During a risk analysis and compliance review, I showed a distraught CEO that she had over $5.8 million in regulated data on an unencrypted desktop computer that wasn’t backed up, with a user password set to never expire. It hit close to home, because the data included the Social Security Numbers of the entire staff, including hers. She asked me, “Why aren’t our people following our policies?!”
Simply put, the organization prioritized compliance policies over validating cybersecurity and assumed – incorrectly – that cybersecurity would automatically follow.
The leadership team thought their written encryption policy meant that all sensitive and regulated data would automatically be stored on encrypted devices. They thought their password policies meant that their IT department automatically set everyone up with passwords set to expire.
They assumed that all sensitive data was automatically protected once their policies focused on Protected Health Information (PHI). Personally Identifiable Information (PII) – the Social Security Numbers, Driver’s License Numbers, and Direct Deposit information for their employees – is protected by state data breach laws but was not listed in any policy, because the policies focused only on HIPAA.
Their cyber-liability insurance policy may not have paid off after a breach of the HR data because their application for insurance said they identified all their security risks and remediated them. How would they have explained the loss of unencrypted data they didn’t even know was on that computer?
You could ask a lot of people if they realize that their Data is Worth More than Gold.
But you can’t ask the Wood Ranch Medical Clinic, The Heritage Company, or PM Consultants, because they all went out of business in 2019 after suffering ransomware attacks.
What is terrible is that each probably believed that it was compliant.
Data is the thread that holds businesses together. Everyone in healthcare organizations, from the CEO down to line-level employees, must take responsibility for data protection. But it doesn’t happen as often as it should, which is why we are seeing more legislation and regulation.
Cybersecurity and compliance are two different things.
Cybersecurity is protecting data against loss, theft, or unauthorized access. Compliance is anything someone else makes you do, and it is a lot more than just HIPAA. Compliance also includes state laws, contracts and data use agreements, licensing requirements, and insurance policies.
Cybersecurity requires you to do the things necessary to secure data. Compliance rules limit your choices. But being secure doesn’t mean you are compliant enough to pass an audit or data breach investigation. Doing the right thing is important, but regulators and lawyers suing you after a breach only care about one thing – written policies, procedures, and evidence. You still need documentation, but it’s best to focus on it after you make yourself secure.
Some compliance requirements are vague, like “You must protect your devices against malicious software,” while others are quite specific, like “You must install security patches and updates within 30 days of their release.” When was the last time you checked to make sure a security patch was installed? The former Equifax CEO wished he had checked, because a missed patch caused their breach and his job.
To be compliant you must back up your data. To be secure against the latest ransomware, which also deletes backups, you must have separate offline backups hackers can’t find.
Cybersecurity and compliance combine in HIPAA and state regulations that tell you what you must do – or what you must prevent – to protect your data.
They also combine in your cyber-liability insurance policy, which may not pay off if you aren’t doing what you promised in the application you filled out when buying the policy. Just ask Cottage Health, which paid $9.1 million out of its own pocket after its insurance carrier sued because it wasn’t securing data consistent with what it claimed in its insurance application.
Ronald Reagan is famous for saying “Trust but Verify.” When it comes to cybersecurity you should just Verify.
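As an added illustration of what “just Verify” looks like in practice (this script is not from the article or its author), here is a read-only PowerShell check for the three findings described above on a domain-joined Windows desktop: a volume without encryption, an account whose password never expires, and a machine that has not received a security update within the article’s 30-day example window. It assumes the BitLocker and ActiveDirectory PowerShell modules are installed, that it runs with local administrator rights, and that the 30-day threshold and the `C:\Evidence` output path are local choices; it writes its findings to a dated file so there is documentation to show an auditor. Whether offline backups exist and actually restore cannot be proven by a script and has to be verified by a restore test.

```powershell
# Added verification example, not part of the original article.
# Assumptions: BitLocker and ActiveDirectory modules present, run as local admin,
# $MaxPatchAgeDays and $EvidenceDir are local policy choices, not values from the article.
function Invoke-SecurityVerification {
    param(
        [int]$MaxPatchAgeDays = 30,              # article's "30 days" patching example
        [string]$EvidenceDir = 'C:\Evidence'     # hypothetical evidence folder
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Encryption: every fixed volume should report BitLocker protection 'On'.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("ENCRYPTION: volume $($vol.MountPoint) protection is $($vol.ProtectionStatus)")
        }
    }

    # 2. Passwords: enabled domain accounts whose password is set to never expire.
    $neverExpire = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                              -Properties PasswordNeverExpires
    foreach ($user in $neverExpire) {
        $findings.Add("PASSWORD: account $($user.SamAccountName) has PasswordNeverExpires set")
    }

    # 3. Patching: most recent Windows update installed on this machine.
    # Get-HotFix only lists Windows updates, not third-party software patches.
    $latest = Get-HotFix |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1
    $cutoff = (Get-Date).AddDays(-$MaxPatchAgeDays)
    if (-not $latest -or $latest.InstalledOn -lt $cutoff) {
        $when = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'never' }
        $findings.Add("PATCHING: no Windows update installed in the last $MaxPatchAgeDays days (latest: $when)")
    }

    # 4. Evidence: regulators ask for documentation, so keep a dated record of the check.
    if (-not (Test-Path $EvidenceDir)) { New-Item -ItemType Directory -Path $EvidenceDir | Out-Null }
    $report = Join-Path $EvidenceDir ("verify-{0}-{1:yyyyMMdd}.txt" -f $env:COMPUTERNAME, (Get-Date))
    $header = "Security verification on $env:COMPUTERNAME at $(Get-Date -Format s)"
    if ($findings.Count -eq 0) {
        @($header, 'No findings.') | Out-File -FilePath $report -Encoding utf8
    } else {
        @($header) + $findings | Out-File -FilePath $report -Encoding utf8
    }

    # Return the findings so the caller (or a scheduled task) can act on them.
    return $findings
}

# Usage: run on the desktop being verified and review the returned list.
$results = Invoke-SecurityVerification
$results | ForEach-Object { Write-Output $_ }
```

Run it against the machine in the story and it would have surfaced all three problems before an assessor did. The point of writing the findings to a file rather than only printing them is the article’s own: after a breach, the question is not whether you were secure but whether you can prove you checked.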
Hope isn’t an effective business strategy. When your life is at stake you should always get a second opinion. The best way to find out if you are really secure enough to sleep at night is through a comprehensive security and compliance assessment conducted by an independent expert, not just a HIPAA Security Risk Analysis or a penetration test.
Knowing that cybersecurity isn’t automatic because of your compliance efforts, what will you do tomorrow that you would not have done today?
Mike Semel is a 35-year IT industry veteran; Hospital & K-12 School District Chief Information Officer (CIO); IT solution provider business owner; certified in HIPAA, Compliance, & Business Continuity Planning; and a nationally recognized compliance consultant, speaker, and HIPAA courseware author.