By Phil Stravers, CEO, Partner at ICE Technologies, Inc.
For the last four to five years, we have been blogging about the importance and details of proper security in your healthcare IT environment. We have been “preaching” the message of diligence and attention to detail as it relates to HIPAA and HITECH.
Articles like this one by Modern Healthcare have started to shine a light on the realities of security risk in our healthcare IT environments. This is no longer a HIPAA compliance project where we check a few boxes, update a policy book, do some DVD based training, and expect that we have covered ourselves for the next audit. These risks are real and they can be extremely damaging to an organization if not kept in check.
Recently, I was having a conversation with a local dentist who was lamenting the security demands on his practice after attending a conference, and he asked, “Why would anyone want to target a small dentist practice in a small town; am I really at risk or is this just hype?”
I suspect a good share of you have asked this same question about your hospital or clinic. Why would anyone care about me in ABC Town, USA? So, let’s just be clear about something. It is not a matter of if; it is a matter of when you will have your next data breach. I say next because it is very likely you have already had one and just didn’t know it. It’s time we stop hiding behind this “I’m too small, too rural, too remote for anyone to care” notion.
I think it would surprise a lot of people to find out that a health record is worth 10 times that of a credit card record on the black market today, and the fact that you don’t have 100 million records on your system doesn’t stop the hackers from adding your 10,000 records to the other bank of records they are accumulating. Don’t get me wrong, I can’t stand it when the IT Department fancies itself the HIPAA Police and every time a user makes a request they don’t want to fulfill they say “no” in the name of HIPAA. That accomplishes nothing, but that isn’t what I’m suggesting here.
There are, however, some practical actions and technologies that should be deployed in your organization today and if you have not become disciplined in these areas, the honest truth is, you really are falling well short of your responsibilities. Many of your board members who might work at the local community bank have been doing these things for years. My top 10 list of security must haves includes:
- Routine staff training – specifically educating on current threats and risks and social engineering counter actions.
- Encrypted Media – If your computer hard drives, thumb drives, backups and various media types are not being encrypted today, you have missed one of the greatest opportunities to avoid penalties for breach and protect your patients’ information. Can your staff insert a thumb drive on one of your computers and copy data? If so, you are completely and unnecessarily at risk.
- Mobile Security – Cell phones are just small computers. You need to treat them the same as the PC or a thumb drive when they access your network. They need to have an anti-virus utility on them, they need to be encrypted and you need to limit applications. If you have a policy banning cell phone access to the network, that doesn’t mean cell phone users aren’t accessing your network. You need to assume they are and take measures to enforce the policy through technology tools. You aren’t absolved because of the policy, so a more direct approach is required. Symantec, MobileIron, and others have a solution for this, but as with any such technology, it must be managed properly or it will become an unwelcome, unwieldy beast.
- Routine Risk Assessments, Security Audits, and Penetration Testing – These types of audits need to be done at least annually. Do you test your fire alarms today? What if the sources of fire were constantly changing? How often would you test your fire safety systems then?
- Intrusion Detection Services – These technologies have existed for quite a while and many of you may even have these systems deployed at your facilities, but if you don’t have a trained eye monitoring them, they are a waste of money. A trained eye reviewing logs/dashboards on a regular interval is much more likely to prevent a breach or policy break before it becomes a major issue.
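As an added illustration (not part of the original post), here is a small Python triage script of the kind a “trained eye” might run on a daily pass over authentication logs before opening the dashboards: it flags bursts of failed logins from one source, a success that follows such a burst, and logins outside a normal shift. The log format, host names, user names, addresses, business hours and thresholds are all constructed for the example and are assumptions, not anything from the post.

```python
# Added example: daily triage of authentication log lines for a human reviewer.
# Log format, hosts, users, addresses and thresholds are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a syslog-like layout (hypothetical hosts/users).
SAMPLE_LOG = """\
2024-03-04 02:11:05 vpn01 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:09 vpn01 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:14 vpn01 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:20 vpn01 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:27 vpn01 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:33 vpn01 auth OK user=jdoe src=203.0.113.7
2024-03-04 08:30:00 ehr01 auth OK user=nurse1 src=10.0.5.21
2024-03-04 12:02:44 ehr01 auth FAIL user=nurse1 src=10.0.5.21
2024-03-04 23:45:10 ehr01 auth OK user=billing2 src=10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                   # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this sliding window is a burst
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 treated as a normal shift (assumption)


def parse(lines):
    """Turn raw text into a list of event dicts; unparsable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production reviewer would count these too
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def triage(lines):
    """Return (rule, detail) findings, in log order, for a reviewer to follow up."""
    findings = []
    recent_fails = defaultdict(list)  # source address -> timestamps of recent failures
    flagged_sources = set()
    for e in parse(lines):
        if e["result"] == "FAIL":
            window = recent_fails[e["src"]]
            window.append(e["ts"])
            # discard failures that have aged out of the sliding window
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and e["src"] not in flagged_sources:
                flagged_sources.add(e["src"])
                findings.append(("burst_failures",
                                 f"{len(window)} failures from {e['src']} within {FAIL_WINDOW}"))
        else:
            if e["src"] in flagged_sources:
                findings.append(("success_after_burst",
                                 f"{e['user']} logged in from {e['src']} after a failure burst"))
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_login",
                                 f"{e['user']} on {e['host']} at {e['ts']:%H:%M}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:20s} {detail}")
```

The point of the script is not the rules themselves, which any IDS can match, but that the output is short enough for a person to read every day; a reviewer who sees the “success after burst” line for the VPN account at 2 a.m. has something concrete to act on before it becomes a breach report.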
- Strong Password/Authentication Management – Far too many organizations still share passwords or utilize poor password management disciplines because of temp staffing, limited after hours support or an entire host of reasons. There are tools available to simplify password resets and access methods so that you can successfully enforce strong password management. You need to enforce your appropriate/acceptable use policy explicitly, no exceptions. If you aren’t confident in your appropriate/acceptable use policy, it’s time to have someone who knows the risks and mitigations improve that policy.
- Web/Email Content Filtering and Encryption – Again there are some basic tools available that can do much to protect your users from themselves. The key to these technology deployments however is to implement them in such a way that the technologies do not become significant value and time drains to staff, patients and partners.
- Inventory Interfaces and File Extracts – You should have a risk management and review process in place for all of your interfaces and file extracts and you should never allow data to leave your facility without a formal checkpoint requiring this review. All too often we have seen facilities that are dropping data in buckets when asked to by external vendors without conducting a proper review of the protections of that data. You cannot trust each vendor to do your due diligence for you.
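An added example, not from the original post, of what a formal checkpoint on an outbound file extract can look like in code: the extract is scanned for columns and values that look like patient identifiers, and release is only allowed when a review record is attached. The sample extracts, the column names, and the policy rules (a logged review ticket for every extract, plus a named approver and a business associate agreement on file whenever identifiers are present) are assumptions made for illustration.

```python
# Added example: a pre-release checkpoint for vendor file extracts.
# Column names, sample rows and the release policy are constructed assumptions.
import csv
import io
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# Header names this organisation treats as direct identifiers (assumption).
SENSITIVE_HEADERS = {"ssn", "dob", "date_of_birth", "mrn", "patient_name"}

# Constructed extract as a vendor might request it, identifiers included.
EXTRACT = """\
mrn,patient_name,dob,visit_date,guarantor_id,charge
10042,Jane Q Public,1961-02-14,2024-03-04,123-45-6789,125.00
10043,John Doe,1975-09-30,2024-03-04,987-65-4321,80.00
"""

# Constructed de-identified version of the same data.
DEIDENTIFIED = """\
record_id,visit_year,charge
a1,2024,125.00
a2,2024,80.00
"""


def scan_extract(text):
    """Return sorted findings describing identifier-looking columns and values."""
    reader = csv.DictReader(io.StringIO(text))
    findings = set()
    for header in reader.fieldnames or []:
        if header.strip().lower() in SENSITIVE_HEADERS:
            findings.add(f"sensitive column: {header}")
    for row in reader:
        for column, value in row.items():
            if value and SSN_RE.match(value.strip()):
                findings.add(f"SSN-formatted value in column {column}")
    return sorted(findings)


def release_decision(text, review):
    """Gate an extract. `review` is the checkpoint record; returns (allowed, reason).

    Policy (assumed for the example): every extract needs a logged review ticket;
    an extract containing identifiers also needs a named approver and a signed
    business associate agreement (BAA) with the receiving vendor.
    """
    if not review.get("ticket"):
        return False, "no review ticket logged for this extract"
    findings = scan_extract(text)
    if not findings:
        return True, f"no identifiers detected; released under ticket {review['ticket']}"
    missing = [k for k in ("approved_by", "vendor_baa") if not review.get(k)]
    if missing:
        return False, ("identifiers present (" + "; ".join(findings) +
                       ") but review is missing: " + ", ".join(missing))
    return True, f"identifiers present; approved by {review['approved_by']} with BAA on file"


if __name__ == "__main__":
    print(scan_extract(EXTRACT))
    print(release_decision(EXTRACT, {"ticket": "T-1"}))
    print(release_decision(DEIDENTIFIED, {"ticket": "T-2"}))
```

The scanner is deliberately simple; its job is to make the checkpoint impossible to skip, so that the question “who reviewed what this vendor is getting?” always has an answer on file.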
- Proactive Patch Management Discipline – Your IT Department should have a set schedule for patching servers and PCs and should also be monitoring key sites like Microsoft and anti-virus companies for urgent threats. There are tools that can automate the delivery of these patches, but it still takes a person to validate that the patches were indeed applied. It is necessary to stick to strict schedules to avoid the ‘big oops’. This has a side benefit of lowering your overall support costs over time due to the standard it naturally creates.
- Current Service Contracts on all Critical Systems – Far too often agreements are allowed to slide, and therefore systems get out of date and become a vulnerability, whether for recovery in the event of failure or for timely support in the event of a suspected error or breach. Keep your agreements and systems up to date. This too has a side benefit of reduced support costs over time.
There is an entire section of the security vulnerability conversation that I haven’t addressed here and that is the topic of disaster recovery or business continuance. However, that’s a topic in and of itself, so watch for future posts. If you have questions about what you can do to improve any of the above items in your facility, give us a call. We would be glad to help you find practical solutions to this growing challenge.
About the author
Phil Stravers, Partner and CEO of ICE Technologies, Inc., has been consulting in the information technology industry for nearly 25 years and has spent the last 19 years helping community hospitals “make IT work better.” Phil has had the opportunity to act as an Interim CIO for numerous hospitals, which gives him a unique perspective on their challenges and associated solutions. Phil will tell you that he really enjoys sharing lessons learned and, as a result, frequently presents at various hospital associations, HIMSS events, HFMA and even at an occasional church service from time to time. Phil has a passion for baseball (die-hard Cubs fan) and has spent more than 10 years coaching young baseball players and believes many of the lessons learned for team development on the field provide great application in the healthcare and IT Operations settings.