by Kurt Hagerman, CISO, Armor
As the threat landscape continues to evolve in tenacity and volume, healthcare is clearly in the crosshairs. Healthcare data is increasingly at risk, with one healthcare record reportedly ten times more valuable than a credit card number.
Electronic protected health information (ePHI) is an especially attractive target across healthcare environments. This data contains more detailed personal information than a payment card record, which can be used for multiple purposes including insurance fraud and identity theft, and because fraud alert systems for health data are insufficient, it can be exploited for a longer duration with very little chance of detection.
With this in mind, it is critical for healthcare organizations to set stringent IT objectives that ensure the protection of ePHI. Achieving an adequate level of protection requires that the following objectives are met:
- Build a secure infrastructure and know where your sensitive data resides.
- Secure medical end points, as more and more devices are becoming network connected.
- Implement consistent security standards and processes across the enterprise.
- Make security easy for end-users; healthcare providers typically don’t want to be burdened with security practices that bog down productivity and distract from core responsibilities.
However, meeting these objectives creates a number of challenges, including:
- Compliance scope: It is easy to underestimate compliance scope because there is such a broad selection of devices, processes and systems. It is critical for organizations to understand their environment and processes and to have a full understanding of how they generate/receive ePHI, as well as how the data is shared within the organization and with third parties.
- Insufficient risk assessments: Conducting inadequate risk assessments is far too common. A proper risk assessment is at the very heart of the HIPAA security rule. Without fully understanding and documenting risks and threats for managing ePHI, decision makers will not be able to justify and select proper security controls to mitigate risks and threats. This process also needs to be ongoing, as organizations and the threat landscape as a whole are both in constant flux.
- Compliance before security: Compliance is simply reporting on how a security program meets a set of requirements. Using compliance requirements, especially given that HIPAA is not very prescriptive, to drive a security program will leave organizations significantly short when it comes to protecting sensitive data. Instead, a good security program should be based on industry best practices and a thorough assessment of the risks and threats faced.
- Third-party providers: It is difficult enough to build and manage a security program internally, and most healthcare organizations also rely on third parties to operate. It is vital to understand and manage third-party risk as part of an overall, comprehensive security strategy. There must be a robust vendor management program in place to evaluate the security posture of third parties. This program should include a clear, documented matrix of responsibility for services, a process for verifying the security controls the vendor has in place, and a practice of requesting and reviewing copies of any third-party certifications they hold.
- Compliance overlap: Most healthcare organizations accept credit card payments for their services, which means they are subject to PCI (Payment Card Industry) regulations in addition to HIPAA. Responsibility for these various regulations is typically divided among different departments and handled independently. However, there are many overlapping requirements that need to be managed together. The key is to develop a single security program that addresses all of the risks and threats and meets the requirements of each applicable regulation. This ensures there is no duplication of controls or effort and results in more efficient security and compliance programs.
- Ongoing compliance and security: Many organizations look at security and compliance as singular events. They may spend a few weeks preparing for an audit and then allow a lapse until the next one comes around. Similarly, they treat security controls as a one-time setup, but these are not “set it and forget it” systems. This is what the threat actors are waiting for, and when the guard is down, they will attack. To be prepared, security and compliance programs should be treated as ongoing endeavors with constant vigilance in their management.
While time-consuming and requiring significant investment, robust risk assessments combined with ongoing security and compliance programs serve as the foundation for protecting sensitive data and, ultimately, preserving an organization’s reputation. These efforts should be a top-down organizational priority, from the C-suite to the clinical environment to the data center.
Kurt Hagerman is CISO for Armor, a cyber security company that keeps sensitive, regulated data safe and compliant in the cloud. For more information, visit www.armor.com.