Why HIPAA Compliance for many organizations is like Sony Pictures’ security policies

December 17th, 2014

2014 has been a year of turmoil in terms of Internet security. There have been huge vulnerabilities (e.g. POODLE, SHELLSHOCK, and more) and large-scale attacks such as that on the Sands Casino by Iran in February, to the worst one of all, the Sony Pictures hack.

It is arguable that it is impossible to secure an organization of any significant size from penetration by a determined hacker (or government organization or nation-state). Cases in point: consider the attack on the Sands Casino and recent revelations about extremely sophisticated malware such as Regin. This does not mean that we throw up our hands.

What it does mean is that we need to take security measures seriously, consider them worth the expense, and know that security is a process and not something you “do once.”

What does this have to do with HIPAA Compliance?

The ultimate goal of HIPAA is to protect identifiable patient information. The scope of HIPAA is extremely broad … from dentists working in their homes, to large hospital chains, to law firms that interact with medical organizations, to web development firms that create sites and software for doctors, etc. As HIPAA rules, requirements and penalties evolved rapidly, starting with HITECH in 2010 and continuing through Omnibus in 2013, affected organizations suddenly had a myriad of technical rules to follow “or else.”

The big guys with large IT staffs took this in stride and, in most cases, got on top of things by implementing policies and procedures that are more or less compliant, and by continuing to evolve these practices.

For the smaller and medium-sized organizations, time, money, and expertise are less plentiful (though some may argue that expertise is not very plentiful anywhere). Here we have seen some of the following philosophies predominating:

  1. I don’t really care about the details of HIPAA compliance for security … we’re probably fine and we’re small, anyway, so no one will attack us.
  2. Let’s just buy something and forget about it … I don’t want to spend the time to learn what I am expected to do.  Someone should just take care of that for me.
  3. We don’t think it’s worthwhile to spend all this money to be fully compliant.  It will be cheaper to pay the cost of a breach if it ever happens — which it probably won’t.

Let’s compare this to Sony Pictures’ (now former) stance on security:

  1. Sony would ignore reports of security violations made by employees.
  2. Only 11 of their 7000 employees were tasked with information security (and that includes 3 security analysts and 8 managers).
  3. Sony did Risk Assessments to identify vulnerabilities; however, it failed to do anything about them.
  4. In 2007, Sony’s Information Security Director was quoted saying that it is a valid business decision to accept the risk of a security breach and that he would not invest $10 million to avoid a possible $1 million loss.  His estimation of the real cost of a breach was clearly very far off.
  5. Sony’s employees used terribly poor passwords.

Does this sound familiar?

Many organizations required to be HIPAA-compliant exhibit the same kind of attitude: head in the sand; not worth the time and money; it doesn’t matter, it won’t affect us; if it does, it won’t be a big deal.

The security community agrees that if anything good has come out of the Sony hack, and the other incidents this year, it is an increased awareness that these kinds of attacks can and do occur, and that the impact can be devastating. That, coupled with increasing attacks on small and medium organizations, places everyone at higher risk than most people previously considered.

And what is worse for those under the umbrella of HIPAA? The fines imposed by Health and Human Services for a breach can be very, very high. If even a fraction of the information stolen from Sony Pictures had been ePHI and Sony had been required to abide by HIPAA, it is hard to imagine the sheer size of the fine … it boggles the mind.

A Shift in Perspective for HIPAA Compliance

It is part of human nature that change often comes only through pain or fear. This year’s security history surely should go a long way toward revising opinions as to where money and attention should be allocated, and as to the degree to which organizations will actively and continuously update their security and legitimately maintain their compliance.

As first steps towards improvement, I would recommend:

  1. Make sure you actually perform risk assessments and actually take steps to remediate problems, prioritized by the threat they pose.
  2. Use an outside assessment agency to determine your risk and compliance level, especially if your team does not have the skill set to do this themselves. Even if they do, fresh eyes with different tools will often find things that you miss, just as external attackers would.
  3. Outsourcing services to established HIPAA-compliant providers can go a long way to:
    1. reducing your own internal compliance and IT overhead
    2. reducing your risk profile
    3. saving you money in the short and long term
  4. Educate your staff:
    1. HIPAA training is a requirement of HIPAA.
    2. Employees should be familiar with and use things like strong passwords and encryption.
    3. Employees should be educated in the behaviors and technologies that have been identified as risks for your organization, e.g.:
      1. Mobile devices used for HIPAA-covered work, and their encryption
      2. Storage of ePHI and the movement of ePHI in and out of the office
      3. Sharing and storage of login credentials
      4. Changing passwords and never using system default passwords
  5. Keep your software updated: apply changes, patches, and other security updates quickly.
