Health Care Data Security Generally Sucks: HIPAA & HITECH Act Blog by Jonathan P. Tomes

A recent study by Forescout Technologies, Inc., an internet of things (“IoT”) company in San Jose, California, concluded that the health care industry’s data security is in a sorry state. The study involved 75 global health care entities using more than 1.5 million devices on 10,000 virtual local area networks. The study concluded that the health care industry is overly reliant on legacy software, extensively uses vulnerable protocols, and fails to properly secure medical devices. For the complete report, go to

As to legacy software, the report noted that the majority of the 1.5 million devices were running on legacy systems and that 75 percent of them had operating systems approaching end-of-life, including Windows 7, Windows 2008, and Windows Mobile. As of January 2020, these operating systems will no longer be supported.

The study also revealed the security risks inherent in the rapid deployment of internet of medical things (“IoMT”) devices, such as infusion pumps, patient monitors, tracking tools, and imaging systems, which greatly expand the attack surface, and found that those surveyed often had not adequately mitigated these increased risks.

Additionally, the study showed that 40% of deployments of these devices used more than 20 different operating systems, that 41% of the platforms used a variety of mobile, network, and embedded infrastructure, and that 34% had more than 100 vendors connected to the network.

This variety of devices and operating systems makes patching an immense task, especially because taking medical devices offline can jeopardize medical care.

The report concludes the following:

“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture . . . . A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”

What would the survey have found if you had been included? How secure are you, really? Your in-house systems? All of your IoMT devices? Your legacy system(s)? Anything else that you may be connected to?
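One way to answer those questions for your own fleet is to compute the same metrics the study reported (share of devices on an approaching-end-of-life OS, number of distinct operating systems, number of connected vendors) over your asset inventory and record the result in your risk analysis. The script below is an added example, not code from this post or from Forescout; it assumes an inventory export with `ip`, `vlan`, `vendor` and `os` columns (the sample rows are constructed), and it takes the three end-of-life operating systems, the January 2020 cut-off, and the 20-OS and 100-vendor figures from the post.

```python
"""Compute the device-fleet metrics the Forescout study reported over an inventory export.

Added example; assumes an inventory CSV with ip, vlan, vendor and os columns.
"""
import csv
import io
from collections import Counter
from datetime import date

# Operating systems the post names as approaching end-of-life, with the
# January 2020 support cut-off it cites (taken as the first of that month).
# Names are matched as prefixes of the inventory's os field; extend as needed.
EOL_OS = {
    "Windows 7": date(2020, 1, 1),
    "Windows 2008": date(2020, 1, 1),
    "Windows Mobile": date(2020, 1, 1),
}

# Fleet-diversity figures the study reported for its most fragmented deployments.
OS_FAMILY_THRESHOLD = 20
VENDOR_THRESHOLD = 100

# Constructed sample inventory; none of these are real devices or vendors.
SAMPLE_INVENTORY = """\
ip,vlan,vendor,os
10.0.1.10,110,Acme Pumps,Windows 7
10.0.1.11,110,Acme Pumps,Windows 7
10.0.1.12,110,Imagix,Windows 2008 R2
10.0.2.20,120,Monitrix,Embedded Linux 4.9
10.0.2.21,120,Monitrix,Windows Mobile 6.5
10.0.2.22,120,Tracko,VxWorks 6.9
10.0.3.30,130,Workstation Co,Windows 10
10.0.3.31,130,Workstation Co,Windows 10
"""


def eol_date(os_name):
    """Return the end-of-support date for os_name, or None if it is not a listed EOL OS."""
    for prefix, when in EOL_OS.items():
        if os_name.startswith(prefix):
            return when
    return None


def posture_report(csv_text, as_of):
    """Summarise an inventory CSV the way the study summarised its 1.5 million devices.

    as_of is an ISO date string; devices whose OS support ended on or before it
    are counted separately as already past end-of-life.
    """
    cutoff = date.fromisoformat(as_of)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(rows)
    eol_rows = [r for r in rows if eol_date(r["os"]) is not None]
    past_eol = [r for r in eol_rows if eol_date(r["os"]) <= cutoff]
    os_families = {r["os"] for r in rows}
    vendors = {r["vendor"] for r in rows}

    flags = []
    if eol_rows:
        flags.append("legacy-os")       # anything on an approaching-EOL OS needs a documented plan
    if len(os_families) > OS_FAMILY_THRESHOLD:
        flags.append("os-sprawl")       # patching becomes the "immense task" the post describes
    if len(vendors) > VENDOR_THRESHOLD:
        flags.append("vendor-sprawl")   # each vendor is a separate business associate question

    return {
        "devices": total,
        "eol_devices": len(eol_rows),
        "eol_share": round(len(eol_rows) / total, 3) if total else 0.0,
        "past_eol_devices": len(past_eol),
        "os_families": len(os_families),
        "vendors": len(vendors),
        # Where the legacy devices sit, so the risk analysis can record a VLAN-level decision.
        "eol_by_vlan": dict(Counter(r["vlan"] for r in eol_rows)),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in posture_report(SAMPLE_INVENTORY, "2020-02-01").items():
        print(f"{key}: {value}")
```

Run it against a real export from your asset-management or network-access-control tool and the `eol_by_vlan` breakdown tells you where segmentation or compensating controls are needed for devices that cannot be patched without interrupting care; the `flags` list is what belongs in the risk analysis findings.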

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts. And we trust that you have had a good Memorial Day weekend honoring those who have given their lives to keep America free.
