Save lives

It’s Time to Reframe Cybersecurity as an Essential Part of Patient Care

Sadly, it’s happened: As reported in the New York Times, on September 10 a woman fighting for her life was turned away from the University Hospital, Düsseldorf because hospital servers were infected with ransomware. With vital systems crashing, emergency treatment could not be administered. By the time the woman could receive services – in another hospital, 20 miles away – the hour-long delay had cost her life.


A quick survey of 3 recent breaches – including one very high-profile case – reminds us to be especially vigilant to avoid these all-too-common scenarios with protected health information.

Breach #1: PHI on paper – even in your personal briefcase – is not well protected, and can easily lead to a breach of PHI

The following breach serves as a case in point: On July 2, 2020, a doctor from Lee Moffitt Cancer Center and Research Institute in Tampa left a briefcase in his car – never a safe place for paper files with PHI to reside – and the briefcase was stolen.

Congratulations, you’ve made a wise choice to entrust your sensitive data to a proven, HIPAA compliant hosting specialist like HIPAA Vault! But wait – in terms of overall compliance, what does that really mean?

It does mean that the technical infrastructure we employ to host your sensitive data is fully compliant – expertly designed with multiple layers of security to protect your ePHI both in storage and in transit. Years of security and hosting expertise along with dedicated, live customer service work together to make “the HIPAA Vault difference.” 


They say you never know until it hits you. Whoever “they” are, they’ve got a point – especially if the “it” is failing to secure someone’s personal, protected health information (PHI). Once this sensitive data is divulged, the genie is out of the bottle – and the impact can be staggering.  

Just ask Advocate Health System, past bearers of a $5.5 million fine from the Office for Civil Rights (OCR) for allowing 4 million records to be breached (on 3 separate occasions) back in 2013. Among the security lapses was an unencrypted laptop containing patient records, stolen from an employee’s car.

Even more than the costly regulatory fines that may come with HIPAA violations ($100 to $50,000 per incident, depending on your degree of negligence, such as failing to perform risk assessments or to encrypt devices), the real issue is your customer’s welfare. If their personal, protected health information is made public, it damages them personally. Not only will you have lost the trust of someone you’ve sworn to “do no harm to,” but they may even decide to take legal action against you for damages.


In the world of compliance requirements, two types of business practice are generally distinguished. The first, known as the “private sector,” covers those regulations that apply to for-profit, commercial industry. These may include HIPAA (for protected health information), SOX (for financial reporting), GLB (pertaining to information sharing), and others.

The “public sector,” on the other hand, is the business of the US Federal Government, and may include these governing security controls as well as the requirements of FISMA.

FISMA, the Federal Information Security Management Act (enacted in 2002 and modernized in 2014), requires all agencies to protect sensitive data according to the relevant information security guidelines of the FIPS 199 & 200 publications, and the technical configurations found in the NIST (National Institute of Standards and Technology) 800 series, especially SP 800-53.

Right Encryption

Protecting your patient’s privacy – it’s a necessity for sensitive data like protected health information (PHI).

And yet, HIPAA regulations can seem a bit vague about exactly how this should be done. Actually, that’s intentional; HIPAA wasn’t intended to endorse specific technical solutions.


Your patients value your counsel, and are willing to share with you their deepest, personal struggles. As a therapist, you handle that information as a sacred trust. Unfortunately, that trust may be broken – however unintended – through an unwise use of technology.  

No doubt, technology allows for flexibility in the way you share and store protected health information; you harness the tools that best fit the needs of your practice. 

Have you thought about a HIPAA compliant email solution for therapists?


When it comes to deploying applications and services at scale, the ability to use efficient, containerized pieces of software has clearly changed the game. 

Containers are highly valued for their portability and ability to run on various environments – including local desktops, virtual and physical servers, test and production environments, and in private or public clouds. As widespread adoption of containers continues, Gartner’s prediction that more than “70% of global organizations will run containerized applications by 2022” certainly seems accurate. 

But what about security, particularly for healthcare applications? The good news is container systems like Kubernetes can be HIPAA Compliant, with the right security measures applied. (If you paused reading the last sentence and thought Kuber-what?, here’s a quick overview):


In Part 1 of our interview with Ricoh Danielson, we discussed how a comprehensive, “real world” penetration test (also known as ethical hacking) can help you fix the gaps in your company’s security.

Why do you need it? 

Let’s take a moment to recap why you need it: for those in healthcare especially, cybercrime represents an enormous risk to both patients and health organizations. The beauty of an objective pen test report from someone “outside” your organization is that the IT team as well as executives can see their security blind spots, and leverage this “early detection” to make changes. Your sensitive patient data can be better protected, while saving you a bundle in potential breach costs, downtime, and remediation. 

That said, let’s continue our conversation with Ricoh:


Part 1 of an interview with Ricoh Danielson, Information Security Expert

Ricoh Danielson is an impressive guy. From his time serving as a US Army Combat soldier in Iraq, to becoming a legal advocate for veterans in their battle to receive PTSD treatment; then later developing his security expertise in digital forensics for law enforcement and the military, Ricoh has dedicated himself to a singular passion: protecting others.

Now a leader in Information Security, Ricoh has turned his sights on healthcare – an industry frequently targeted for cyberattack. It was a privilege to speak with him recently about how healthcare organizations can improve their critical security posture, and specifically about the need for penetration testing – a practice that fits in well with a comprehensive HIPAA compliance program:
