Dark Devices Undermine HIPAA Compliance and How to Regain Visibility

By: Kevin Golas | 10/31/2017

Data breaches in healthcare continue to be a growing issue. Healthcare organizations, often large and distributed, are encumbered by legacy systems, inadequate security budgets and an increasing threat landscape that complicates an already complex system. Faced with these challenges, it is increasingly important that healthcare organizations make the most of existing security investments and that new investments can prove their worth.

Forrester’s Chris Sherman recently talked about the pitfalls of adding more depth to the security stack without adequate visibility, a scenario that often yields no noticeable improvement in security. Greater visibility into the health and efficacy of security layers not only strengthens security posture, it’s a key element of compliance with the Health Insurance Portability and Accountability Act (HIPAA).

The Burden of Proof for HIPAA Compliance

Many organizations assume that deploying security technologies to the endpoint ensures that they are compliant with HIPAA requirements, when in reality there are unseen cracks in security leading to ‘dark’ endpoints. Thanks to our persistent oversight of over a billion endpoint devices, we know that nearly 20% of endpoints are ‘dark’: they lack the critical applications needed to manage risk and compliance. We have found that nearly 10% of endpoints lack the required encryption solutions and a further 5% do not ‘report in’ for security and compliance tracking.

Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.

It is for this reason that the Department of Health and Human Services (HHS) requires covered entities to specify “technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals,” through encryption, destruction, or both. Under HIPAA regulations, organizations must choose an encryption method consistent with NIST guidelines. It falls to healthcare organizations to supply proof of encryption or proof of destruction of electronic PHI in order to avoid breach notification.

So, the question remains: how do you maintain 100% compliance when you can’t see an average of 20% of your endpoints? How do you validate your data security at the exact moment of an incident? Your dark endpoints are a breeding ground for data breaches, placing your organization at risk of regulatory penalties, negative brand and reputational impact, and the high cost of attempting to prove compliance.
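As an added illustration, not code from Absolute or from this post, here is a defender-side check that reconciles a constructed endpoint inventory against the three conditions the text uses to define a ‘dark’ device: missing encryption, missing security agent, and failure to report in. The record fields, the hostnames and the seven-day check-in threshold are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    hostname: str
    disk_encrypted: bool            # full-disk encryption reported as enabled
    agent_installed: bool           # required security/compliance agent present
    last_checkin: Optional[datetime]  # last time the device reported in, or None


def classify(ep: Endpoint, now: datetime,
             max_silence: timedelta = timedelta(days=7)) -> List[str]:
    """Return the reasons an endpoint counts as 'dark'; an empty list means compliant."""
    reasons = []
    if not ep.disk_encrypted:
        reasons.append("no encryption")
    if not ep.agent_installed:
        reasons.append("agent missing")
    if ep.last_checkin is None or now - ep.last_checkin > max_silence:
        reasons.append("not reporting in")
    return reasons


def dark_report(endpoints: List[Endpoint], now: datetime) -> Dict:
    """Summarise coverage gaps across the whole inventory, as an auditor would."""
    findings = {ep.hostname: classify(ep, now) for ep in endpoints}
    dark = {host: why for host, why in findings.items() if why}
    total = len(endpoints)
    pct = lambda n: round(100.0 * n / total, 1)
    return {
        "dark": dark,
        "dark_pct": pct(len(dark)),
        "unencrypted_pct": pct(sum("no encryption" in w for w in dark.values())),
        "silent_pct": pct(sum("not reporting in" in w for w in dark.values())),
    }


# Constructed sample inventory (hypothetical hosts, not real data).
NOW = datetime(2017, 10, 31)
INVENTORY = [Endpoint(f"ws{i:02d}", True, True, NOW - timedelta(days=1)) for i in range(1, 11)]
INVENTORY[2] = Endpoint("ws03", False, True, NOW - timedelta(days=1))   # unencrypted
INVENTORY[3] = Endpoint("ws04", True, False, None)                      # agent gone, never reports
INVENTORY[4] = Endpoint("ws05", True, True, NOW - timedelta(days=30))   # stopped reporting
REPORT = dark_report(INVENTORY, NOW)

if __name__ == "__main__":
    for host, why in REPORT["dark"].items():
        print(f"{host}: {', '.join(why)}")
    print(f"dark: {REPORT['dark_pct']}%  unencrypted: {REPORT['unencrypted_pct']}%  silent: {REPORT['silent_pct']}%")
```

A device that appears in the asset inventory but never in the agent's reporting roster is exactly the case the percentages in the text describe; the report above surfaces it with a reason rather than letting it disappear from the compliance view.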

Mitigate Patient Healthcare Data Breaches and Fines with Uncompromised Visibility and Cybersecurity Automation

Absolute gives you the only self-healing endpoint security solution designed to meet the high standards of healthcare providers and meet the stringent audit requirements of HIPAA compliance. Absolute's cloud-based platform puts healthcare IT and security professionals in total command of devices, data and applications - whether on or off the network - to enhance IT asset management, protect sensitive data, reduce insider threats, and ensure compliance.

With Application Persistence, you can now extend our self-healing capability to be a force multiplier for your entire security stack, from encryption to malware protection, providing the always-on, always-there visibility you need to prove compliance. Our healthcare solution includes the support of certified Healthcare Information Security and Privacy Practitioners (HCISPP) and ASIS-Certified Protection Professionals (CPP) on the Absolute Investigations team to help you determine whether, and when, a breach notification is required.

With Absolute’s Compliance solutions, you can audit your security readiness in just a few clicks. Get started here.
