Post by Moshe Ben Simon, VP of Services and Research
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as United States Public Law 104-191, brings significant and complex compliance requirements to the U.S. healthcare organizations that are covered under the legislation. Generally speaking, these regulated entities include health-care providers, health plans, and health-care clearinghouses, along with many of the vendors (business associates) that support them in handling, storing, and processing electronic protected health information (ePHI).
HIPAA focuses in part on ensuring the confidentiality of patient data (ePHI) by requiring covered entities to implement administrative, physical, and technical safeguards, alongside the Privacy Rule's limits on how that data is used and disclosed. These required steps become more challenging in the face of the current escalation in cyber attacks. The cyber security threat not only jeopardizes the secure handling and protection of patients' ePHI, but also increases the risk to well-intentioned health-care providers of running afoul of the regulation.
Financial penalties for HIPAA compliance failure can be significant. The goal is to hold covered entities accountable for their actions and help ensure that they take steps required under HIPAA to protect the privacy and confidentiality of healthcare information. In 2016 alone, a quick review of the public resolution agreements (settlements between HHS OCR and a specific covered entity) reveals many millions of dollars in fines levied against healthcare organizations.
In our newly released position paper, “Deception Technology and HIPAA Compliance,” TrapX provides an overview as to how deception technology can help meet compliance requirements, reduce risk, and, most important, reduce the likelihood of successful attacks. This benefits both patients and covered entities. We share our view of specific sections of HIPAA and address how deception technology can meet compliance needs in a comprehensive manner.
Deception technology enables new best practices that, in turn, enable you to build out more comprehensive and effective cyber defenses. Traditionally, cyber defense has focused on keeping attackers out by defending the endpoints and perimeter. However, in today’s health-care environment, this strategy must change. Health-care organizations must assume that attackers will penetrate their networks regularly. They will get in.
Deception technology enables you to answer key questions such as, “How will we know when cyber attackers have penetrated our networks? How will we detect them rapidly and understand their intentions? How will we terminate attacks rapidly and return to normal operations?” Your HIPAA risk assessment, coupled with new best practices and deception technology, can now address these scenarios much more effectively. Attackers will penetrate your networks, but now you can have a viable strategy to minimize or eliminate their ability to breach your ePHI data and impact ongoing operations.
Deception technology also addresses the current rapid escalation in the use of ransomware. Ransomware is the newest and most visible type of attack to threaten hospitals globally. Recently, in the U.K., ransomware attacks against several hospitals forced them to suspend ongoing operations, including patient procedures and surgeries. Without powerful new cyber-defense technologies, healthcare providers have limited choices in meeting the ransomware threat proactively.
HHS OCR has clarified its position on ransomware in its 2016 guidance: you must address ransomware threats in your risk assessment; you must have contingency plans to address it; and you must presume that ePHI encrypted during a ransomware attack has been breached unless a documented risk assessment demonstrates a low probability that the data was compromised. This raises the bar on risk, reporting, and the overall probability of a reportable breach.
Deception technology changes the playing field and provides new alternatives in meeting and defeating the ransomware threat. You can stop ransomware threats in real time before data can be accessed and breached.
The core of TrapX's strategy to meet increased threats and strengthen HIPAA compliance and management is our flagship DeceptionGrid™ product. DeceptionGrid can help identify, remediate, and reduce risk to ongoing health care operations and ePHI data from wide-ranging attack types, including attacks on medical devices (medical device hijack, or MEDJACK).
DeceptionGrid provides emulations for a variety of medical devices, deployed as Traps on the network to attract and identify attackers. TrapX systems can also identify hidden attacker communications traffic and the use of "backdoors" within existing medical-device assets. Because no legitimate user has a reason to touch a Trap, a single touch or look (even a ping against its IP address) identifies an attacker with high probability as they attempt to move laterally through healthcare networks in search of ePHI data targeted for theft.
DeceptionGrid also brings specific ransomware protection, identifying, delaying, and stopping ransomware attacks before they can critically damage health care data and disrupt operations. DeceptionGrid surrounds real data with a virtual barrage of fake SMB data shares. Once ransomware begins encrypting the fake data shares, the attack is identified conclusively. The fake data shares delay the attacker while cyber defense teams observe the behavior, determine the extent of the ongoing attack, and then safely shut it down and resume normal operations.
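The mechanism behind the fake-share detection above, as an added example rather than TrapX or DeceptionGrid code: plant decoy files that nobody legitimate should ever touch, record a baseline, and on each scan flag any decoy that has gone missing, been renamed, or been rewritten with high-entropy content (the signature of an encryption pass), plus any unexpected new file such as a ransom note. The decoy names, the decoy content, the entropy threshold, and the `simulate_ransomware` stand-in (an XOR against a SHA-256 keystream, not real ransomware) are all constructed for this example.

```python
"""Decoy-file (canary) monitor for a fake file share.

Added example, not TrapX code. Plants decoy documents in a directory,
records a baseline, and on each scan flags decoys that were deleted,
renamed, or rewritten with high-entropy content (the signature of a
ransomware encryption pass). Names, content and paths are constructed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed decoy names, chosen to look attractive to an intruder.
DECOY_NAMES = ["patient_census_Q3.csv", "billing_export_2016.csv",
               "radiology_backup_notes.txt"]
# Constructed low-entropy content resembling a data export (no real PHI).
DECOY_CONTENT = (b"mrn,last_name,first_name,dob,procedure\n"
                 + b"000000,DOE,JANE,1970-01-01,MRI-KNEE\n" * 100)
# Assumed threshold: plain text sits around 4-5 bits/byte, ciphertext near 8.
ENTROPY_ALERT_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_decoys(share_dir: str) -> dict:
    """Write the decoys and return a baseline {filename: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        with open(os.path.join(share_dir, name), "wb") as f:
            f.write(DECOY_CONTENT)
        baseline[name] = sha256_hex(DECOY_CONTENT)
    return baseline


def scan_decoys(share_dir: str, baseline: dict) -> list:
    """Compare the share against the baseline; return (filename, reason) alerts.

    Any difference is an alert, since no legitimate process touches a decoy.
    The entropy check separates an encryption pass from an ordinary overwrite.
    """
    alerts = []
    present = set(os.listdir(share_dir))
    for name, digest in baseline.items():
        if name not in present:
            alerts.append((name, "decoy missing: deleted or renamed"))
            continue
        with open(os.path.join(share_dir, name), "rb") as f:
            data = f.read()
        if sha256_hex(data) == digest:
            continue
        ent = shannon_entropy(data)
        if ent >= ENTROPY_ALERT_THRESHOLD:
            alerts.append((name, f"rewritten with high-entropy content "
                                 f"({ent:.2f} bits/byte): probable encryption"))
        else:
            alerts.append((name, f"modified (entropy {ent:.2f} bits/byte)"))
    for name in sorted(present - set(baseline)):
        alerts.append((name, "unexpected new file in decoy share "
                             "(renamed output or ransom note?)"))
    return alerts


def simulate_ransomware(share_dir: str) -> None:
    """Constructed stand-in for a ransomware pass: overwrite each decoy in
    place with plaintext XOR a SHA-256 keystream, rename the last one with a
    .locked suffix, and drop a ransom note. Not real cryptography."""
    for name in DECOY_NAMES:
        path = os.path.join(share_dir, name)
        with open(path, "rb") as f:
            plain = f.read()
        stream = b"".join(hashlib.sha256(b"demo-key" + i.to_bytes(4, "big")).digest()
                          for i in range(len(plain) // 32 + 1))
        with open(path, "wb") as f:
            f.write(bytes(p ^ k for p, k in zip(plain, stream)))
    last = os.path.join(share_dir, DECOY_NAMES[-1])
    os.replace(last, last + ".locked")
    with open(os.path.join(share_dir, "READ_ME_TO_DECRYPT.txt"), "wb") as f:
        f.write(b"Your files have been encrypted.\n")


def run_demo() -> tuple:
    """Plant decoys, take a clean scan, run the simulated attack, scan again."""
    with tempfile.TemporaryDirectory() as share_dir:
        baseline = plant_decoys(share_dir)
        clean = scan_decoys(share_dir, baseline)
        simulate_ransomware(share_dir)
        after = scan_decoys(share_dir, baseline)
    return clean, after


if __name__ == "__main__":
    clean_scan, after_attack = run_demo()
    print("clean scan:", clean_scan)
    for decoy, reason in after_attack:
        print(f"ALERT {decoy}: {reason}")
```

In practice the scan would run on a short timer (or on a filesystem change notification) against decoy shares exposed over SMB, and any alert would drive the isolation step the paragraph describes; the entropy test is what lets the responder distinguish an encryption pass from a stray overwrite without inspecting the attacker's code.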
TrapX Security has the tools to support your HIPAA compliance initiatives. We can help you better assess the risk to your health care environment, and we provide new technologies that can help you manage that risk and reduce it to the lowest levels possible. For more information, please read our new position paper: “Deception Technology and HIPAA Compliance,” and call us to find out more about how we can help increase your HIPAA compliance by improving your cyber defenses.
Full report: White Paper: TrapX Security Guide HIPAA