Internet threats continue to evolve, and the healthcare industry is clearly a target. In fact, stolen credit cards now yield only between ten cents ($0.10) and one dollar ($1) on the black market. Medical records, though, fetch between $25 – $300. That is an obvious difference if you are in the business of stealing data.
Electronic protected health information (ePHI) is an especially attractive target across healthcare environments. This data contains more detailed personal information that can be used for multiple purposes including insurance fraud and identity theft, and due to insufficient fraud alert systems, it can be used for a longer duration with very little chance of being detected.
The healthcare industry has become target #1, and for clear reasons. Back in June, the U.S. Department of Health and Human Services commented that “U.S. healthcare organizations are severely flawed when it comes to cybersecurity and lag other sectors in safeguarding systems and sensitive information”, and that “Healthcare cybersecurity is in critical condition”.
With this in mind, it is critical for healthcare organizations to have IT objectives that will ensure the protection of ePHI. In order to achieve an adequate level of protection, it is critical that the following objectives are met:
• Build a secure infrastructure and know where your sensitive data resides.
• Secure medical end points, as more and more devices are becoming network connected.
• Implement consistent security standards and processes across the enterprise.
• Make security easy for end-users; healthcare providers typically don’t want to be burdened with productivity-bogging security practices that distract from core responsibilities.
Meeting these objectives can also create a number of challenges:
• Compliance: It is easy to underestimate compliance scope because there is such a broad selection of devices, processes and systems. It is critical for organizations to understand their environment and processes and to have a full understanding of how they generate/receive ePHI, as well as how the data is shared within the organization and with third parties.
• Insufficient risk assessments: Conducting inadequate risk assessments is far too common. A proper risk assessment is at the very heart of the HIPAA security rule. Without fully understanding and documenting risks and threats for managing ePHI, decision makers will not be able to justify and select proper security controls to mitigate risks and threats. This process also needs to be ongoing, as organizations and the threat landscape as a whole are both in constant flux.
• Compliance before security: Compliance is simply reporting on how a security program meets a set of requirements. Using compliance requirements to drive a security program, especially given that HIPAA is not very prescriptive, will leave organizations significantly short when it comes to protecting sensitive data. Instead, a good security program should be based on industry best practices and a thorough assessment of the risks and threats faced.
• Third-party providers: It is difficult enough to build and manage a security program internally, and most healthcare organizations rely on third parties to operate. It is vital to understand and manage third-party risk as part of an overall comprehensive security strategy. There must be a robust vendor management program in place to evaluate the security posture of third parties. This program should include a clear, documented matrix of responsibility for services, a process for verifying the security controls the vendor has in place, and a practice of requesting and reviewing copies of any third-party certifications they hold.
• Compliance overlap: Most healthcare organizations accept credit card payments for their services, which means they are subject to PCI (Payment Card Industry) regulations in addition to HIPAA. Responsibility for these various regulations is typically divided among different departments and handled independently. However, there are many overlapping requirements that need to be managed. The key is to develop a security program that addresses all of the risks and threats and meets the requirements specific to each regulation. This ensures there is no duplication of controls or effort and results in more efficient security and compliance programs.
• Ongoing compliance and security: Many organizations treat security controls as a one-time setup, but these are not “set it and forget it” systems. They may spend a few weeks preparing for an audit and then allow a lapse until the next one comes around. This is what the threat actors are waiting for, and when the guard is down, they will attack. To be prepared, security and compliance programs should be treated as ongoing endeavors with constant vigilance in their management.
While time-consuming and requiring significant investment, robust risk assessments combined with ongoing security monitoring and compliance programs serve as the foundation for protecting sensitive data and, ultimately, preserving an organization’s reputation. These efforts should be a top-down organizational priority, from the C-suite to the clinical environment to the data center.
ChannelSOC provides MSP security services to our partners, monitoring the network for anomalous activity, ensuring that you’re continuously upholding your compliance requirements with solutions that are always-on and proactively protecting you and your clients from cyber threats.
Be Prepared!