I was recently asked the following question: “Can Health Centers adopt the less stringent password measures recently updated in [NIST Special Publication (SP) 800-63B] and still be compliant under the HIPAA Security Rule?” This is a great question that isn’t quite as simple as it may seem. It requires an understanding of what the NIST Digital Identity Guidelines are, their place in enforcement, and how to interpret HIPAA requirements as they relate to authentication.
Another HIMSS Conference has come and gone, complete with thousands of attendees, hundreds of sessions, a trade floor that measured in acres, and headliner keynotes. There is something for everyone at HIMSS and each attendee will have gotten something different out of attending. For me it was a chance to connect with colleagues, make some new acquaintances, meet some people in person that I had only worked with virtually, attend some sessions, and speak with vendors.
My focus for the conference was Privacy and Security. For anyone in this field, there is always a lot to take in at the HIMSS conference. Several sessions focused on Privacy and Security, and there are countless vendors touting “secure this,” “secure that,” and “HIPAA Compliant everything.”
Protecting the empire goes beyond securing the castle walls: Understanding the importance of audit controls
Is your information security program stuck in the middle ages? Are you still just protecting the castle walls, or have you taken a step forward into modern times, where you must assume your outer perimeter will be breached?
Healthcare organizations are notorious for applying minimal security measures, generally consisting of firewall and anti-virus precautions meant to keep attackers from penetrating their systems. This is an antiquated approach that simply doesn't work. You need to think more strategically and prepare your organization for impending attacks by assuming that your defenses will be breached. In fact, 56% of organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. On top of that, it takes an organization an average of over 200 days simply to detect an attack of any severity. Those are some scary statistics to consider when people’s personal information is at stake.
Recently, the Office for Civil Rights (OCR) announced a $5.55 million settlement with Advocate Health Care in response to a breach of electronic Protected Health Information (ePHI) affecting approximately four million individuals. This is the largest OCR settlement in response to a breach to date. Among other things, the settlement agreement indicated that Advocate failed to:
The year 2015 was known as “the year of the megabreach” and, given the year we’ve had so far, 2016 will undoubtedly be known as “the year of ransomware.” These threats affect every organization that has a computer connected to the Internet. The attacks are the same, the affected computers are the same, and the results are the same – well, mostly. Whether the target is government, industrial control systems, or the financial, entertainment, or healthcare industries, attackers are agnostic. They don’t care what information you have or how it is stored; if they can turn it into personal gain, they will attack it.