Healthcare has remained on the fringes of direct cyber targeting, but the value of health data now places many organizations in line for a cyber catastrophe. Today, a government report found security vulnerabilities in a national health care database that could impact millions of Obamacare patients. The Obama administration acted quickly to resolve the issues. In this case, the organization got lucky and, as far as it knows, pre-empted an attack.
Health data is an easy target because many organizations have only the Health Insurance Portability and Accountability Act (HIPAA) to guide their security. Recent events make it painfully obvious that the requirements of HIPAA are not sufficient to ensure the security of health data. Just as with the Payment Card Industry Data Security Standard (PCI DSS), minimum compliance with HIPAA regulations does not lead to protection of all health data. HIPAA only requires that organizations “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
Risk management requires forethought and an understanding of the threat landscape in order to be effective, especially for large organizations. Until a couple of years ago, there was no credible threat with regard to the theft of health data, because large breaches did not occur. The threat landscape has changed, however, and there is now demonstrable evidence that healthcare is being directly targeted. Therefore, the measures sufficient to reduce risks and vulnerabilities now require increased protection and defense commensurate with the emerging threat.