How one health care provider learned that compliance does not equal security
Which causes business leaders to buy into an IT security assessment quicker: ransomware or a data breach?
Unfortunately, that’s just the situation a regional health care provider network faced a few years ago. Although the IT staff knew a review of the security of the network and file server was overdue, the C-suite remained focused on existing HIPAA compliance guidelines.
That’s when a ransomware attack hit, resulting in a data breach. A user simply clicked on a popup, ransomware was then installed on the machine, and the health care records stored on that user’s local hard drive were compromised.
After the breach was fixed and the damage assessed, management realized many questions needed answering: Why did this attack happen? What should be IT’s first step in protecting data? What data should be secured? How could the organization balance compliance and security to stop attacks in the future?
A unique business need
In order to understand the organization’s dilemma, it’s important to know its structure. The health care provider network (which we’ll call HCPN) had multiple branches that serviced different health care arenas, such as behavioral health services and telepsychiatry. As a result, many of HCPN’s doctors and nurses worked in different locations, with and without an internet connection. For example, the network provided health services for a number of correctional facilities, and the mobile devices used by doctors and nurses weren’t always connected to the internet during the business day. As a result, many devices didn’t continuously connect to HCPN’s file share, and data was usually stored on the local hard drive.
The organization recognized the need for a security assessment before the attack, but every service that leadership and IT examined was either too expensive or not comprehensive enough. It also needed a risk assessment that satisfied HIPAA compliance requirements. The strict requirements delayed both assessments, and there was no easy path forward.
Security and compliance: related, but not the same
While many at HCPN thought compliance equaled security, a risk assessment revealed that those two forces were out of balance. For example, the doctors and nurses working at correctional facilities couldn’t access the network’s file server because the facility’s web filter blocked their data flow. Instead, these employees stored sensitive patient data on the local hard drive, and would later upload those files to the network’s file server. As a result, that data resided in two places; the data on the server met HIPAA standards, but that same information was at risk because it was also stored on an unsecured hard drive.
Zooming out from the security snapshot
Now that the risk assessment confirmed that HCPN was out of HIPAA compliance, a security assessment was needed to determine what problems it was facing. Because the network had many branches of services, IT knew a security assessment of the entire firm would be too costly and complex. Instead, it worked with SHI and DataGravity to examine a total of about four terabytes of data on the file server, portal servers, and 10 random computers. This independent snapshot of a small amount of data would give senior leadership a clear understanding of the deficiencies at hand, and would help establish a security plan for the future.
What did this security picture show? Those four terabytes revealed that the health care provider had thousands of files storing Social Security numbers and credit card data — much of it unsecured — and new sensitive data was being generated every day. Ongoing procedures needed to be established in order to secure data and keep the network in compliance.
Moving on past old security woes
Being reactive is human nature, and security issues are often only addressed when a data breach occurs. For HCPN, an independent security review helped create a roadmap toward better security and compliance. Now, the provider’s employees are better protected from various forms of attack and the data is better locked behind high walls.
After a hard-learned lesson, this regional health care provider understands that while security and compliance go hand-in-hand, they are not the same. IT and senior business leaders now simultaneously prioritize compliance and employee and patient security.
If your organization is overdue for a security assessment, contact your SHI account executive to see what options are available to you.