
HHS says Security and Compliance Require Actions, then Policies

by Mike Semel, President, Semel Consulting

The common-sense, scalable, and actionable cybersecurity guidance recently released by the US Department of Health and Human Services (HHS) lays out concrete steps healthcare organizations should take to secure their data. The voluntary recommended practices are broken into separate volumes for small organizations and for medium/large organizations, and they are mapped to the NIST Cybersecurity Framework (CSF), which is recommended for all businesses.

This guidance looks at top threats against healthcare organizations, including phishing e-mails, ransomware, loss/theft of devices or data, insider threats, and connected medical devices. Cybersecurity practices to prevent each are clearly defined and broken down into understandable steps.

The very LAST step is Policies, which most organizations want to do FIRST. When I was the Chief Information Officer for a hospital it took months to create policies and get them approved by management and the board. Compliance officers, administrators, and attorneys love working on policies, but doing policies first wastes time and energy focused on wording, revisions, bureaucracy and politics. Meanwhile, data sits unprotected.

Worse, having HIPAA policies does not mean you are following them. Based on hundreds of HIPAA assessments I have led, organizations too often relax because they have written policies while their actual IT practices violate them every day, putting patient data at high risk.

Why? Because the administrators have told me that they assume if it is policy, then everyone just follows it. Or they are told the HIPAA policies are being followed. Or they don’t bother to internally audit compliance with their policies. Or they lack the tools to provide accurate evidence of compliance.

Usually it is all the above.

We have evaluated hundreds of organizations that have approved HIPAA password policies requiring password changes. Our findings, 99.9% of the time, identified people with passwords set to never expire. Sometimes the EHR system forces password changes, but users don’t have to change their network login which gives them access to Protected Health Information (PHI) in local files.

Even though termination policies prohibited former workforce members from being able to access the network, we found enabled users – many with passwords set to never expire – with access years after they had left the organization. Some were former vendors that missed getting removed because they weren’t terminated through HR.
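The two findings above (passwords set to never expire, and enabled accounts belonging to people who have left) are exactly the kind of thing an organization can check for itself instead of assuming the policy is followed. The following is an added example, not part of the article or of the HHS guidance: it audits a user-account export against a written password and termination policy and produces a list of violations that can serve as compliance evidence. The CSV column layout, the policy values (90-day password maximum, 90-day inactivity window) and the HR-supplied `employment_status` column are assumptions; the sample rows are constructed.

```python
"""Audit a user-account export against written password and termination policies.

Added example (not from the article). Assumptions: the export is a CSV with the
columns below (as a directory dump joined with an HR status feed might look),
and policy limits are given in days.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export. Dates are ISO; booleans are the strings True/False.
SAMPLE_EXPORT = """\
username,enabled,password_never_expires,password_last_set,last_logon,employment_status
jdoe,True,False,2024-01-15,2024-03-01,active
asmith,True,True,2019-06-02,2024-02-28,active
rjones,True,True,2018-11-20,2021-05-04,terminated
vendor01,True,False,2022-07-01,2022-09-30,contractor_ended
mlee,False,True,2017-03-09,2019-01-11,terminated
"""

# Assumed policy values; substitute the organization's own written policy.
POLICY = {"max_password_age_days": 90, "inactive_days": 90}


def _parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def parse_export(text):
    """Turn the CSV export into typed account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"] == "True",
            "password_never_expires": row["password_never_expires"] == "True",
            "password_last_set": _parse_date(row["password_last_set"]),
            "last_logon": _parse_date(row["last_logon"]),
            "employment_status": row["employment_status"],
        })
    return accounts


def audit_accounts(accounts, policy, today):
    """Return (username, reason) pairs for every enabled account that violates policy.

    Disabled accounts are skipped: they cannot log in, so the password and
    termination policies are about accounts that are still enabled.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        # Password policy: "passwords must change" is violated outright by the
        # never-expires flag, and otherwise by a password older than the maximum.
        if a["password_never_expires"]:
            findings.append((a["username"], "password set to never expire"))
        elif (today - a["password_last_set"]).days > policy["max_password_age_days"]:
            findings.append((a["username"], "password older than policy maximum"))
        # Termination policy: anyone HR does not list as active should be disabled.
        if a["employment_status"] != "active":
            findings.append((a["username"],
                             "enabled account for departed workforce member or vendor"))
        # Stale logon catches departed people HR never reported (e.g. vendors).
        if (today - a["last_logon"]).days > policy["inactive_days"]:
            findings.append((a["username"],
                             "enabled account not used within inactivity window"))
    return findings


def violating_users(findings):
    """Distinct usernames with at least one finding, for the summary report."""
    return sorted({u for u, _ in findings})


if __name__ == "__main__":
    report = audit_accounts(parse_export(SAMPLE_EXPORT), POLICY, date(2024, 3, 15))
    for user, reason in report:
        print(f"{user}: {reason}")
    print(f"{len(violating_users(report))} enabled accounts violate policy")
```

Run against a real export, the output is the evidence the article says most organizations lack: a dated list of which enabled accounts contradict the written policy. The inactivity check is deliberately separate from the HR status check, because the vendor accounts the article describes were never terminated through HR and would only show up as long-unused logins.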

We see policies that require security patches and updates to be applied to computers and servers; policies requiring anti-virus protection on all computers; policies requiring data to be stored on secure servers instead of local computers; and encryption policies.

Yet we almost always find that systems are unprotected, with data in places where it isn’t encrypted, isn’t backed up, and isn’t physically secured against theft. This is in spite of a book of policies that says each of these shouldn’t happen. Executives are shocked when we show them that unprotected PHI is all over the place.

Even after organizations address the issues we identified during their assessments, we see some of the same problems reoccur within a year or two.

The HHS guidance consists of four documents:

The first three documents include step-by-step procedures that should be implemented to secure data. The last document, Resources and Templates, includes sample policy templates and incident reporting forms.

Right where they belong. Last.