
Why HIPAA Compliance for many organizations is like Sony Picture’s security policies

2014 has been a year of turmoil in terms of Internet security. There have been huge vulnerabilities (e.g. POODLE, SHELLSHOCK, and more) and large-scale attacks, from the attack on the Sands Casino by Iran in February to the worst one of all, the Sony Pictures Hack.

It is arguable that it is impossible to secure an organization of any significant size from penetration by a determined hacker (or government organization or nation state). Cases in point: consider the attack on the Sands Casino and recent revelations about extremely sophisticated malware such as Regin. This does not mean that we throw up our hands.

What it does mean is that we need to take security measures seriously, consider them worth the expense, and know that security is a process and not something you “do once.”

What does this have to do with HIPAA Compliance?

The ultimate goal of HIPAA is to protect identifiable patient information.  The scope of HIPAA is extremely broad … from dentists working in their homes, to large hospital chains, to law firms that interact with medical organizations, to web development firms that create sites and software for doctors, etc.  As HIPAA rules, requirements and penalties were rapidly evolving starting with HITECH in 2010 through Omnibus in 2013, affected organizations suddenly had a myriad of technical rules to follow “or else.”

The big guys with large IT staff took this in stride and, in most cases, got on top of things by implementing policies and procedures that are more or less compliant … and by continuing to evolve these practices.

For the smaller and medium-sized organizations, time, money, and expertise are less plentiful (though some may argue that expertise is not very plentiful anywhere).  Here we have seen some of the following philosophies predominating:

  1. I don’t really care about the details of HIPAA compliance for security … we’re probably fine and we’re small, anyway, so no one will attack us.
  2. Let’s just buy something and forget about it … I don’t want to spend the time to learn what I am expected to do.  Someone should just take care of that for me.
  3. We don’t think it’s worthwhile to spend all this money to be fully compliant.  It will be cheaper to pay the cost of a breach if it ever happens — which it probably won’t.

Let’s compare this to Sony Pictures’ (now former) stance on security:

  1. Sony would ignore reports of security violations made by employees.
  2. Only 11 of their 7000 employees were tasked with information security (and that includes 3 security analysts and 8 managers).
  3. Sony did Risk Assessments to identify vulnerabilities; however, it failed to do anything about them.
  4. In 2007, Sony’s Information Security Director was quoted saying that it is a valid business decision to accept the risk of a security breach and that he would not invest $10 million to avoid a possible $1 million loss.  His estimation of the real cost of a breach was clearly very far off.
  5. Sony’s employees used terribly poor passwords.

Does this sound familiar?

Many organizations required to be HIPAA-compliant exhibit the same kind of attitude: head in the sand; not worth the time and money; it doesn’t matter, it won’t affect us; if it does, it won’t be a big deal.

The security community agrees that if anything good has come out of the Sony Hack, and other issues this year, it is an increased awareness that these kinds of attacks can and do occur — and that the impact can be devastating. That, coupled with increasing attacks on small and medium organizations, places everyone at higher risk than most people previously considered.

And what is worse for those under the umbrella of HIPAA?  The fines imposed by Health and Human Services for a breach can be very, very high.  If even a fraction of the information stolen from Sony Pictures had been ePHI and Sony had to abide by HIPAA, it is hard to imagine the sheer size of the fine … it boggles the mind.

A Shift in Perspective for HIPAA Compliance

It is part of human nature that change often comes only through pain or fear.  This year’s security history surely should go a long way to revising opinions as to where money and attention should be allocated and to what degree organizations will actively and continuously update their security and legitimately maintain their compliance.

As first steps towards improvement, I would recommend:

  1. Make sure you actually perform risk assessments and actually take steps to remediate problems based on the threat they pose.
  2. Use an outside assessment agency to determine your risk and compliance level, especially if your team does not have the skill set to do this themselves.  Even if they do, fresh eyes with different tools will often find things that you miss — as would external attackers.
  3. Outsourcing services to established HIPAA-compliant providers can go a long way to:
    1. reducing your own internal compliance and IT overhead
    2. reducing your risk profile
    3. saving you money in the short and long term
  4. Educate your staff
    1. HIPAA training is a requirement of HIPAA
    2. Employees should be familiar with and use things like strong passwords and encryption
    3. Employees should be educated in behaviors and technologies that have been identified as Risks for your organization.  E.g.
      1. Mobile devices used for HIPAA and encryption
      2. Storage of ePHI and the movement of ePHI in and out of the office
      3. Sharing and storage of login credentials
      4. Changing passwords and never using system default passwords
  5. Keep your software updated: apply changes, patches, and other security updates quickly
