Security should be a driving force and not an afterthought for senior executives and their boards.
Senior executives must require that their organization formally establish a credible cyber security program. It starts with setting strategic security objectives to be achieved by December 31, 2016, and by December 31, 2017. Think near-term, and think far! The organization must address security and compliance as a life-cycle, as an ongoing process rather than a one-time project. It will lower business risk!
My recommendation to senior leadership: select a security framework and establish HIPAA compliance within the context of that framework. There are essentially three options: the HITRUST CSF, ISO/IEC 27001, and NIST (the Cybersecurity Framework or SP 800-53). I would recommend HITRUST. Be deliberate, disciplined, and steady in working toward HITRUST certification.
And always remember: cyber risk = disruptive business risk.
State of Enterprise Cyberattacks Today
Cyberattacks on today's enterprise are a disruptive business risk. Consider these findings published in the 2016 Verizon Data Breach Investigations Report (DBIR):
- In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach or cyberattack had even occurred. It was typically customers or law enforcement that sounded the alarm, not the organization's own security controls.
- 63% of confirmed data breaches involved leveraging weak, default or stolen passwords.
- New technologies such as the Internet of Things (IoT) give attackers new avenues into business assets.
- 70% of breaches involving insider misuse took months or years to discover.
- The median Denial of Service (DoS) attack runs at 1.89 million packets per second, or more than 113 million packets hitting your server every minute.
HIPAA Compliance Failures of Entities Fined in 2016
- Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all Electronic Protected Health Information (EPHI)
- Failed to implement appropriate policies and procedures to prevent, detect, contain and correct security violations
- Failed to implement physical safeguards for all workstations that access EPHI to restrict access to authorized users
- Failed to assign a unique user name and/or number for identifying and tracking user identity in information systems containing EPHI
- Failed to notify each individual whose unsecured EPHI was reasonably believed to have been accessed, acquired, used or disclosed as a result of a breach
7-Figure HIPAA Compliance Fines – Just the Start, Plus CAP + Attestation
Added to this business risk are rising compliance fines for failing to meet the HIPAA privacy and security mandates.
- Advocate Health Care settled for $5.55 million, the largest HIPAA settlement to date, due to its failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its EPHI.
- The University of Mississippi Medical Center settled for $2.75 million, largely due to the absence of significant risk management activity, organizational deficiencies and insufficient oversight.
In addition, these settlements come with a Corrective Action Plan (CAP), which requires a comprehensive HIPAA compliance program and annual attestation by an officer of the organization for the duration of the CAP, typically two years and more likely three.
Advice from OCR – The HIPAA Enforcement Agency
“We hope the settlement sends a strong message to entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ EPHI is secure,” said Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to EPHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
“In addition to identifying risks and vulnerabilities to EPHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” she said. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to EPHI.”
Pabrai’s 12 Recommendations (Required, not Addressable!)
- Formally document and appoint a Chief Information Security Officer and a Compliance Officer with the responsibility, budget and authority to manage an enterprise program
- Conduct a comprehensive and thorough enterprise-wide risk analysis exercise annually (be disciplined on the timeline and process)
- Manage a technical vulnerability assessment and penetration testing program that formally assesses the following areas for security deficiencies: external, internal, wireless, firewall/DMZ, and mission critical application(s) (e.g. EHR system)
- Establish a credible enterprise risk management program – ensure every compliance and security gap identified has a formal, documented response and appropriate capabilities implemented; monitor actively
- Encrypt, not just password protect, sensitive information on all mobile devices (laptops, tablets and smartphones) and on other network-attached devices that store data, such as multifunction printers and copiers; a login password alone protects nothing once the storage is pulled from the device
- Implement Mobile Device Management (MDM) capabilities to effectively manage the security of all mobile devices across the enterprise
- Develop, update and implement appropriate policies and procedures to prevent, detect, contain and correct security violations
- Ensure active physical safeguards for all workstations that access sensitive information such as Personally Identifiable Information (PII) or Protected Health Information (PHI) to restrict access to authorized users
- Assign a unique user name and/or number for identifying and tracking user identity in information systems containing PHI (do not use generic or shared credentials that can access confidential information; they make access logs useless for attributing activity to an individual)
- Notify each individual whose unsecured PII or PHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of a breach, without unreasonable delay and no later than the 60 calendar days after discovery that the Breach Notification Rule allows
- Build a multi-pronged security awareness training program for all members of the workforce. Continually raise the bar on knowledge of HIPAA, other applicable compliance requirements and your enterprise security policies through a robust, recurring training program.
- Finally, develop an enterprise cyber security program based on an industry-recognized security framework (e.g. HITRUST CSF, ISO/IEC 27001, NIST)