
Compliance Does Not Equal Security

February 25, 2014

Within the last month, several notable healthcare security surveys and reports were released. As usual, they showed improvement in some areas, but overall they confirmed that healthcare continues to lag in its embrace of sound security and compliance practices.

Most of these surveys are self-selected, meaning the organizations that participate volunteer to fill out a questionnaire or be interviewed, as opposed to someone collecting empirical data and analyzing what it tells us. This time, however, someone finally did that, and the work was conducted as part of the SANS Analyst Program, which publishes threat research. The eye-opening report, titled "Health Care Cyberthreat Report: Widespread Compromise Detected, Compliance Nightmare on Horizon," provides a sobering look into the state of data security in healthcare.

What is important, as I mentioned above, is that this research was conducted using the Norse threat intelligence infrastructure, a global network of sensors and honeypots that processes and analyzes over 100 terabytes of traffic daily. In layman's terms, that is an incredible amount of information, and it was observed directly on the network rather than reported by the organizations themselves, so they had no opportunity to filter or soften it. As a result, this report, unlike many of the surveys published each year, provides real intelligence on what is actually happening in our healthcare information technology ecosystem. If you have not seen this report, I recommend you get a copy and share it with others in your institution.

The conclusions of this report are in some ways startling, but in others they reinforce what we already knew: the majority of the risk to patient information resides with providers; third-party relationships increase our risk; and the majority of our issues stem from poor administrative security practices rather than from highly sophisticated attacks. What is really eye-opening in the report, though, is the sheer volume of compromised and vulnerable systems that was detected. Add to this the compounding factors that healthcare still lags behind other industries in IT security spending, still suffers in many institutions from a lack of qualified personnel running its security programs, and continues to focus on compliance instead of on securing systems and data, and you have a recipe for significant breach activity. Add to that the increasing costs of security incidents and breaches reported in this year's annual study by the Ponemon Institute, and the financial impact of these events can be staggering for healthcare.

One of the issues I hear regularly around the country is that IT and security teams struggle to translate the need for security into business objectives, and as a result fall short of getting priority for their initiatives. These studies and reports, taken together, provide objective supporting material for building that business case. One major breach costing millions of dollars can sideline a clinical initiative, and repeated breaches can damage an organization's professional reputation or, worse, put patients at risk. Together this body of information provides peer review of the challenges we face with security, evidence of a real and demonstrable threat, and an estimate of the potential costs of incidents using real data. More than 90 percent of healthcare operations and practices are computerized, an equal percentage of patient information is digitized, and we share data with countless others every day. Networks, computers and data are all critical assets in healthcare, and our security controls need to be adequate to protect them.

We need to change our culture in healthcare. Information assurance should be the priority, and compliance the by-product of doing things right. The SANS report, as it states near its end, should serve as a wake-up call. That won't happen unless security practitioners get it in front of executives and use it to support their message.