Healthcare
Healthcare is a data-rich industry sector and as such has some extensive security regulations to adhere to. The main body of regulations used within this sector is the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
HIPAA
HIPAA was introduced in 1996 and the HIPAA Privacy Rule covers the security of Personal Health Information (PHI). PHI is has a very wide scope. It includes all personal information, such as name address and so on, but it also includes medical records and even DNA. HIPAA specifically regulates how PHI is handled, i.e. used and disclosed. It is meant, however, to get the balance between security and usability of PHI right; it is important to keep health data flowing and available for improved health care. The Privacy Rule covers health plans, healthcare providers, and health care clearinghouses. Importantly, it also covers ‘business associates’. This means that the extended ecosystem of third-party vendors used by health care also needs to be HIPAA compliant. Essentially any healthcare CIO is responsible for ensuring that third-party vendors take due care of any PHI that comes under their remit.
HITECH
HITECH was introduced in 2009 as a way of encouraging the use of Electronic Health Records (EHR). HITECH is a separate law to HIPAA but they work in symbiosis. HITECH, for example, has set fines for non-compliance of HIPAA security regulations.
The HIPAA Omnibus rule, introduced in 2013, strengthens the main security requirements of HIPAA and sets the expectations of the breach notification rule to cover any breach of over 500 individuals. The breach must be reported to the U.S. Department of Health and Social Services, and the details made publicly accessible.
Statistics:
|
Frequency |
655 incidents, 472 with confirmed data disclosure |
|
Top Patterns |
Ransomware, Miscellaneous Errors, Basic Web Application Attacks and System Intrusion represent 86% of breaches |
|
Threat Actors |
External (61%), Internal (39%) (breaches) |
|
Actor Motives |
Financial (91%), Fun (5%), Espionage (4%), Grudge (1%) (breaches) |
|
Data Compromised |
Personal (66%), Medical (55%), Credentials (32%), Other (20%), (breaches) |
