Personal health information (PHI) in the form of electronic health records (EHRs) is a valuable target for cybercriminals. According to Managed Healthcare Executive, health agencies saw a 125 percent increase in data breaches in the last five years, while CSO Online notes that more than 392 million PHI records have been disclosed from non-health organizations keeping critical data on file — for example, finance, insurance and educational institutions.

To address these challenges, the federal government has been shoring up support for the Health Insurance Portability and Accountability Act (HIPAA), but increasing compliance has done little to curb the rash of network attacks. Is HIPAA history in a post-EHR world?

Big Numbers, Big Risk?

According to the Centers for Disease Control (CDC), roughly 1.2 billion visits are made to physicians’ offices, emergency rooms and outpatient facilities each year. In the vast majority of these cases, doctors access EHRs to modify, transmit or record PHI and streamline the treatment and diagnostic process.

As HIT Consultant points out, however, the implementation cycle of health care IT is extremely long; while HIPAA passed in 1996, it wasn’t until 2003 that standards for electronic transactions were put in place. And despite widespread EHR adoption, the age and type of IT infrastructure used to access these records varies substantially.

Some of this infrastructure is decades old and relies on clunky, outdated desktops. Some is more modern and designed to be used with mobile devices but often doesn’t support the level of security necessary to ensure safe storage and risk-free transmission of data within — or beyond — the walls of a doctor’s office or hospital.

Forbes puts it simply: Health care agencies have become too focused on compliance with HIPAA and Affordable Care Act (ACA) regulations as a way to protect patient data despite the growing number of breaches of HIPAA-compliant databases. Why the disconnect? Because HIPAA and other health care acts aren’t IT security measures but basic handling practices. To secure PHI, a new standard is required.

Emerging Challenges

Ultimately, the health care technology landscape is fragmented as IT pros attempt to balance the usability required by doctors and nurses with the next-gen security required to protect interoperable desktops, mobile devices and cloud-based systems.

As noted by the University of Arizona, federal organizations are making efforts to shore up IT defenses. For example, the FDA recently released a set of guidelines for “wirelessly connected medical devices,” which recommends that manufacturers identify potential points of compromise in their offerings before they hit the market. But these guidelines aren’t enforceable standards; if manufacturers choose speed over security, health care agencies themselves must do the legwork of evaluating security performance.

Other challenges have also emerged. IT Business Edge notes that most health care applications aren’t secure and are susceptible to both code tampering and reverse engineering. Many organizations also rely heavily on the cloud, with “average” health agencies using over 900 cloud services.

The problem? Just seven percent meet typical enterprise security requirements. The Internet of Things (IoT) presents another challenge, with proof-of-concept tests already describing how devices like pacemakers and drug pumps can be hacked and used to harm patients. Bottom line? HIPAA covers only a tiny portion of the IT threat landscape, but is often viewed as a broad defense. The result is a massive — and growing — attack surface for motivated cybercriminals.

A Healthy Outlook?

So how does the health industry transition from mere compliance to cutting-edge IT security? The first step is accepting that all EHR and PHI security is IT security. This, in turn, should drive greater IT spending along with the development of a security-minded culture based on actual risk measurements rather than government-mandated compliance as the gold standard. Enhanced mobile device protection, encrypted data and cloud regulation also play a role in the health care IT treatment plan; to achieve significant results, agencies must opt for holistic rather than specific measures.

Here’s the takeaway: Health care organizations are enterprises. As such, they need comprehensive IT security plans to handle emerging threats. Just as the retail industry must do more than stay PCI DSS compliant to protect user data and banks must go beyond EMV standards to secure financial details, so, too, must health care move beyond the starting point of HIPAA to develop comprehensive, forward-thinking IT strategies.
