Healthcare provider and payer organizations have been lulled into believing that compliance with the HIPAA Privacy, Security, and Breach Notification Rules translates into secure protected health information.

However, that’s not the case, and compliance and security are two entirely different paradigms, according to cybersecurity experts speaking at this week’s HIMSS16 conference in Las Vegas. They offered examples of ways to beef up security practices.

HIPAA requires that covered entities must conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of their risk management process. However, organizations are not given specific guidance on what IT security risk assessments should include, said Mac McMillan, CEO of healthcare security firm CynergisTek and chair of the HIMSS Privacy and Security Policy Task Force.

Mac McMillan, co-founder and CEO of CynergisTek.

“HIPAA is pretty simple. It says you have to conduct a risk assessment. But it doesn’t tell you how often, how much, or what—just an enterprise security risk assessment—and it says you have to do one under Meaningful Use as well,” said McMillan.

Beyond what HIPAA and MU require, organizations must conduct a thorough evaluation of the potential risks and vulnerabilities to PHI. McMillan said risk assessments should be conducted on an ongoing or ad hoc basis in response to specific events—such as when major modifications are made to an organization’s IT environment—with the goal of determining the acceptable level of risk as well as identifying, correcting and preventing security problems.

Jay Adams, director of information security at Tallahassee Memorial Healthcare, a 770-bed facility in Tallahassee, Fla., agrees that having an accurate inventory of systems that contain PHI and where that data resides is critical to securing it. “You have to know where your data is sitting in order to determine what controls to put around it,” added Adams.

HIPAA requirements dictate that covered entities perform a periodic technical and non-technical evaluation of controls. However, McMillan takes the rule to task for not setting a minimum standard for compliance. “Do I do a vulnerability scan once a week, once a month, once a year, or is it okay if I do it once a millennium?” he asked the HIMSS16 audience. “It doesn’t tell me what’s required.”

When it comes to access management, McMillan also charged that one of the shortcomings of the HIPAA Security Rule is that it does not mandate two-factor authentication—which manages access to electronic PHI by requiring users to provide at least one additional form of identification beyond user name and password. Although HIPAA requires covered entities to verify that a person seeking access to electronic PHI has authorization, two-factor authentication is “not even talked about” in the Security Rule, he said.

“How many folks think that you don’t have to put a second factor on your elevated privileges today?” McMillan asked. “If nothing that the hacks in the last couple of years have proven, they’ve proven that we need to treat those privileges differently than we do all the others because they are the most dangerous privileges when the bad guys get their hands on them.”

With data breaches plaguing healthcare organizations and hackers actively targeting the industry, he strongly advocates that such security measures must be implemented to ensure the information is only accessible to those with the rights to access it. “What HIPAA tells us about access management is that we’re supposed to uniquely identify everybody who accesses PHI, but that doesn’t come close to the things that we actually need to do today.”

According to data recently released by the Office of the National Coordinator for Health IT, fewer than half (49 percent) of hospitals support an infrastructure for two-factor authentication. Critical access hospitals (35 percent) and small rural hospitals (40 percent) report the lowest levels of capability for two-factor authentication.

“You need to have a well-defined process in your organization that lays out what access levels or what data does an individual need to have access to,” recommended Tallahassee Memorial’s Adams. “All too often, in a lot of the cases where organizations get compromised, people have elevated levels of access that they shouldn’t have, and the ability to make changes to files that they shouldn’t even have access to.”

HIPAA also has too limited a discussion of security awareness training, said McMillan. Specifically, he cites the fact that the HIPAA Security Rule includes only four “addressable” training topics: periodic security updates; procedures for guarding against, detecting and reporting malicious software; procedures for monitoring log-in attempts and reporting discrepancies; and procedures for creating, changing and safeguarding passwords.

“HIPAA says that we must train individuals on four topics. How many people think that four topics are actually adequate to make a user smart enough or aware enough to be able to function in today’s environment?” he asked. “We all know that’s not enough. They need much more than that. Training needs to be practical and experiential. One of the things that we’re finding is that all these (computer-based training courses) and annual refresher training just aren’t working. The retention on those is extremely low. But, the bad guys are coming all the time, and they’re changing how they’re coming.”

In particular, McMillan suggested there are certain hacker tactics of which users need to be aware, such as spear phishing attacks. “We need them to be able to identify simple and more sophisticated spear phishing messages today because healthcare has both of those,” said McMillan, who noted that a lot of the recent attacks have resulted in the compromise of credentials, requiring a complete reset of passwords at organizations.

“Typical HIPAA education awareness is not going to cut it anymore,” concluded Adams, who added that his organization now conducts phishing training. “It’s no longer a simple attack of scanning or trying to break through the firewall. Hackers are coming to the easiest target as possible—email. The training we put together educates our people on how to recognize these messages.”

(This article appears courtesy of our sister publication, Health Data Management)
