Why Did My HIPAA Compliant Cloud Solution Just Get Hacked?

February 10th, 2021

It’s easy to understand why the U.S. Department of Health and Human Services (HHS) enforces requirements for Health Insurance Portability and Accountability Act (HIPAA)-compliant cloud solutions. According to HIPAA Journal, healthcare organizations reported 3,705 data breaches to the HHS Office for Civil Rights between 2009 and 2020. In total, 268,189,693 healthcare records have been lost, stolen or disclosed without authorization. Furthermore, the number of healthcare data breaches has been increasing since 2015. That year, there were 270 reported breaches; in 2020, there were 642.

The security and privacy of healthcare records can directly impact patient outcomes, but a data breach can also have a big impact on healthcare organizations themselves. Penalties can rise to millions of dollars for systematic noncompliance or when violations go unaddressed for long periods.

The Rise of the HIPAA-Compliant Cloud Solution

Before HIPAA became law in 1996, there weren’t standards across the healthcare industry to protect health information. Also, regulations hadn’t caught up with new technologies healthcare providers were using more often to file and pay insurance claims, share patient information with collaborative teams, and manage healthcare facilities’ administrative tasks.

Cloud solutions and services providers responded to the demand with “HIPAA-compliant solutions,” making sure that their offerings met the technical requirements detailed in HIPAA’s Privacy Rule and Security Rule.

Unfortunately, one scenario has played out over and over again as healthcare organizations deployed compliant solutions. It starts with a healthcare provider carefully vetting options, for example, for HIPAA-compliant QuickBooks hosting, cloud storage, or backup and disaster recovery. The healthcare organization does its due diligence to confirm the cloud solution provider has a highly trained staff and is transparent about its compliance audit history, and the provider signs a business associate agreement (BAA). Technically, the healthcare organization has found the perfect solution.

The healthcare organization turns over the information about the solution to its insurance provider and a HIPAA compliance auditor, checks the box next to “compliant solution,” and turns its attention to other things.

Then, the Data Breach

In this hypothetical, the next part of the story is the healthcare provider’s shock when hackers gain access to the system – as well as patient and insurance data. After all, wasn’t the HIPAA-compliant cloud solution supposed to be secure?

And therein lies the crux of the matter: compliance is not security. Many organizations learn the hard way that technology in perfect compliance with HIPAA, PCI, SOC 2, ITAR, or other regulations doesn’t inherently eliminate security threats. Compliance and security must be used in tandem as part of a comprehensive cybersecurity strategy. If a healthcare organization doesn’t properly train its employees on security best practices and enforce its security policies in a trust-and-confirm way to ensure employees are doing what they’re supposed to do, it will still be vulnerable to data loss and security breaches. No matter how many compliance boxes you’ve checked, no solution is secure if employees fall for a phishing attempt and give out login credentials, or copy data from the system and share it in an email.

Healthcare organizations must also conduct risk assessments of factors beyond human error, such as threats to stored and archived records, how third-party providers use technology within their organizations, and the security of medical devices and Internet of Things (IoT) systems. They must also determine how they’ll respond to minimize damage if hackers or malware get into their systems.

Compliance’s True Purpose

Using a HIPAA-compliant solution is no guarantee that it – or your healthcare organization’s network as a whole – is secure. It’s possible to be compliant on paper but vulnerable to attack in practice. That box you check next to deploying a HIPAA-compliant cloud solution isn’t enough to protect your organization. Only a comprehensive plan that addresses all risks can.

Proving your organization is HIPAA compliant is necessary to be able to operate, but the most secure healthcare providers understand that it’s more than checking boxes and dealing with red tape. The real effort of complying with the HIPAA Privacy and Security Rules means your organization has begun to adopt industry best practices for keeping data safe. Deploying HIPAA-compliant cloud solutions is a part of that plan – but not the whole plan. Create a total strategy that will keep your patients’ and your organization’s data safe.
