Doing the right thing or merely demonstrating compliance with requirements is hard to do when knowledge of expected or necessary requirements is missing or not sufficient. In such a situation, it becomes harder to fault individuals for the resulting missteps or violations. Unfortunately, lack of awareness is a primary issue plaguing security efforts in healthcare.
A recent study conducted by Kaspersky of healthcare organizations in the United States and Canada uncovered some fairly startling figures. Key finds from the study include the following:
- 34% of respondents were not aware of their organization’s cybersecurity policies with that percentage evenly split between respondents saying they should know about such policies if they exist or there is no need for aware
- 17% of respondents thinking that there is no need to be aware of cybersecurity policies should be a major red flag. When it comes to healthcare data, every single individual in an organization has an important role to play with regard to security. Apathy will likely quickly lead to a breach.
- 44% of respondents have not received cybersecurity-related training. If that figure, 25% thought they should have received training and 19% said training was not necessary.
- The portion of respondents that think training is not necessary is another red flag. From the healthcare perspective, every individual employed by a covered entity must be trained since annual training is an obligation imposed by HIPAA. Regardless of whether an individual believes training is needed, it should not be skipped both from a practical and compliance perspective.
- The last area addressed was awareness of IT device protections, which resulted in a relatively positive response rate. The majority of respondents were aware of security measures with the level of awareness varying depending on role.
What do all of the answers mean? That a serious deficiency exists in healthcare when it comes to taking security issues seriously. Despite the constant stream of breach reports and notifications, if individuals do not consider security to be under attack, then appropriate actions to avoid issues will not be taken.
What could be done to better drive home the message? Some may argue for increased enforcement actions by the Office for Civil Rights or attorneys general on the HIPAA front. Those are the two agencies that can bring actions directly under HIPAA. However, the actual number of enforcement actions is vastly dwarfed by the number of incidents. Lack of training has been cited in some settlements, but missing risk analyses are more often identified as areas of fundamental non-compliance. It is possible that the threat of monetary pain could spur greater action. The question though is at what level of an organization would that action occur? A typical rank and file individual within an organization may not perceive the risk of enforcement as something that relates to them, instead of thinking it is an issue that the organization is responsible for. While that perception is likely accurate in terms of who will pay a potential fine, the fine would be the result of inaction or inappropriate action by an individual. From that perspective, the burden is still pushed to the organizations to appropriately inform individuals of the risks and why security awareness is important.
Another means of “enforcement” may be lawsuits based upon state law initiated by those impacted by a security failure. In fact, class actions frequently arise after a large data breach is reported, with such suits now following within days at times. However, the ability for such a suit to succeed is very dependent upon the state law of the location where an incident occurs. a primary gating issue is what form of damages need to be asserted. The question specifically centers upon whether actual damages need to be established or whether potential future harm from the disclosure of information is enough. As already stated, the answer to that question is state-specific. As with government enforcement though, individuals within an organization will not necessarily bear the repercussion of a lawsuit though. Again, the organization will be named and on the hook.
If enforcement is not a clear path, what about changing the culture in an organization? Culture focuses on expectations, self-driving actions, and more to acknowledge responsibility and to proactively work to improve security. Arguably, culture could be a lynchpin for true strides forward in security. If all individuals in an organization support and consider security, then efforts can feed upon themselves and grow beyond the expectations of the initial architects. Further, a culture of security is self-sustaining and will push outward without requiring such concerted and artificial feeling efforts.
There is no doubt that the study from Kaspersky is concerning. However, it can also be a wake-up call and provide the means for a call to action. Wil that call be answered? Hopefully yes.