Healthcare IT departments are failing to meet HIPAA network security requirements, according to a recent SANS report.
SANS is the largest and most trusted source of information security training and certification in the world. Its report estimates the number of compromised healthcare systems in the millions.
The report’s subtitle says it all:
“Widespread Compromises Detected; Compliance Nightmare on Horizon”
The report’s data is from the Norse threat intelligence network, a global system of sensors and honeypots that collects data on malicious traffic.
The network recorded malicious traffic coming from healthcare systems for 13 months, tallying:
OK – so healthcare organizations are sending malicious traffic. What’s the big deal?
The HIPAA network security requirements say healthcare organizations must ensure the confidentiality, integrity, and availability of electronic patient data and protect it from threats and hazards.
But if a healthcare network is sending malicious traffic, something on that network has very likely been compromised. An organization that has not detected and contained a compromise on its own network is not protecting electronic patient data against reasonably anticipated threats, which means it is almost certainly out of compliance with HIPAA IT requirements.
Healthcare IT security providers who want more clients should help prospects understand that a network is more than desktops and servers.
A healthcare network includes a wide range of devices beyond desktops and servers, and according to the SANS report many of them are compromised:
This chart shows the distribution of malicious traffic sources detected inside healthcare networks. Notice that the fourth largest source is “radiology imaging software.”
How many healthcare providers even realize that medical devices and radiology software can be hacked? The HIPAA Security Rule requires a risk analysis covering every system that stores, processes or transmits electronic patient data, and these systems belong on that list and should be locked down accordingly.
Healthcare IT providers should help potential clients understand that any device connected to the network can be a route for hackers to break in and steal electronic patient health data.
A jaw-dropping 56% of malicious events from healthcare organizations came from or passed through network edge devices such as firewalls, routers, and VPN systems.
While this may indicate that healthcare security devices themselves are compromised, a far likelier explanation is that the devices are misconfigured, or are simply passing traffic from a compromised host inside the network without inspecting or blocking it.
Norse sensors sit outside these networks and see only the public address the edge device presents after network address translation, so the edge device was recorded as the source when it was merely the middleman. Only the edge device's own connection or NAT logs can tie such an event back to the internal host that actually generated it.
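The following is an added example, not code from the SANS report, Norse, or the original post, showing how a responder would turn an external sighting of "our firewall's public IP attacked host X" into the name of the internal host behind the NAT. The firewall NAT log format, the sighting feed format, the IP addresses and the timestamps are all constructed for the illustration; a real firewall's connection log will have a different layout, but it will carry the same fields (time, original source, translated source, destination), and the join is the same.

```python
"""Attribute externally observed malicious traffic to the internal host behind NAT.

An outside sensor sees only the edge device's public address. The edge device's
own NAT/connection log holds the translation back to the internal host. This
script joins the two on (public IP, translated source port, destination) within
a small time window, because source ports are reused over time.

Log formats and sample data below are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical firewall NAT log line (constructed format, not any vendor's).
NAT_RE = re.compile(
    r"(?P<ts>\S+) nat: src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"-> (?P<nat>[\d.]+):(?P<nport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Hypothetical external sensor sighting line (constructed format).
SIGHT_RE = re.compile(
    r"(?P<ts>\S+) sighting: src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class NatRecord:
    ts: datetime
    src_ip: str      # internal host before translation
    nat_ip: str      # public address after translation
    nat_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Sighting:
    ts: datetime
    src_ip: str      # public address as the sensor saw it
    src_port: int
    dst_ip: str
    dst_port: int


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(lines):
    """Parse NAT log lines; unrelated lines are skipped rather than raising."""
    records = []
    for line in lines:
        m = NAT_RE.match(line.strip())
        if m:
            records.append(NatRecord(_ts(m["ts"]), m["src"], m["nat"],
                                     int(m["nport"]), m["dst"], int(m["dport"])))
    return records


def parse_sightings(lines):
    sightings = []
    for line in lines:
        m = SIGHT_RE.match(line.strip())
        if m:
            sightings.append(Sighting(_ts(m["ts"]), m["src"], int(m["sport"]),
                                      m["dst"], int(m["dport"])))
    return sightings


def attribute(nat_records, sightings, window=timedelta(seconds=10)):
    """Map each sighting to the internal host whose translation matches it.

    Returns a dict sighting -> internal IP, or None when no translation exists
    in the window (the edge device itself originated it, or the log has a gap).
    """
    index = {}
    for r in nat_records:
        index.setdefault((r.nat_ip, r.nat_port, r.dst_ip, r.dst_port), []).append(r)
    result = {}
    for s in sightings:
        best = None
        for r in index.get((s.src_ip, s.src_port, s.dst_ip, s.dst_port), []):
            delta = abs((s.ts - r.ts).total_seconds())
            # Ports are reused, so take the translation closest in time.
            if delta <= window.total_seconds() and (best is None or delta < best[0]):
                best = (delta, r.src_ip)
        result[s] = best[1] if best else None
    return result


def summarize(attribution):
    """Count sightings per internal host; the None bucket is what still needs work."""
    return Counter(attribution.values())


# Constructed sample data: two internal hosts, one of which talks repeatedly to
# a sensor on port 445; one sighting has no matching translation at all.
SAMPLE_NAT_LOG = [
    "2014-02-11T03:14:07Z nat: src=10.20.5.41:51234 -> 198.51.100.7:40211 dst=203.0.113.9:445",
    "2014-02-11T03:14:09Z nat: src=10.20.7.12:49822 -> 198.51.100.7:40212 dst=203.0.113.44:443",
    "2014-02-11T03:15:30Z nat: src=10.20.5.41:51240 -> 198.51.100.7:40219 dst=203.0.113.9:445",
    "2014-02-11T03:15:31Z kernel: unrelated line that the parser must ignore",
]
SAMPLE_SIGHTINGS = [
    "2014-02-11T03:14:08Z sighting: src=198.51.100.7:40211 dst=203.0.113.9:445",
    "2014-02-11T03:15:31Z sighting: src=198.51.100.7:40219 dst=203.0.113.9:445",
    "2014-02-11T03:16:00Z sighting: src=198.51.100.7:40900 dst=203.0.113.9:445",
]


def demo():
    """Run the join over the constructed sample and return the per-host summary."""
    return summarize(attribute(parse_nat_log(SAMPLE_NAT_LOG), parse_sightings(SAMPLE_SIGHTINGS)))


if __name__ == "__main__":
    for host, count in demo().items():
        print(f"{host or '<unattributed: edge device or log gap>'}: {count} sighting(s)")
```

On the constructed sample, both port-445 sightings resolve to the same internal host, and the third sighting stays unattributed; that last bucket is the one to chase, because it means either the edge device itself generated the traffic or the logging needed to prove otherwise does not exist.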
Small organizations of all types, healthcare and otherwise, tend to neglect network security. Many assume they are too small for hackers or regulators to target.
Healthcare IT service providers can help dispel this myth with this chart:
SANS estimates that roughly 33% of the provider organizations observed by the Norse network are small providers, either individual practices or groups with fewer than 10 providers.
A clear need exists for improved healthcare IT security at small organizations, particularly to meet HIPAA network security requirements.
Small, local doctors can no longer ignore this problem – because hackers are no longer ignoring them.