by jtdev 2414 days ago
It seems that hospitals are overly focused on bullshit security frameworks and box-checking, i.e., HITRUST, which in my experience results in many dollars going to consultants with essentially zero tangible improvement in information security. Worse yet, the false sense of security within these hospitals due to having a HITRUST audit report with a bunch of meaningless check marks prevents them from actually doing the work of securing information properly. I have worked in health-tech for a number of years.

Cyber security standards are in place to make the process easier to understand for the non-technical executives, who approve the budgets.

Without the standards the executives don’t know who they should believe, and invariably they believe the guy who sounds and acts like themselves, which means he knows as much about cyber security as the executives.

If you know what you are doing regarding cyber security, AND you are doing all the right things, HITRUST compliance is a cinch.

If you don’t know what you are doing regarding cyber security, HITRUST at least gives you a fighting chance. But then that’s the rub: if you don’t know what you are doing, why are you running cyber security?

And how does this seemingly absurd exercise make hospital information systems more secure? These non-technical executives are also probably not aware of the intricacies of a knee replacement surgery... and shouldn’t be... these execs should be hiring and trusting skilled practitioners both in the operating room and in the information security dept., NOT injecting their ignorance of these disciplines into the process of ensuring good patient outcomes or security of patient information.
I think they are intended to be helpful, but they are adopted as CYA that have the side benefit of improving security.
> that have the side benefit of improving security

Sometimes. Other times they have the side effect of worsening security, as line employees have to deal with bullshit "security" rules and invent undocumented, untracked workarounds just to be able to do their jobs at all.

On the flip side, I’ve long preached that compliance is not security. HITRUST CSF is a huge improvement over the previous state of healthcare IT, because HIPAA is not prescriptive.
The famous critique of HITRUST by a healthcare security guy that went viral, calling it "Cumbersome, Expensive, and Arbitrary":

https://www.linkedin.com/pulse/open-letter-hitrust-alliance-...

Yep, and yet I’ve been able to successfully implement it in a 1 year project in a prior org (as part of a team obviously). HITRUST isn’t that bad, and it’s better than the alternative, which is HIPAA directly. I would best describe HIPAA as Vague, Fruitless, Bureaucratic, and Arbitrary. HITRUST is a huge improvement even if it’s not perfect.
Wasn’t HIPAA not intended for security or privacy when it was originally developed? Merely a standardized approach so various vendors could integrate more easily. I could be misremembering this though.
Yes, that’s accurate. It is not prescriptive at all, but it does contain broad data security requirements. These are really the only legally mandated security requirements in healthcare. That said, HIPAA is more about establishing a legal and contractual framework for sharing data between providers and insurers and different providers.