5 key steps for improving a provider’s security posture
If you’re a small healthcare IT operation, a simple spreadsheet might do the trick. If you’re larger, a not-so-simple spreadsheet might be in order.
Regardless of how you do it, hospitals, clinics and other healthcare organizations must identify and monitor every single instance of computer network access. They’re called endpoints, says Larry Ponemon, founder of the security consulting firm the Ponemon Institute, and for you they exist as vulnerabilities. Your job is to eliminate them through a series of basic security-promoting tasks.
Your IT security staff may have conducted such work in the past related to HIPAA. However, “in the past” is definitely not recent enough for a provider’s robust security program in the hyper-changing technology world, especially if the work was incomplete or conducted more than a year ago. In too many hospitals, security protections have been a one-shot effort conducted years ago with little follow-up. Your hospital may need to undertake the following actions from a blank slate perspective in order to combat today’s sophisticated threats.
Identify every device on the network
We’re not talking about just desktops and laptops. Think more broadly and identify everything that has a network connection—organizations need to identify tablets, mobile phones, IoT devices and anything else that could link into a network. You may have also permitted network access for clinicians and staff using their own devices, so take the time to identify those users as well.
Update your software
After figuring out how many networked devices you have, make sure the security applications on each, which includes operating systems, are up to date.
“One of the main reasons hospitals have become ground zero for ransomware attacks is that almost every modern medical device is now a computer,” writes Phillip Hallam-Baker, vice president and principal scientist for cybersecurity firm Comodo. “It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.”
Hallam-Baker adds that defeating malware, particularly ransomware, requires a three-pronged approach:
• Scan inbound email for infected attachments and links to malware sites that automatically download to your computer.
• Block access to malware sites.
• Run anti-virus software on every computer in use.
Spread the security gospel
Now, it’s time for social engineering. According to respondents in a Ponemon Institute study on networks and cybercrime, 81 percent feel the greatest threat to security is negligent and careless employees who don’t follow established policies and practices. This issue has been complicated in recent years by threats from insecure mobile devices. Train every employee in proper security practices, and reinforce them frequently.
Secure the patient portal
At some point, turn your attention to the patient portal you installed to meet Meaningful Use. Keith Fricke, the principal consultant at tw-Security, wants you to know that it could create vulnerabilities. Imagine, for example, hostile code that lives on a popular website and downloads to a patient’s home computer. Later, visits by that patient to an insecure hospital patient portal might provide a hacker with access to numerous patient records and the opportunity to pass along a virus, hitting your organization with a double whammy.
Cover your business associate bases
In recent years, according to Ponemon, business associates (BAs) have endured even more data security incidents than healthcare providers. A major reason is that HIPAA-required BA agreements, once signed, tend to sit on the shelves of all parties. Your partners, including IT vendors, may feel much less urgency about patient data security than you do. Make sure their lack of urgency does not impact your security by taking these steps:
• Evaluate your entire list of vendors and similar partners to determine which have access to protected health information (PHI). Perhaps some BA agreements were never signed, which puts your organization at great risk.
• Review all of your BA agreement files. Those dated prior to 2013 are obsolete, which adds to your hospital’s security vulnerability. The 2013 Omnibus HIPAA regulations are much stricter with business associates than the original HIPAA security rules, so it is critical to your security program that all BA partners sign an updated agreement.
• Insist on compliance with the newer rules as a condition of your continued relationship. Double check your BA’s level of security and ask to see its most recent security risk assessment, one of its many obligations under HIPAA.
Taking these actions will greatly improve your organization’s security position and give you much, if not all, the information you need to perform your own HIPAA-required security risk assessment.
Many organizations are ill-prepared for the growing onslaught of security incidents, not because they don’t care, but because of inadequate funding and security expertise. High expenditures for recent initiatives such as Meaningful Use and ICD-10 implementation have not helped. Moving forward, senior management must view data security as a cost of doing business, just as it is with financial services and retail. You will have to spend money on security regularly to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.