This article, originally published on TechNewsWorld, is part of our Industry News Highlights series, making sure our readers see the most popular Privacy, Security, Compliance and Information Risk Management news each week.
The recent data breach at Premera Blue Cross — in which the personal information of some 11 million customers was compromised — raises questions about how effective government regulators are at ensuring that healthcare providers adequately protect their patients’ data.
There have been abundant warnings that compliance with government regulations alone would not be adequate to protect companies from the kinds of cyberthreats the world faces today. However, Premera learned that lesson the hard way.
Auditors with the U.S. Office of Personnel Management in January 2014 recommended that Premera address two areas of system administration: more timely installation of software patches and upgrades, and creation of configuration baselines so that it could effectively audit its server and database security settings.
However, the auditors did not regard those as very serious deficiencies. In their final report, released in November, they wrote that “nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.”
The company was breached in May 2014. Although that was six months before the feds released their final audit report, Premera didn’t discover the breach until January 2015.
Granted, the OPM audit was a general one, designed to examine only the information systems related to the claims processing applications used at Premera, and not as rigorous as the HIPAA security and privacy compliance audits conducted by the U.S. Office for Civil Rights.
“The scope and depth of the OPM audit was likely just a subset of what would have been covered by a true HIPAA audit conducted by OCR,” said Ulf Mattsson, CTO of Protegrity.
“Based on the information provided in the audit report, there’s no way to know for sure how Premera would have performed if it had been audited by OCR,” he told TechNewsWorld.
“The problems cited by the audit are probably pretty common to all organizations. While fixing those problems can improve an organization’s security posture slightly, by no means were they likely the cause of the massive data breach at Premera,” Mattsson said.
“The storing of sensitive data without being encrypted is the more likely culprit,” he added.
It’s unlikely that even a rigorous audit would have deterred Premera’s data thieves.
“Since HIPAA does not require companies to encrypt their data at rest, even passing a true HIPAA audit by OCR may not have prevented the Premera breach,” Mattsson said.
Although compliance rules are supposed to set minimum standards for protecting data, many companies treat them as maximum benchmarks.
“Cases like Premera and thousands of others are proof that if you follow compliance — the checkbox approach to security — it doesn’t mean you’re more secure,” said Torsten George, vice president for marketing at Agiliance.
“You can schedule an audit, but you can’t schedule a cyberattack,” he told TechNewsWorld.
“You have to change your way of thinking. You have to get away from these three-to-six-month sprints to get to compliance and then forget about it,” George said.
“Security needs to be part of your day-to-day operations,” he added, “not just something you do to get through an audit review.”
Healthcare security audits have some fundamental problems. “HIPAA is focused on prevention of threats,” said Mike Davis, CTO of CounterTack.
“As we all know, prevention doesn’t always work. Hackers still get in,” he told TechNewsWorld.
“There’s very little in HIPAA that requires healthcare institutions to detect threats,” Davis added. For example, HIPAA requires access to patient records be restricted, but it doesn’t require that access to the records be monitored.
“You lock down the users, so only Bob can access patient information, but if an attacker takes over Bob’s account, he has access to the patient information and you’d never know,” he explained.
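The gap Davis describes is a detection gap: authorisation checks pass because the attacker is using Bob's valid account, so the only signal is that the access no longer looks like Bob. The following is an added example, not code from the article, from CounterTack or from any other company named here. It assumes a hypothetical application access log with one JSON line per patient-record read (fields `ts`, `user`, `src_ip`, `patient_id` are this example's own invention), builds a per-user profile from a known-good window, and then flags reads that are authorised but out of profile: a source address the account has never used, an hour the account never works, or far more distinct patients in a day than the account's historical maximum. The sample log is constructed inline.

```python
"""Flag out-of-profile PHI reads by an otherwise authorised account.

Added example; the log format and thresholds are assumptions, not any product's API.
"""
import json
from collections import defaultdict
from datetime import datetime


def parse(log_text):
    """Parse JSON-lines access records into events with a real datetime."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def build_baseline(events):
    """Per-user profile from a known-good window: source IPs seen, hours of
    day seen, and the most distinct patients read on any single day."""
    ips = defaultdict(set)
    hours = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> patients
    for e in events:
        u = e["user"]
        ips[u].add(e["src_ip"])
        hours[u].add(e["ts"].hour)
        per_day[u][e["ts"].date()].add(e["patient_id"])
    return {
        u: {
            "ips": ips[u],
            "hours": hours[u],
            "max_daily_patients": max(len(p) for p in per_day[u].values()),
        }
        for u in ips
    }


def detect(events, baseline, volume_factor=3):
    """Return one alert per user, day and reason for accesses that are
    authorised but do not match the account's baseline behaviour."""
    alerts = []
    fired = set()
    daily = defaultdict(set)  # (user, date) -> distinct patients read so far

    def alert(e, kind, detail):
        key = (e["user"], e["ts"].date(), kind)
        if key not in fired:  # suppress repeats for the same user/day/reason
            fired.add(key)
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "kind": kind, "detail": detail})

    for e in events:
        u, ts = e["user"], e["ts"]
        prof = baseline.get(u)
        if prof is None:
            alert(e, "unknown_user", "no baseline for this account")
            continue
        if e["src_ip"] not in prof["ips"]:
            alert(e, "new_source", f"{e['src_ip']} never seen for this account")
        if ts.hour not in prof["hours"]:
            alert(e, "off_hours", f"access at {ts.hour:02d}:00 UTC")
        patients = daily[(u, ts.date())]
        patients.add(e["patient_id"])
        limit = volume_factor * prof["max_daily_patients"]
        if len(patients) > limit:
            alert(e, "volume", f"{len(patients)} distinct patients today, "
                               f"baseline max {prof['max_daily_patients']}")
    return alerts


def _line(ts, user, ip, patient):
    return json.dumps({"ts": ts, "user": user, "src_ip": ip, "patient_id": patient})


# Constructed sample data: five working days of Bob reading eight patients a day
# from the office network, 09:00 to 16:00 UTC.
BASELINE_LOG = "\n".join(
    _line(f"2015-01-{day:02d}T{9 + i:02d}:00:00Z", "bob", "10.1.2.3", f"P{day}{i:02d}")
    for day in range(5, 10) for i in range(8)
)

# Constructed detection window: one normal day, then the same account pulling
# forty records at 02:00 from an outside address (attacker holding Bob's credentials).
DETECTION_LOG = "\n".join(
    [_line(f"2015-01-12T{9 + i:02d}:00:00Z", "bob", "10.1.2.3", f"P12{i:02d}") for i in range(6)]
    + [_line(f"2015-01-13T02:{i:02d}:00Z", "bob", "203.0.113.7", f"X{i:03d}") for i in range(40)]
)


def run():
    """Build the baseline from the good window and score the detection window."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(DETECTION_LOG), baseline)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Nothing in this logic would block the read, which is the point: HIPAA's access restriction is satisfied, and only the monitoring layer notices that "Bob" is behaving like someone else. In production the baseline would be rebuilt on a rolling window, and the volume threshold tuned per role rather than a flat multiplier.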
The standards used by HIPAA are outdated, maintained Tom Kellermann, chief cybersecurity officer for Trend Micro.
“They’re based on perimeter defense, and they’re over reliant on encryption of data,” he told TechNewsWorld.
“They focus on threats relevant 10 years ago,” Kellermann continued. “The threats today are a thousand times more sophisticated.”
- March 23. Twitch informs users that some of their accounts were accessed by unauthorized parties. It expires all passwords and stream keys, as well as disconnecting accounts from Twitter and YouTube.
- March 24. TransUnion Healthcare releases survey that finds more than half of recent hospital patients were willing to change providers if their current provider suffered a data breach; 65 percent of patients said they would avoid a provider that experienced a data breach.
- March 25. Secunia reports 15,435 vulnerabilities were found in 3,870 applications in 2014 — an 18 percent increase over 2013. It also noted that patches were available for 83 percent of the vulnerabilities on the day they were made public.
- March 26. Cylance identifies a vulnerability in ANTLabs InnGate routers that could lead to remote code execution on devices connected to those routers, which commonly are installed in hotels and convention centers.
- March 26. Citigroup warns its employees that they should be mindful that cybersecurity at law firms is below the standards of other industries. Citi also was critical of the unwillingness of large law firms to discuss or acknowledge data breaches with law enforcement and corporate clients.
- March 27. A class action lawsuit is filed in Washington state federal court against Premera Blue Cross over the data breach, disclosed earlier this month, that compromised the personal information of 11 million customers.
- March 27. The Court of Appeal in the United Kingdom rejects a motion by Google to dismiss a lawsuit alleging the company tracked users of Apple’s Safari Web browser without authorization and in violation of UK privacy laws.