From hurricanes to hackers, there's a lot that can go wrong with your data. If a major storm takes out power to a cloud provider's sole computer center, a hospital's entire cloud-based system could go offline, hamstringing doctors indefinitely. Should a hacker decide to hit a data warehouse, the integrity of an entire healthcare network's IT could be compromised.
With so much riding on unfettered and highly secure access to healthcare data of every kind – from prescription information to scheduling to payroll – keeping that data ironclad is more important than ever.
Kurt Hagerman, compliance director for Dallas-based cloud firm FireHost, talks about six key points that should be second nature to anybody concerned with securing their data from natural disasters or malicious cyber marauders.
1. Demand redundancy. Many people see an attractive solution in the cloud these days. But if the cloud should fail, hospitals are left high and dry. Redundancy is something that clients should seriously consider, says Hagerman. "If you are going to work with a vendor who is providing cloud services, it's great if they have the newest mousetrap from a technology perspective," he says. "But who's backing them up, from a hosting perspective?" Hagerman advises looking for hosts with tier four data centers, which have the highest level of redundancy.
Redundancy is a word that gets thrown around a lot, but make sure a provider really means what they say, he adds. "Tier one doesn't have a lot of redundancy in terms of electricity or air conditioning." A tier four system does more than just back data up: "All the power is going to come from two separate power systems," says Hagerman. "They might even have two separate battery backup systems. When you get to tier four, all the cooling equipment is dual-powered, and everything is fully redundant. They might even locate their centers where they can sit on two different [power] grids."
2. Adopt HITRUST standards. "HIPAA doesn't actually provide much prospective information on what you're required to do" with regard to data security, says Hagerman. Hospitals that want to stay on the cutting edge should look into HITRUST, an organization that was founded a few years ago to help hospitals "understand what their HIPAA responsibilities are."
Borrowing heavily from standards such as PCI DSS, which was established within the credit card industry, HITRUST has been adopted by many large healthcare systems, and relies on accredited third-party auditors to provide high-quality assessments of a hospital's information security. HITRUST has "harmonized controls from PCI DSS and state control laws," says Hagerman, describing its standard as having "taken the best from all of the other published controls."
Because there is no official Health and Human Services Office for Civil Rights (OCR) standard for IT security yet, and because it would be costly to retool a system that didn't conform to a government-mandated rule set, how worthwhile an investment is it to buy into an independent standard? Hagerman thinks that an OCR accreditation and one from HITRUST would be pretty similar. "Anybody who goes through the HITRUST process, although it's not OCR-recognized, will find themselves in very good shape," he says.
3. Have a simple security policy, and keep employees trained. "Employees don't mind being held accountable when they know what they're being held accountable for and what they're being held accountable to," says Hagerman. No matter how many layers of security a hospital's IT system may have, no matter how many backup generators and failsafes are in place, it comes down to employee adherence to policy to keep things running smoothly.
Without a comprehensive and easily understandable security policy that is kept up to date, hospitals will find themselves falling behind. Hagerman says that a policy will fail if it's pulled straight from a template and is too long to be remembered. He gives the example of a healthcare system using seven layers of document classification being a poor implementation of policy. "I can't even remember seven layers. What's the difference between confidential and private? When people can't remember a standard, guess what? They don't follow it."
Regular training along with a simple and clear policy can keep organizations out of trouble, though. Hagerman says that the cost of such training is low and that the return on investment is high. Staying on top of the training game ensures that a hospital won't have to sweat too much about employee noncompliance. Hagerman says that hospitals with mature security policies "are well ahead of the game from a risk management perspective."
4. Put a business continuity plan in place. Instead of just having a plan for how to respond to a disaster, Hagerman argues that hospitals should focus on how to keep their operations up and running "in case of various and sundry things that might come up." Knowing and identifying all of the important elements of a hospital's IT, understanding how it functions, and having redundancies and backups in place to keep the system functioning regardless is a key element in staying operational, no matter what.
"A lot of what we've put in place is designed to keep us in operation regardless," says Hagerman. "I've found that companies that address those issues suffer fewer problems. They've already engineered and planned their way around [problems], so when they happen, it really isn't a big deal."
5. Treat security as a full-time job. With the variety of cloud systems and IT infrastructure available on the marketplace now, just who is responsible for what? Hagerman says that while a vendor may handle certain aspects of keeping data safe and systems online, that doesn't let a hospital fully off the hook. "You need to clearly understand what you are responsible for and what your vendor is responsible for. Have mechanisms in place for monitoring things."
Hagerman says one of the biggest ways to achieve this is to "understand what you're buying" with regard to what services vendors offer, how to make sure they're holding up their end of the deal, and what the client still needs to be responsible for on their own. One tool to help is the Cloud Security Alliance, a new organization that is trying to make cloud services and what they offer transparent in the marketplace, so that prospective clients can make better-informed decisions.
On the local end, Hagerman stresses that "security is a full-time job. Customers who try to only focus on it during an audit, it never really works. It does show." Whether it is developing security procedures, training employees on them and implementing them, auditing third-party vendors, or maintaining onsite technologies, skipping out on security details only comes back to bite organizations in the long run.
6. Embrace mobile, but be cautious. "The whole mobile thing is here to stay. BYOD is here to stay," says Hagerman, who notes that a doctor in a major city may have privileges at more than one hospital. "I'm not going to carry around three iPhones," issued by each hospital, he insists. The flexibility and ubiquity that make mobile devices so useful also make them potentially red-hot from a security perspective. Luckily, the healthcare industry has pushed for better advances in mobile device management (MDM).
Mobile devices are getting easier and more secure, so long as certain steps are taken, says Hagerman. "Have a good access management program. Authenticate doctors. Use MDM to be able to either require that data access is locked down ... or make more of the apps available through secure browsers."
Further advances, such as apps storing information in secure spaces on the device that can be individually wiped, and basing more applications in restricted Web-only formats, help address many potential security concerns posed by mobile technology, he adds.