Securing Health Data Means Going Well Beyond HIPAA

Jon R. Anderson | GovTech Works | August 17, 2017

A two-decade-old law designed to protect patients’ privacy may be holding health care organizations back from doing more to protect sensitive health data from theft or abuse. The Health Insurance Portability and Accountability Act (HIPAA) established strict rules for how health data can be stored and shared. But in making health care providers vigilant about privacy protection, HIPAA may inadvertently distract them from something just as important: overall information security, including the integrity and availability of clinical systems.

“Unfortunately I think HIPAA has focused healthcare organizations too much on data privacy and not enough on data integrity, data loss, disrupted operations and patient safety. You can get your identity back at some point, but not your life,” warns Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC). “Many of the attacks we are seeing, such as WannaCry, are disruptive attacks and are not data theft attacks. Organizations should be driven to focus on enterprise risk management and it should come from the Board and CEO level on down.”

“Cybersecurity in Health Care crosses a wide spectrum of issues,” adds Sallie Sweeney, principal cyber solutions architect in the Health and Civilian Solutions Division of systems integrator General Dynamics Information Technology (GDIT). “It’s not just protecting patient data. It includes protecting their financial data and making sure the medical equipment works the way it’s supposed to, when it’s supposed to, without potential for error. Think about the consequences of a Denial of Service attack aimed at the systems monitoring patient vital signs in the ICU. You have to look at the whole picture.”...