Systemic non-compliance: the root cause of pain for healthcare organizations

Tommy Abraham jpg

Tommy Abraham

Senior Director of Healthcare Assurance, Coalfire

Blog Images 2022 Healthcare tech tile

Recently, I was fortunate enough to experience the joys of becoming a father as my wife and I welcomed our first child into the world. It was one of the most beautiful experiences of my life and I’m grateful for the advances we have made in modern medicine and technology. I mention this personal anecdote to provide context for what I witnessed about the data security challenges that have existed for years in the healthcare industry and are still pervasive today.

Healthcare organizations have faced information security challenges for as long as I can remember. And there’s no other industry that associates such dire consequences to the loss of the availability and integrity of sensitive data while at the same time mandating that confidentiality is paramount for federal compliance. It can be a matter of life and death if a healthcare provider can’t access critical data, and it’s even more concerning if that data isn’t accurate. Additionally, unauthorized disclosure of data can lead to punitive damages in the form of civil and criminal penalties that may put an organization out of business. Quite the conundrum, in my opinion.

I’ll use my recent hospital experience to underscore that the challenges in the healthcare industry that persist today remain the fundamental issues that have faced the healthcare industry for decades. Watching the number of individuals who accessed my wife’s electronic protected health information (ePHI) during our hospital stay was dizzying. To see nurses and doctors jumping between written charts and the electronic health record (EHR) to access data needed to identify potential health risks or concerns reminded me of the conundrum. I played out the scenarios and consequences of not just human error in the interpretation of the data, but the integrity of the source information that was preserved digitally in the EHR.

So many of the discussions I have with clients revolve around developing compliance programs that address regulatory risk. When you look at the Office for Civil Rights’ (OCR) recent enforcement penalty announcements, the causes of breaches and data compromise have largely been attributed to systemic non-compliance at a governance level. Common vulnerabilities at healthcare organizations are associated with the use of disruptive technology, and the lack of protocols and processes that keep those technologies protected. Couple that with the organization’s need to innovate without allowing time for the critical step of embedding security in the development phase, and you have a recipe for exploitation.

When the root cause of elevated risk isn’t appropriately addressed with the necessary compensating controls and governance, it typically leads to data compromise. One timely example is ransomware, which has heavily manifested itself with healthcare organizations where data availability and timing can mean the difference between life and death. Ransomware seeks out sensitive information and encrypts the source data, so an organization or individual does not have access to that information for patient care. The threat actor then asks the organization or individual to pay for their data to be unencrypted.

Organizations have responded by incorporating replication of data as a failover in the event their production environment is compromised. This tactic can be an effective compensating control, but it doesn’t address the root cause of the vulnerability. One solution is to develop a defense strategy around HIPAA Implementation Specification 164.308(a)(5)(ii)(B): Protection from Malicious Software. This compliance obligation states that individuals should be trained on the procedures developed by an organization to guard against, detect, and report malicious software. This is a defense-in-depth strategy that needs to be critically developed and documented with a risk-based approach. Organizations that are not focused on their compliance obligations coupled with a risk-based approach are potentially not displaying “due care” and could be viewed as negligent within the HIPAA Security Rule.

This example of non-compliance also gives threat actors an opportunity to take control of the information for a different purpose – unauthorized disclosure of ePHI. Unauthorized disclosure of ePHI is in direct violation of the confidentiality expectation mandated by HIPAA. The consequences of unauthorized disclosure could result in brand reputation damage and corrective action plans that may cost an organization millions of dollars in the long run.

This scenario raises some important questions:

  • Why don’t healthcare organizations take more of a risk-based approach to protecting assets?
  • Why do organizations focus on the protectionary measures in place from a controls-based perspective and not from the data-centric approach of appropriate data classification and protection?
  • Why aren’t organizations looking at data as their primary asset?

It isn’t that organizations consciously want to practice negligence, it’s more that they don’t understand the consequences of looking at HIPAA as a control-based framework instead of a federally mandated law and obligation around the protection of the data itself, based on risk.

As previously mentioned, organizations that suffer the consequences of non-compliance with the HIPAA Privacy and Security Rules are included in the publicly announced breaches on the OCR breach portal. Each was found to be non-compliant in areas that map back to the design and execution of governance, or in my opinion, systemic non-compliance in how they created, received, maintained, or transmitted PHI. Several of the breaches were attributed to non-compliance with the HIPAA Security Rule. Thirteen of the published corrective action plans, defined in the 2020 resolution agreements on the U.S. Department of Health & Human Services’ (HHS) website, reference non-compliance with the following:

  • Not conducting an accurate and thorough risk analysis on how ePHI was being protected.
  • Ineffective design and implementation of an appropriate risk management program to address weakness found in governance.
  • Ineffective design and execution of appropriate business associate agreements to manage external relationships with business partners and vendors that receive ePHI.
  • Not defining appropriate privacy and security training and awareness material around the safeguarding of ePHI.
  • Not deploying encryption sufficiently on devices that contain ePHI.
  • Not providing patients with the ability to access their data within a reasonable period.
  • Not applying appropriate sanctions to employees that violate policy and procedures around protection of ePHI.

These findings highlight the importance of developing and building a governance posture that effectively manages the identified risks to an organization’s most valuable commodity, its data. The specific violations show the systemic non-compliance that must be addressed for the healthcare industry to provide patients with the confidence that their ePHI is protected.

I can confidently say that protecting ePHI took on a whole new meaning for me the moment I filled out my child’s name on the official birth documentation. That was the creation of a new set of ePHI to protect that has become the most important data in my life.

Note: 2020 resolution agreements on the U.S. Department of Health & Human Services (HHS) website reference: