Health Data Management asked three health information technology security professionals—attorney Howard Burde of Howard Burde Health Law, Tom Walsh of tw-Security, and David Holtzman of CynergisTek—the following question: What is the single most important thing a healthcare organization should do, but isn’t doing, to lower their risk of being hacked?
Here are their answers:
The most important thing that every healthcare organization should do to lower the risk of hacking is engage in an annual (or more frequent) risk assessment. In addition to being a part of HIPAA compliance, the assessment is the only rational method of determining an organization’s vulnerabilities.
Implementing technologies, procedures and security rules can be done without an assessment, but such implementation cannot be done effectively without an assessment. Moreover, the risk assessment should be performed by third-party consultants whose charge should include a thorough review of all aspects of the IT environment, including access to networks, rules on information sharing, removal of mobile devices, downloading of apps, establishing passwords, use of non-organizational devices (BYOD), training and compliance, and of course, common sense.
The reason for engaging a third-party security expert, and not using internal or external privacy counsel, is that the external expert will not be invested in the existing environment. Such an assessment should also consider the remediation side. If an event occurs, you should consider how it would be remediated.
Use remediation as a guide to identifying potential exposures. The remediation approach also raises an emerging issue: are remediation efforts effective for healthcare data breaches? If not, what should organizations do to both protect on the front end and fix problems on the back end? Hacking attempts are inevitable. Hacks are not.
In my professional opinion, patch management is the single most important thing any organization can do to lower its risk of hacking. Hackers are looking for ways to “get inside” an organization. They most often do this by exploiting known vulnerabilities. The challenges to effective patch management faced by healthcare IT departments include:
* The volume of patches and the wide variety of applications and operating systems in use in a typical healthcare environment. Which patches apply? Healthcare organizations must have a process for vetting patches and software updates. Most organizations have to rely on their vendors for that because of a lack of resources in their IT department. Also, some healthcare vendors are slow at releasing patches to their customers due to extensive testing before release. In many cases, a vendor may not want the organization to apply a patch because applying a patch could cause operational problems with their software.
* In a typical hospital, there are departmental systems (Radiology, Lab, Pharmacy, etc.) that are not managed or controlled by the IT department. Who is responsible for patch management on those systems?
* Successful patch management relies on two other IT disciplines in which healthcare organizations are typically weak:
- Configuration management – An accurate inventory of applications, operating systems and hardware so that when a patch is released the organization knows exactly what applications and systems need updating.
- Change management – While change control of their certified electronic health or medical record is typically good, in my 15+ years of healthcare consulting, I have found only a few IT organizations that did a good job of change management for their infrastructure. Applying patches to the infrastructure (firewall, servers, workstations, etc.) seldom goes through a formal change control and change management process.
Remember: applying patches or software updates is a temporary fix, not the long-term solution.
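The answer above ties patch management to configuration management (an accurate inventory) and to knowing who owns departmental systems. The following script is an added example, not code from the article or from any of the three experts: it reconciles a constructed asset inventory against a constructed list of vendor advisories, using simple dotted-version comparison, and groups the resulting work items by owning department so that items for Radiology, Lab or Pharmacy systems can be routed to whoever is actually responsible for them. All hostnames, product names, versions and advisories are made-up sample data.

```python
"""Added example (not part of the HDM article): reconcile a configuration-
management inventory against vendor patch advisories so that a patch team
can see exactly which hosts need a given update and who owns them.
All hosts, products, versions and advisories below are constructed sample data."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Turn '4.12.1' into (4, 12, 1) so versions compare numerically,
    not as strings (where '4.9' would wrongly sort above '4.12')."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    hostname: str
    owner: str                  # department responsible for patching this host
    os_name: str
    os_version: str
    software: dict = field(default_factory=dict)  # product -> installed version


@dataclass
class Advisory:
    product: str
    fixed_version: str          # first version that contains the fix
    severity: str


# Constructed inventory: a mix of IT-managed and departmental systems.
INVENTORY = [
    Asset("ehr-app-01", "IT", "WindowsServer", "2019.0", {"EHRClient": "7.2.0"}),
    Asset("pacs-srv-01", "Radiology", "WindowsServer", "2016.0", {"PACSViewer": "4.1.3"}),
    Asset("lab-lis-02", "Lab", "Linux", "8.4", {"LISCore": "3.0.9"}),
    Asset("pharm-ws-07", "Pharmacy", "Windows", "10.19045", {"PACSViewer": "4.2.0"}),
    Asset("fw-edge-01", "IT", "FirewallOS", "6.4.1", {}),
]

# Constructed advisories, in the shape a vendor bulletin or vulnerability feed would give.
ADVISORIES = [
    Advisory("PACSViewer", "4.2.0", "high"),
    Advisory("FirewallOS", "6.4.3", "critical"),
    Advisory("LISCore", "3.1.0", "medium"),
]


def find_unpatched(inventory, advisories):
    """Return one work item per (host, advisory) where the installed version is
    below the fixed version. OS-level advisories are matched against the host's
    OS, application advisories against installed software. The owner is carried
    along so departmental systems can be routed outside the IT department."""
    items = []
    for asset in inventory:
        installed = dict(asset.software)
        installed[asset.os_name] = asset.os_version   # treat the OS like any product
        for adv in advisories:
            current = installed.get(adv.product)
            if current is None:
                continue                              # product not present on this host
            if parse_version(current) < parse_version(adv.fixed_version):
                items.append({
                    "hostname": asset.hostname,
                    "owner": asset.owner,
                    "product": adv.product,
                    "installed": current,
                    "fixed_in": adv.fixed_version,
                    "severity": adv.severity,
                })
    return items


def items_by_owner(items):
    """Group work items by owning department. Any group other than IT is a
    system for which the patching owner must be named explicitly."""
    grouped = {}
    for item in items:
        grouped.setdefault(item["owner"], []).append(item)
    return grouped


if __name__ == "__main__":
    work = find_unpatched(INVENTORY, ADVISORIES)
    for owner, entries in items_by_owner(work).items():
        print(f"{owner}:")
        for e in entries:
            print(f"  {e['hostname']}: {e['product']} {e['installed']} -> "
                  f"{e['fixed_in']} ({e['severity']})")
```

With the sample data the script reports three work items: the Radiology PACS server, the Lab LIS host and the IT-owned firewall, while the Pharmacy workstation already running the fixed PACSViewer version is left alone. The useful property is that the inventory, not the patch notice, decides what needs updating; without an accurate inventory the matching step has nothing to match against.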
There is no one single approach that will prevent your health system’s information system from being hacked. Health systems must do a better job of protecting the enterprise, hardening their systems, enhancing detection capabilities of networks, testing application environments and increasing the education of its workforce.
To meet these challenges healthcare organizations should conduct regular baseline risk assessments to identify weak areas in their program and develop a work plan to address them.
Work to implement a security program around the National Institute of Standards and Technology (NIST) Healthcare Cyber Security Framework or another recognized framework to cover all the areas that are important. Review options to improve detection capabilities by enhancing audit and monitoring activities with automated processes.
Look to improve defenses against hacking and malware with more current technologies that don’t rely solely on antiquated signature-based approaches. Address encryption priorities and ways to control mobile devices and the data they access. Adopt control structures and technologies that make it more difficult for hackers and malicious insiders to export sensitive information, reducing the risk of breach.