The recent ransomware attacks such as Wannacry have highlighted the need for robust security controls in healthcare firms.  These organizations are subject to HIPAA/HITECH compliance requirements, but unfortunately many firms just seem them as a distraction.  This is a big mistake: The controls typically implemented for HIPAA/HITECH shouldn’t be regarded as useless “check the boxes” distractions.  Done right, they go a long way toward true risk management for covered entities.

One of the most problematic security tasks for covered entities is the detection of threats that have evaded perimeter defenses. The wide variety of systems and people on internal networks makes it extremely difficult to keep attackers out of the environment. However, the HIPAA Security Rule requires attack detection and containment capabilities as one of the Administrative Safeguards:

“A covered entity…must….implement policies and procedures to prevent, detect, contain, and correct security violations”.  [HIPAA, 164.308 (a)]

The updated audit protocol issued by Health and Human Services in April 2016 specifically includes auditing of this safeguard as a required element. But even if you’re not worried about being audited, you should be taking a hard look at how you are implementing this control.  A weak detection effort can easily result in a breech that would trigger notification, and a lot of (very unpleasant) scrutiny and second-guessing.

Another valuable aspect of internal threat detection is its relevance for risk assessment. HIPAA provides a degree of latitude with respect to public notification: If you have data that shows the risk of a breech is low, you can avoid notification.  This begs the question: How can you possibly reach such a conclusion if you don’t have robust systems in place to detect internal compromise? 

The Acalvio Advantage for HIPAA Compliance

Acalvio’s ShadowPlex Deception solution is perfectly suited to organizations seeking HIPAA compliance. Since ShadowPlex allows organizations to deploy realistic deceptions at scale and in a cost effective manner, it alleviates the limitations of earlier generation, “Deception 1.0” Solutions.

The solution delivers four key benefits:

  1. Early detection of malicious activity that has penetrated the perimeter, with high fidelity (that is, low false positives)
  2. The ability to inhibit attackers and slow their efforts to compromise critical systems
  3. Intelligence gathering on the attacker (modes of operation, potential data exposure, and spread within the network)
  4. Internal threat intelligence and enhanced visibility of network & system activity

These benefits map to 13 controls in the HIPAA Security Rule, in particular those related to malware detection and inhibition, data protection, and risk assessment.  For a complete list, check out our HIPAA Compliance Whitepaper.

We’ve talked about Acalvio’s Deception 2.0 advantages in previous blogs, but one thing is worth repeating because it’s particularly relevant to healthcare covered entities: Service Reflection.   Credible deception in healthcare is hard because there are so many industry-specific systems on the internal network, and if the deception solution can’t blend in with them, a savvy attacker will spot the ruse.  Service Reflection lets you take a single specialized system or application and clone it into hundreds of decoys, making it easy to create a deception posture that looks credible and stays credible over time.