HIPAA breaches in top 5 security worries
'Many BAs are simply ignoring the requirements.'
Every year, Coalfire, an IT governance, risk and compliance firm, names its top 5 information security and compliance predictions for the new year. And this time around, healthcare data breaches made the cut.
The prediction? Expect a huge increase in data breaches reported come 2014, all thanks to the HIPAA Final Omnibus Rule, which took effect this September and holds business associates accountable for violating certain HIPAA privacy and security rules.
Here's the thing, though, according to the predictions report: Many BAs don't know they're BAs -- and that's problematic.
"Many BAs are simply ignoring the requirements, which will lead to a plethora of data breaches in 2014," Rick Dakin, chief security strategist at Coalfire, wrote.
[See also: Ready or not: HIPAA gets tougher today.]
However, Leon Rodriguez, director at Office for Civil Rights, the HHS division responsible for enforcing HIPAA, said business associates have known for a while this change to HIPAA was coming.
"We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations," he told Healthcare IT News back in August.
Despite this, Ted Kobus, New York-based attorney for BakerHostetler whose expertise focuses on privacy and data breaches, said in reality business associates are very much lagging behind. They're just not as prepared as they should be, said Kobus. "We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions," he explained this fall.
Kobus said between 30 and 70 percent of privacy and security breaches involve a vendor, which puts tremendous pressure on the government to also make BAs liable and follow up with enforcement.
The Omnibus Final Rule also expands the definition of business associate to include: health information organizations, e-prescribing gateways, certain PHR providers, patient safety organizations, data transmission service providers with access to PHI and contractors involved with PHI.
Coalfire also made a second prediction very much relevant to healthcare and BYOD.
"There will be a significant increase in malware for Android phones, and malware will begin to affect iPhones too," the report said.
This holds big implications for bring-your-own-device movements at hospitals nationwide, especially given that some 80 percent of all Android mobile phones were unprotected from malware, according to an F-Secure report earlier this year.
[See also: 'Ethical hacker' calls BYOD a nightmare.]
"The capabilities of the smartphones far exceed the security of the data used in those devices," Dakin wrote.
Kevin Johnson, a self-described "ethical hacker" and chief executive officer at network security firm Secure Ideas, also cautioned against BYOD in hospitals, specifically for security reasons.
"The security of these devices has been made even worse because of the applications we run on them," he said at the Healthcare IT News Privacy and Security Forum this September.
Take an app example, he said: a note-taking application for a nurse. "Where does it store the data? Did it lock the permissions down to the data so another app on that phone can't read it?" Many don't.
Coalfire's other three security predictions for 2014 include:
- Expect a big security breach at a cloud service provider. This "new area of concern" should be a "big concern since a single cloud provider may house sensitive information on tens, if not hundreds or thousands of individuals," the report reads.
- Migration from compliance to IT risk management will accelerate.
- Emerging threats will shift security programs from status boundary protection to more practice monitoring and response programs.