Guest Column | March 8, 2019

How To Build The Right Healthcare IT Security Stack

By Hoala Greevy, Paubox


Cybersecurity is critical for all businesses, but it’s a particularly pressing matter in healthcare because of the significant regulations surrounding protected health information. The "2019 HIMSS Cybersecurity Survey" found that 74 percent of surveyed health information security professionals reported a “significant security event” in the past 12 months.

Of course, IT security stacks are nothing new to businesses. But because healthcare organizations must follow regulations protecting PHI, administering them becomes more complex.

The challenge is further complicated by the widespread use of legacy systems, such as the on-premises servers commonly run by larger and older healthcare organizations. Off-site cloud-based hosting is generally preferred because there is less risk when there are no on-premises servers to patch and manage. More healthcare facilities are adopting that approach, but many still haven't made the transition to the cloud.

Insider threats are one of the most common threat vectors for any organization, so it's important that your IT security stack addresses them effectively. Finally, if a breach does occur, you need the technology in place to detect it quickly and then mitigate any damage.

For all these reasons, building and maintaining an IT security stack that can keep up with the changes in cybersecurity and healthcare regulations remains a challenge. It's tough to know where to begin.

4 Principles For Implementing Modern Healthcare Cybersecurity

Let’s take a look at some principles that every healthcare facility should implement to begin to enact modern, robust security that aligns with PHI regulations.

1. Understand the frameworks you need to follow.

HIPAA compliance programs often follow what are known as “NIST controls.” This is a voluntary framework for managing cybersecurity risk that includes standards, guidelines, and best practices. Third-party certifications, such as HITRUST, can help you verify that your policies, procedures, and security stack are meeting the necessary controls. Without this step, you might miss key best practices.

2. Be comprehensive.

Always keep in mind that regulations and NIST controls are often lagging indicators, somewhat behind today’s most active threats. A full assessment of the biggest risks to your organization needs to be conducted on a regular basis, as the threat landscape is always evolving.

This can be done by reviewing your own incident history for the most frequently attempted attacks, as well as the ones that succeeded. If you don't yet have enough data about attempts on your systems, industry reports usually point out the most common threat vectors. Once you understand the threats, you can make sure the IT security stack you implement addresses them.

3. Select vendors that "play nice" with your systems.

Today’s vendors know that they need to provide solutions that are easy for healthcare facility teams to work with. For that reason, many vendors now provide an application programming interface (API), which allows their solutions to "talk" with other programs and applications through API calls. This makes it much easier for the IT team to integrate security solutions into its operations without writing its own integration code, which can introduce critical bugs that compromise security.

Despite the obvious value of an API, some vendors still don't provide one. Ask vendors about this important feature. Also, be sure the solutions you choose are adaptable and can be deployed in a range of configurations. You don’t want to be constrained to systems that only work with products from a single vendor. Avoiding that constraint helps mitigate risk and won't lock you into a platform that might not develop as quickly as you need.

4. Prioritize monitoring data flow.

Data is what hackers are after. Set up a system that allows your security team to monitor and control the flow of data. Cover not only the data that lives within your organization, but also any data that comes in and goes out.

This needs to be comprehensive. It can’t just be about faxes and emails. It also needs to include API calls between applications and data that gets stored in the cloud. Good security applications should be able to monitor for threats such as phishing emails or distributed denial of service attacks, which can shut down your online presence. You also need to detect whether any key data is leaving without proper authorization, a practice called “data loss prevention.”

Cybersecurity is not optional for healthcare organizations. Hacking can shut down your services or compromise patient data overnight. Fortunately, vendors are now providing comprehensive software solutions that can protect your facilities without the huge initial overhead of building your own software systems in-house. By choosing a solution that integrates easily with your existing architecture and has the capability to grow as new threats emerge, you can stay one step ahead of hackers.

About The Author

Hoala Greevy is the founder and CEO of Paubox, the only HITRUST CSF-certified seamless secure email solution. Paubox’s end-to-end email encryption works on any device without requiring additional apps, plug-ins, or logins. A serial entrepreneur, Hoala also founded Pau Spam, an email-filtering software service. An avid kayak fisher, Hoala holds the world record for the largest caught finescale triggerfish.