HITECH Act Data Breach and Unsecured PHI Rules

I read with interest this morning that “Health Providers, Other HIPAA-Covered Entities Must Comply With New Data Breach Notification Rules Beginning September 24“.

The U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009) issued “breach notification” regulations requiring health care providers, health plans and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Covered entities must begin complying with the new rules no later than September 24, 2009.

Adding to this…

The new data breach notification rules are part of a series of recent HIPAA rules enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information.

I’m still waiting to see what changes were made with respect to tightening the wording around “breach” and “unsecured”, but I suspect that two things will be true:

  1. It’ll be an improvement,
  2. It won’t go as far as most security practitioners would like

Regardless, these regulations governing the notification of security breaches within the health care industry (i.e. HIPAA-covered entities) are overdue and I hope they have some positive impact. In the past I’ve found health care providers to have particularly weak network security (compared to the standard enterprise environment). That is not to say that their security teams aren’t working damned hard on securing their infrastructure – rather, they are subject to so many mandated inhibitors that they are prevented from pursuing an optimal security strategy. For example – the time delay between an OS vendor patch being “validated” by a medical equipment manufacturer and that patch actually being installed, with the installation itself subject to insurance coverage.

There is still a lot of work to be done in this area – in particular around the ambiguity of some of this terminology. For example, “unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary – which can be as strict or as vague as you would like to interpret it.

Perhaps most telling of the impact on HIPPA-covered entities will be…

The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach and the form, manner, and timing of that notification.

I predict that we’ll see quite a few data breach disclosures at the tail end of this year because of these new rules – and you can expect that there will be quite a media frenzy after a couple of these public disclosures. That said, I wouldn’t expect to see any real positive changes to health care cyber-security until late next year. There are many cogs to the health-care machine and it’s going to take some time before they’re all moving in unison.

There’s more to the story though. One thing I’ve noticed before in this particular vertical is how prone it is to malware attacks. I think this is due more to the breadth of information systems and their connectivity than to any single design flaw. Because so many people, providers, hospitals and third-parties access the PHI pool of data, it’s easy for it to become contaminated. The problem though is that malware is probably the least of their problems.

Professionally developed bot agents are an increasingly tough adversary to counter within HIPAA-covered entities. As the value of common PII (e.g. credit card details and address information) continues to drop as it becomes a commodity to cyber-criminals, Protected Health Information (PHI) represents a richer data set and comes with a higher salable value.

The net result is that the health care industry is (already) prime fodder for bot masters and their organized cyber-crime compatriots. However, unlike the nuisance malware outbreaks of Christmas past, botnet infections are in fact data breaches. Once a bot agent gets installed, it establishes a connection with the cyber-criminals’ command-and-control (think of this in terms of a private VPN between the cyber-criminal and the health care provider’s network – complete with administrative credentials) – which is going to result in a mandated public disclosure for the provider.

Like I said, get ready for a lot of data breach reports – with a lot of them driven by the discovery of botnets operating within HIPAA-covered entities.

– Gunter Ollmann, VP Research
