Keith Rabbin is a Senior Security Consultant at Cisco who is passionate about helping organizations minimize the risk they face with the evolving threat landscape. This passion has led him to develop a security-focused assessment based on the Cisco SAFE Framework that helps organizations identify gaps in their security capabilities and develop an action plan to mitigate them.
Recently, Keith pointed out a trend he’s been noticing in healthcare: Harsher penalties for HIPAA violations. Read on to hear what he has to say about avoiding data breaches and their regulatory consequences.
Does a HIPAA Breach now equal jail time?
The statutes for criminal prosecution have been in HIPAA for a very long time, but they have not been put to use very often. Large monetary penalties have made headlines over the years. Now, it appears that criminal convictions are also something to take seriously.
While HIPAA is not the only way for regulatory negligence to lead to a stint behind bars, it is certainly a high profile one. “Hey doc, whatchya in for?” Well, I failed to protect my patient’s data health like I was protecting their physical health.” Seems odd, but this is feasible. Maybe it is time to have another conversation around your risk acceptance policies and how they have driven security controls and adoption.
What to consider, you ask?
Well here are four of the most egregious situations I commonly see:
Lack of segmentation. Combining the medical device network with the enterprise network and not properly segmenting the traffic is common—and risky. It is imperative that medical devices are NOT available on the same network as the general traffic in your facility. This can not only create functional problems for the environment, or a very easy entry point into the network, but absolutely puts patient safety at risk.
Alert manipulation. “It is only in alert mode because I don’t want to affect patient safety and have something critical blocked by a security control.” But if the network is set up properly, this will not happen. It is MUCH more likely that you will not see or respond to the alerts in a timely fashion and it leads to someone being harmed by malware/ransomware running rampant in your environment. So be sure to properly configure your Intrusion Prevention System (notice I DIDN’T say Intrusion Detection System), network security controls, and endpoint security controls.
Failure to analyze. Speaking of alerting (and monitoring), so many organizations just send logs to a log server and never do a thing with them until it is too late. Get a SIEM (security information and event management) or MSSP (managed security service provider) to ingest those logs, aggregate and correlate, apply use cases and give you contextual and meaningful alerts — so you can respond in a timely manner.
Insecure endpoints. It’s simple: anti-virus is not enough to protect your laptops, and subsequently your network, from everything out there. If you let these laptops go out onto unsecured networks and then back onto your network, they’ll be bringing every virus in the world along with them. Put on some endpoint based web-content filtering, DNS (Domain Name System) security, advanced anti-malware tools, and multi-factor authentication. Protect yourselves, protect your network!
Now, these are just the basics. To find out more, bring in someone skilled in assessing your architecture to do a thorough architecture review, a Cisco SAFE workshop or similar. Take the time now to proactively manage your cybersecurity policies to protect the physical and financial health of your patients and your organization.
Thanks Keith for the “uncomfortable conversation” around security. Hopefully, this advice can help someone avoid an unpleasant breach or regulatory surprise.
And hey—while you’re here, read more about Cisco security solutions for healthcare.