Today the CEO of Colonial Pipeline explained to Congress why he decided to pay $4.4 million in ransom to the cyber criminals who took down a pipeline supplying 45% of the East Coast’s fuel. He also explained that the attack succeeded because of an oversight in their cybersecurity defenses.
Successful achievers would never skip the fundamentals to save time, or for convenience. Tennis players, chefs, doctors and musicians study and practice the fundamentals every day until they become second nature. Cybersecurity is no different. By their own admission, Colonial Pipeline’s ransomware attack happened because fundamental security safeguards were ignored. In healthcare, a HIPAA Risk Analysis would have uncovered a similar oversight.
While news this week also revealed that the Justice Department was able to retrieve about half of the ransom Colonial Pipeline paid, the costs of the attack went way beyond the ransom. The investigation costs, pipeline downtime, business interruption, legal expenses, PR consulting costs and market disruptions all added up. All were preventable.
Seizure of the ransom proceeds is good news but shouldn’t give false hope that cybersecurity concerns are lessening. FBI Deputy Director Paul M. Abbate has issued a statement on the seizure of the ransom proceeds.
According to a security investigator who looked at the Colonial Pipeline incident, criminals exploited a compromised password published on the Dark Web to gain access to an old virtual private network (VPN) of Colonial that was active but seldom used. And access to the VPN did not require multi-factor authentication, so two levels of defense were compromised. The attack was easy.
HIPAA Security Rule Fundamentals
HIPAA Security Rule safeguards would have prevented the Colonial hack.
The Security Rule requires covered entities and business associates to implement security measures consisting of appropriate Administrative, Physical and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
The Security Rule checklist contains all the questions needed to uncover gaps and risks in cyber defense. There is no wrong answer, because every answer guides next steps on getting more secure.
HIPAA Risk Analysis Goes Beyond Software and Hardware
The place to start is Risk Analysis – an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by your organization. However, a common security risk analysis error is to focus too heavily on software and hardware security controls. A thorough Risk Analysis must review compliance with all Security Rule standards and implementation specifications. For example, flawed password management, a Security Rule administrative safeguard, played a key role in the Colonial hack.
Security awareness and training, authorization and supervision of workforce members, and periodic technical and non-technical evaluations to determine the effectiveness of the organization’s HIPAA policies and procedures are essential administrative safeguards that must be assessed. Your workforce is your first line of cyber defense, and untrained or poorly supervised employees are your weakest link.
Risk Management is Ongoing
After the Risk Analysis is finished, the Risk Management Plan takes over. HIPAA compliance and protecting your organization is an ongoing process. Basically, it boils down to the following:
- Follow fundamentals, like access controls, password management and multi-factor authentication
- Address risks specific to your organization
- Train workforce to follow security policies and procedures
- Be alert for Phishing and Spear Phishing
- Update and patch systems
- Dispose of unused or legacy systems
- Document and follow your HIPAA compliance plan
If you follow the fundamentals and stay with it all year round, HIPAA compliance becomes second nature. You can prevent the unthinkable and avoid paying criminals or losing patients’ trust.