BreachExchange mailing list archives

IT security: time to call in reinforcements?

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Mar 2015 14:03:24 -0600

http://www.healthcareitnews.com/blog/it-security-time-call-reinforcements

We call it "protected" health information. But the reality is that breaches
of our personal health data are on the rise, some of them breathtaking in
scope.

The Anthem health insurance data breach reported in early February came
right on the heels of the Community Health Systems breach, each exposing
the personal health information of millions of customers.

Early reports linked the Anthem hack to state-sponsored cybercriminals from
China, while according to the most widely discussed post-mortem, CHS was
exploited by the well-known Heartbleed bug via an unprotected Juniper
device. Sources later labeled it a sophisticated attack also linked to
China.

But whether a sophisticated attack or an embarrassing security failure, the
"nemesis" here isn't just the hacker. It's the unrealistic expectation that
healthcare IT departments can perform routine but constant security
vigilance.

Incompatible Directions

The reality is that today's internal IT professionals are pulled into two
incompatible directions, although each is essential to the healthcare
organization's well-being. There's the obvious need for security and
privacy compliance, of course.

But healthcare IT professionals are also an essential component of
healthcare delivery, often tasked with making sure providers have the
critical information needed for patient care. And they're very much
responsible for leading mandated technology initiatives such as EHR
implementation and transitioning to ICD-10.

It's time for healthcare executives to take a hard look at what is being
asked of these professionals, and then pose a question to themselves: in
addition to their daily responsibilities, can IT staff realistically fend
off every attack on the healthcare organization's network, or is it time to
call in reinforcements?

Even with the most experienced security professional on staff, many
organizations lack the tools, defensive systems, monitors, dashboards and
manpower to really know what's going on in their networks at any given
moment. It is also somewhat inexplicable that healthcare has arrived at the
point where every practice is expected to have a well-staffed IT department
able to comply with increasingly complex privacy requirements, from the
unceasing updates to HIPAA, to the Omnibus Rule — which at last count, was
almost 600 pages.

Potential Solution

An infinitely more reasonable solution is to move their data (and the
workload for protecting it) to a cloud services provider with specific
expertise in healthcare. Such a vendor will already have the experts and
redundant security systems in place to protect health data at a much higher
level. To identify such a cloud provider, look for the following:

•   HITRUST certification, to assure that data stays protected in accordance
with the most rigorous federal, state and industry standards. HITRUST
controls were purpose-designed for healthcare information security.

•   More time invested in training their employees in security awareness
than you invest in training yours.

•   Verifiable and extensive employee background checks.

•   Additional patient data privacy capabilities, such as the ability to
de-identify patient-specific information.

•   An exclusive focus on health data management, with a proven record of
customer successes.

•   Clear familiarity with which agencies have jurisdiction over healthcare
data privacy, and with their respective rulings and laws.

•   The ability to offer a risk assessment that identifies weak links in
security.

•   The ability to offer the specific services needed to close those
security gaps.

Shared Risk

It should be noted that under the HITECH Act's requirements for third-party
"business associates" involved in managing patient data, cloud services
providers actually have a legal obligation to keep patient information
private and secure. Where the strongest provider will clearly emerge is in
the "over and above" aspect of its Business Associate contracts. Such a
provider will assume a majority of the shared risk should a data breach
occur. Needless to say, few providers have the confidence to take this on,
but it's obviously important to find one who does.

Further, the provider will ensure constant monitoring of the practice's
entire cloud network infrastructure for any breach attempt. Judging by the
frequently long stretches of time between a breach and its discovery, many
organizations are unable to keep up with this sort of vigilant surveillance,
which includes maintaining a constant watch over which employees enter the
network and when.

In the highly regulated, highly defended environment of a top-tier cloud
services provider, by contrast, all access can be restricted and documented
right down to the user, application, and file, with unauthorized access
attempts immediately detected.

Handing off data security to a cloud provider might initially be a tough
decision for some. But given today's threats, it's one that will ultimately
help more healthcare organizations breathe easier over their IT security.