Healthcare IT Security: Compliance nightmare on horizon Healthcare IT Security: Compliance nightmare on horizon

Healthcare IT Security: Compliance nightmare on horizon

by Calyptix, August 14, 2014

Healthcare ITHealthcare IT departments are failing to meet HIPAA network security requirements, according to a recent SANS report.

SANS is the largest and most trusted source of information security training and certification in the world. Its report estimates the number of compromised healthcare systems in the millions.

The report’s subtitle says it all:

“Widespread Compromises Detected; Compliance Nightmare on Horizon”

HIPAA security requirements unmet

The report’s data is from the Norse threat intelligence network, a global system of sensors and honeypots that collects data on malicious traffic.

The network recorded malicious traffic coming from healthcare systems for 13 months, tallying:

  • 49,917 unique malicious events
  • 723 unique malicious source IP addresses
  • 375 compromised healthcare organizations based in the U.S.

OK – so healthcare organizations are sending malicious traffic. What’s the big deal?

The HIPAA network security requirements say healthcare organizations must ensure the confidentiality, integrity, and availability of electronic patient data and protect it from threats and hazards.

But if healthcare networks are sending malicious traffic, then they have likely been compromised – which means they are almost certainly out of compliance with HIPAA IT requirements.

Healthcare devices are compromised

Healthcare IT security providers who want more clients should help prospects understand that a network is more than desktops and servers.

A healthcare network includes a litany of devices, many of which are compromised according to the SANS report:

healthcare-it-compromised-devices-chart

 

This chart shows the distribution of malicious traffic sources detected inside healthcare networks. Notice that the fourth largest source is “radiology imaging software.”

How many healthcare providers even realize that medical devices and radiology software can be hacked? HIPAA network security requirements suggest these systems should be locked-down.

Healthcare IT providers should help potential clients understand that any device connected to the network can be a route for hackers to break in and steal electronic patient health data.

Healthcare IT security is broken?

A jaw-dropping 56% of malicious events from healthcare organizations came from or passed through network edge devices such as firewalls, routers, and VPN systems.

While this may indicate healthcare IT security devices are compromised, a far likelier explanation is the devices are misconfigured or allowing malicious traffic to pass undetected from a compromised source within the network.

Since the Norse threat intelligence system has limited visibility into the healthcare networks, the edge devices were likely shown as the source when they were merely the middleman.

1 in 3 hacked healthcare providers is small

Small organizations of all types, healthcare and otherwise, love to ignore network security. Many think they are too small for hackers or regulators to target.

Healthcare IT service providers can help dispel this myth with this chart:

healthcare-it-compromised-organizations-chart

SANS estimates roughly 33% of the provider organizations caught in the Norse network are small providers, either individual practices or small groups with fewer than 10 providers.

A clear need exists for improved healthcare IT security at small organizations, particularly to meet HIPAA network security requirements.

Small, local doctors can no longer ignore this problem – because hackers are no longer ignoring them.

Related resources

HIPAA for IT Service Providers: Top 5 questions

HIPAA for IT Providers: The most important rules to know

HIPAA Hazards: Avoid the business associate trap

How AccessEnforcer  Fits with HIPAA

 

No Comments


    Leave a Reply

    Your email address will not be published Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

    *