HITRUST lacking and failing adoption


Over the last several weeks we have been receiving reports, through our analytics platform, of health organizations being breached. What these organizations fail to realize is that in some cases we can tell where leaked data (shared on the dark web, traded in hacking forums, posted publicly or otherwise disclosed) originates, based on IP address information. In the previous week alone we observed no fewer than three healthcare organizations for which we could confirm the data being presented; others in the security industry have also examined the data and validated that it was current (recently acquired) and that it belonged to existing customers of the providers.
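The attribution described above, tying a leaked record back to a provider through the IP addresses it carries, amounts to matching those addresses against the address space known to belong to each organization. The following is an added illustration of that check, written for this page and not taken from Jigsaw's platform; the provider names, the netblocks (documentation ranges) and the leaked records are all constructed, and the 60% dominance threshold is an assumed heuristic rather than anything the post states.

```python
import ipaddress
from collections import Counter

# Constructed sample: address space an analyst has attributed to each
# provider. These are RFC 5737 / RFC 3849 documentation ranges, not real
# assignments; the provider names are hypothetical.
KNOWN_NETBLOCKS = {
    "provider-a": ["203.0.113.0/24", "2001:db8:a::/48"],
    "provider-b": ["198.51.100.0/25"],
    "provider-c": ["198.51.100.128/25", "192.0.2.0/24"],
}

# Constructed sample of records as they might appear in a leaked dump.
# Only the source IP field matters to this check.
SAMPLE_RECORDS = [
    {"patient_ref": "r1", "src_ip": "198.51.100.130"},
    {"patient_ref": "r2", "src_ip": "198.51.100.131"},
    {"patient_ref": "r3", "src_ip": "192.0.2.44"},
    {"patient_ref": "r4", "src_ip": "192.0.2.45 "},      # stray whitespace
    {"patient_ref": "r5", "src_ip": "198.51.100.200"},
    {"patient_ref": "r6", "src_ip": "198.51.100.5"},     # provider-b
    {"patient_ref": "r7", "src_ip": "8.8.8.8"},          # not in any block
    {"patient_ref": "r8", "src_ip": "not-an-ip"},        # corrupted field
]


def build_index(netblocks):
    """Parse every CIDR once and order them longest-prefix first, so the
    most specific block wins when ranges nest."""
    index = []
    for org, ranges in netblocks.items():
        for cidr in ranges:
            index.append((ipaddress.ip_network(cidr, strict=True), org))
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def attribute_ip(ip_text, index):
    """Return the owning org name, 'unattributed' if no block matches, or
    'invalid' if the field does not parse as an IPv4/IPv6 address."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    for net, org in index:
        # Version check avoids comparing an IPv4 address against IPv6 blocks.
        if ip.version == net.version and ip in net:
            return org
    return "unattributed"


def attribute_dump(records, index):
    """Count how many records fall into each org's address space."""
    counts = Counter()
    for rec in records:
        counts[attribute_ip(rec.get("src_ip", ""), index)] += 1
    return counts


def likely_origin(counts, min_share=0.6):
    """Name an origin only when one org holds at least min_share of the
    attributable records; otherwise return None rather than guess."""
    attributable = Counter({k: v for k, v in counts.items()
                            if k not in ("invalid", "unattributed")})
    total = sum(attributable.values())
    if total == 0:
        return None
    org, n = attributable.most_common(1)[0]
    return org if n / total >= min_share else None


if __name__ == "__main__":
    idx = build_index(KNOWN_NETBLOCKS)
    c = attribute_dump(SAMPLE_RECORDS, idx)
    print(dict(c))
    print("likely origin:", likely_origin(c))
```

Treat the result as a lead, not proof: addresses in a dump may be shared NAT or cloud egress space, may have been reassigned since the data was captured, or may have been altered by whoever is selling it, so a match should be corroborated with the record contents and the provider's own logs before any notification decision is made.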

More often than not, what is occurring is that these providers are adopting cloud platforms such as Azure, AWS and others without understanding the data governance issues involved or how to secure the information there. All three of the entities we observed are HITRUST members, which leads us to believe that this "standard" of certification is broken when applied to offsite hosted environments. When the data is stored on the company's own servers it appears to be mostly adequately secured against theft, but once it is introduced into or migrated to cloud environments, a lack of understanding of cloud security results in theft and loss of customer information.

Even with HIPAA and HITECH in force and the HITRUST CSF in place, breaches are still happening and are not being reported as required by law. In many cases we doubt that the covered entities even realize their data has been lost. In some cases, according to a group of hackers on a popular P2P messaging platform, exposed development data provides the information needed to exploit the live (production) data.

The HITRUST CSF is the most popular framework in the healthcare industry for securing customer data. Recent reporting from SecurityWeek shows the same type of activity. We believe that the HITRUST model is not sufficient because it does not cover most of the non-IT elements that are being exploited to gain access to IT resources, and it also fails to address other technical attacks that are being overlooked. The MyCSF risk assessment tools are all based on automated risk detection, whereas many of the attack vectors in use are non-IT attack vectors.

Until HITRUST puts a full-scope coverage implementation design in place, we will continue to see HITRUST-certified organizations being breached and, worse, not reporting it when it has occurred.

#HITRUST


© 2017-2018 Jigsaw Security Enterprise Inc.
