
Forgotten Fundamentals Brought Down Pipeline

Today the CEO of Colonial Pipeline explained to Congress why he decided to pay $4.4 million in ransom to the cyber criminals who took down a pipeline supplying 45% of the East Coast’s fuel. He also explained that the attack succeeded because of an oversight in their cybersecurity defenses.

Successful achievers would never skip the fundamentals to save time, or for convenience. Tennis players, chefs, doctors and musicians study and practice the fundamentals every day until they become second nature. Cybersecurity is no different. By their own admission, Colonial Pipeline’s ransomware attack happened because fundamental security safeguards were ignored. In healthcare, a HIPAA Risk Analysis would have uncovered a similar oversight.

While news this week also revealed that the Justice Department was able to retrieve about half of the ransom Colonial Pipeline paid, the costs of the attack went way beyond the ransom. The investigation costs, pipeline downtime, business interruption, legal expenses, PR consulting costs and market disruptions all added up. All were preventable.

Seizure of the ransom proceeds is good news but shouldn’t give false hope that cybersecurity concerns are lessening. Read a statement from FBI Deputy Director Paul M. Abbate about seizure of the ransom proceeds here.

According to a security investigator who looked at the Colonial Pipeline incident, criminals exploited a compromised password published on the Dark Web to gain access to an old virtual private network (VPN) of Colonial that was active but seldom used. And access to the VPN did not require multi-factor authentication, so two levels of defense were compromised. The attack was easy.

HIPAA Security Rule Fundamentals

HIPAA Security Rule safeguards would have prevented the Colonial hack.

The Security Rule requires covered entities and business associates to implement security measures consisting of appropriate Administrative, Physical and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

The Security Rule checklist contains all the questions needed to uncover gaps and risks in cyber defense. There is no wrong answer, because every answer guides next steps on getting more secure.

HIPAA Risk Analysis Goes Beyond Software and Hardware

The place to start is Risk Analysis – an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by your organization. However, a common security risk analysis error is to focus too heavily on software and hardware security controls. A thorough Risk Analysis must review compliance with all Security Rule standards and implementation specifications. For example, flawed password management, a Security Rule administrative safeguard, played a key role in the Colonial hack.

Security awareness and training, authorization and supervision of workforce members, and periodic technical and non-technical evaluations to determine the effectiveness of the organization’s HIPAA policies and procedures are essential administrative safeguards that must be assessed. Your workforce is your first line of cyber defense, and untrained or poorly supervised employees are your weakest link.

Risk Management is Ongoing

After the Risk Analysis is finished, the Risk Management Plan takes over. HIPAA compliance and protecting your organization is an ongoing process. Basically it boils down to the following:

  • Follow fundamentals, like access controls, password management and multi-factor authentication
  • Address risks specific to your organization
  • Train workforce to follow security policies and procedures
  • Be alert for Phishing and Spear Phishing
  • Update and patch systems
  • Dispose of unused or legacy systems
  • Document and follow your HIPAA compliance plan

If you follow the fundamentals and stay with it all year round, HIPAA compliance becomes second nature. You can prevent the unthinkable and avoid paying criminals or losing patients’ trust.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
