The Office for Civil Rights is promoting HIPAA as being able to prevent or substantially mitigate the impacts of a cyber attack. It is a bold statement from OCR and one that bears unpacking.
Basis of OCR’s Statement
Why is OCR asserting that HIPAA can prevent or substantially mitigate a cyber attack? The primary answer is the Security Rule within HIPAA. Hopefully, many understand that the HIPAA Security Rule is broken into three components: administrative, technical, and physical. Those areas are further divided into required and addressable elements. The categories of safeguards are what OCR focused on in its assertion though.
OCR doesn’t necessarily limit its promotion of the Security Rule to any one aspect. Instead, OCR picks examples from across the rule as helping prevent a cyber attack. Some of the specific components highlighted include education and the access controls for systems. Education is pushed because it is an opportunity to get the workforce informed about what is happening in the broader world and changing threats. It is very important to be aware of evolving threats as the evolution is occurring. Waiting for just the annual training is not sufficient. If information is only pushed out on an annual basis in what is often a boring, uninspired fashion, then the likelihood of important details being remembered is quite low. Instead, if information is pushed out on a regular basis using current events to highlight why the news is important, there is a chance of the new threat being a part of regular discussion.
Turning to access controls, OCR considered a few components of the access controls. Access looks at the breadth of information that an individual can get to and layers of control over access. Optimistically, most if not all understand that every person in an organization should not have access to all information. The scope of access should be limited to what is needed to perform one’s job function. Using myself as an example, I have no need to access protected health information maintained by my company. I don’t have direct contact with our customers for delivering services. Given that reality, I don’t have privileges to access our databases housing protected health information and I have no expectation of getting that access. We also limited the access as much as possible and review who has access regularly. If a new person needs access, we have a multi-step request process too just to ensure that we don’t inadvertently give unnecessary access.
It’s a Good Start
HIPAA is a good start, but it can only do so much. One important piece to keep in mind about the benefit from HIPAA is that it cannot be seen as just a box to check. OCR makes this point too. When compliance is viewed as something getting in the way of operations and not baked into an organization’s culture, it won’t do much positive. Checking a box means folks will try to do the bare minimum without thinking proactively or wholesomely.
In addition to needing to go beyond just checking the HIPAA box, it is also helpful to view HIPAA as creating a strong foundation. The Security Rule does not exactly define what measures to implement or what tools meet expected security standards. Instead, the Security Rule identifies certain practices and controls that should be implemented. Even in required elements, organizations need to internally identify the best means of implementing the control. The non-specific approach makes sense because the bulk of the Security Rule is actually quite dated at this point in time and the need to fit the rule to different size organizations.
Another reason to view the HIPAA Security Rule as a foundation is that it is really a policy and procedure driven requirement. The rule doesn’t necessarily impact broad considerations of how an organization builds its technology infrastructure or how to develop solutions. The rule really focuses on actions and behaviors. Additionally, the rule wants written policies that help demonstrate what it happening, so can become a little bit of a structured exercise that feels slightly artificial.
What is True Security?
If HIPAA is best viewed as a foundation, what is “true” or better security? First, it should be acknowledged that no system can ever be fully secure or immune from attack. A breach is an unfortunate inevitability for many reasons that are beyond the scope of the current discussion. For current purposes though, it is important just to accept that no form of security is foolproof.
To the second point, what can be done? Look at industry standards, security-focused guidance (NIST is the usual best place), and monitor ongoing developments. Good security is about finding new tools or means of configuring systems and understanding that the nature of threats will change. When a comprehensive and holistic approach is taken, then security has a chance to actually protect the information being housed.
Security is a constant effort that can feel thankless and without a return on investment. However, minimizing the likelihood of a compromise or being able to cut off an attack quickly is actually a good outcome. That can help maintain the reputation of an organization because privacy of information can be upheld as much as possible.
Future of Security
OCR’s push of the HIPAA Security Rule as being able to prevent or substantially mitigate most cyber attacks is understandable to a degree, but it could also create a false sense of security (repetition not intentional, but unavoidable). Even solid compliance with the rule that embeds the principles within the DNA of an organization can only do so much. As suggested, getting actually comprehensive and up-to-date security means looking to many other standards and areas of information. No single requirement or guidance can be a single source of truth. Instead, all available materials should be considered. Ultimately, good security is driven by the actions of each individual organization and all of the individuals within that organization. Who is up for the challenge?
This article was originally published on The Pulse blog and is republished here with permission.