7 May 2016
Niam Yaraghi’s post ‘Patient privacy: Can past lessons prevent future failures?’, published May 5, 2016 on the Brookings Techtank Blog, is absolutely worth reading. The post is a summary of the research report ‘Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches’. In this report Niam Yaraghi provides a superb root cause analysis of the data breaches in the U.S. health care industry of recent years, along with some recommendations for getting a grip on the problem.
A big issue comes from HIPAA itself. HIPAA came into force in 1996, and as a result it falls short of addressing modern cyber security challenges. The statements of a CIO on page 18 of the report make this impressively clear:
“HIPAA reflects how nerds thought about security 20 years ago.”
“HIPAA is in complete disconnect with the realities of today’s digital technology and we cannot expect a national standard to be agile enough and be in pace with cyber technology. For example, HIPAA has nothing about malware and ransomware, intrusion detection, specific cyber incident responses, or multifactor authentications.”
It is the same old story with standards. Without regular review and adaptation, the effectiveness of standards decreases dramatically. For that reason, ISO 27001 demands the implementation of a risk management process according to ISO 27005. This ensures that changes in external conditions, e.g. new cyber security challenges, are considered during risk assessment even if internal conditions have not changed.
The report lays out some recommendations on how to mitigate the problem.
- The health care sector should embrace cyber insurance
This is a really interesting idea. Cyber insurance has the potential to become a game-changer because organizations will have a direct economic incentive to cut insurance costs.
- OCR should establish a universal HIPAA certification system
To me, this sounds like reinventing the wheel. HIPAA should be developed further to meet today’s cyber security challenges. But this need not lead to a new umbrella standard.
I would propose developing a smart HIPAA standard on top of an ISO 27001 ISMS. This has the big advantage that it can be quickly adapted to meet new cyber security challenges. In addition, health care businesses can start managing risks immediately by implementing an ISMS according to ISO 27001.
Have a good weekend.