Healthcare Data Security Requires Active Monitoring and Management

How to make the leap from “worrying” to “doing”

April 13, 2018 • Published by

Recent healthcare data security statistics paint a clear picture of the need for urgency among CISOs:

As a security consultant, I’ve been in a lot of hospitals, clinics and practices—and I’ve seen a lot of “worry” over the cybersecurity threat landscape. I’d like to see more of this worry translate into action, because it’s just not happening.

Other than worry, what can healthcare institutions and their IT/IS leaders do to protect electronic personal health information (ePHI)? I have been part of three major healthcare breaches and post-breach forensics revealed that two of them could have been limited in scope if they had been actively monitoring and alerting to changes inside their IT networks.

If you aren’t being proactive, you’re falling behind.

No matter how much security awareness training you have, or how often you remind employees, someone will inevitably click the link in that phishing email (launching malware), have their credentials compromised, or both.

Active monitoring and management is the key to staying ahead of cybercrime. This is an ongoing process that involves people and technology…

  • Firewalls: Most organizations have them and are using whitelisting to keep the noise down, but does the organization review the configurations or watch the traffic?
  • Intrusion Detection System (IDS): This usually runs on the firewalls and looks to the perimeter, but is your IDS configured to also point inside the network?
  • Log monitoring and file integrity monitoring (FIM): If you know who your admins are, when they are making changes, and when they are accessing protected data, you will know if something is happening.
  • Risk assessments: Are any of the items listed above even considered in your risks? Do you even do an annual risk assessment?

In addition to the above, you need an Information Security Program with policies that address how the organization works and written processes that are actively managed. The policies and processes should accurately describe the organization as a whole and how ePHI data is being controlled, monitored and stored, as well as how the data traverses the network. This is a biggie, because 80% of the organizations I assess can’t tell me where data is at rest, where data moves through their systems, and how that data is protected!

Cybersecurity best practices aren’t an easy or inexpensive fix. Building an Information Security Program takes resources for people and equipment which means someone must be willing to lead and fight the board for the required manpower and funding. This also requires organizational buy-in from the top down, or it won’t work.

I don’t envy the job healthcare IT executives (CISOs, CIOs, etc.) have. They are supposed to know everything technology and security related about their organizations. They must manage the day-to-day minutiae and have vision to protect the organization of today and be a wizard and peer into the future.

Lastly, they must have the courage required to steer through the maze of politics and crap to get the job done.