HIPAA compliance not enough, warns security solutions expert
Regulation alone is not enough to meet today’s escalating threats to healthcare, according to Kurt Long, CEO of security solutions provider FairWarning, speaking at HIMSS’16, a healthcare IT conference.

Long called on care providers to secure and protect their applications that hold the “crown jewels” of their patient information, citing that HIPAA compliance is not enough to protect patient health information and curtail data breaches.

“As the value of protected health information soars for a host of nefarious purposes, there is now a need for the convergence between privacy, compliance and security in healthcare,” said Long. “It is no longer ‘am I simply compliant with HIPAA.’ It’s ‘will my hospital be offline for a week because of a ransomware attack.’”

Bad actors are moving faster than ever in their attacks on healthcare providers, compromising both patient information and the institutions themselves, he continued.

“For businesses relying strictly on HIPAA compliance and an industry waiting on OCR enforcement of HIPAA, this approach is simply not enough. Care providers need to secure and protect their applications that hold the mother lode of patient information, their Electronic Health Records as well as all the supporting applications.”

Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the technology and threat landscape to healthcare has changed dramatically, he added.

“HIPAA was written for a different time – when these threats didn’t even exist. If you assume because you’re HIPAA compliant it means you’re protected, you’re in trouble.”

He urged organizations to closely monitor what is happening at the application level, including electronic health records and fast-growing cloud applications like Salesforce and Office 365. “They must consider every possible attack vector; assume we can be compromised from every vector until we have proven we have not; monitor, analyze and respond in near real-time and coordinate across traditional vendor lines against coordinated external and internal attacks,” he said.