Healthcare data continues to be some of the most valuable and highly sought after resources that attackers are targeting. Patient’s private health records fetch higher prices than the stolen credit card on the dark web. The loss of sensitive information due to unauthorized access to databases through malicious software or loopholes in a network is of grave concern for enterprises. Unfortunately, the most relied upon security tools such as antivirus software and firewalls deployed for the protection of an IT infrastructure are not enough to prevent these breaches.
For healthcare organizations, segmentation, relentless vulnerability management, and proactive monitoring and blocking will be vital to creating a secure environment. Working with experts to ensure some fundamentals like making sure your device configurations are kept updated, sensitive data is segregated and firewalled, users are educated on how to spot phishing attempts, and mobile devices are protected with strong encryption, are all critical components in efforts to keep your environment secure.
With the wave of highly publicized cyberattacks on healthcare, the challenges of data security and compliance have only multiplied. You will continue to see healthcare organizations, and service providers that handle electronic protected health information, not only focusing on maintaining patient privacy and data security, but complying with HIPAA and numerous State laws and industry regulations. With mandatory breach reporting and increasing OCR audit activity, the odds of having to defend the organization’s security controls to a government regulator continue to go up.
To combat this, you may see more organizations taking advantage of the HITRUST CSF to assist in meeting these challenges, as it is rapidly gaining acceptance in the healthcare security ecosystem. While obtaining HITRUST certification is a complex undertaking, the rewards can be large, enabling organizations to address regulatory requirements and business challenges. HITRUST and similar frameworks also provide a great platform on which to build your organization’s risk assessment.
A risk assessment (as part of a broader risk management program) should be a foundational component of every healthcare organization’s security program. Understanding where actual risks exist helps the business “right-size” the security controls and technologies being applied to protect data. Many organizations jump immediately to technology solutions to solve their perceived security problems without a thorough understanding of where sensitive data resides, with whom it’s shared, and how it may already be protected. Among other things, a risk assessment seeks to ask and answer the questions, “what can go wrong?” and “how are we protecting against those threats?”
Key areas to consider for your risk assessment
- Medical devices
- Access to Cloud-based clinical systems
- Mobile and portable device encryption & tracking
- 3rd Party Vendors / Business Partners
- Monitoring systems for intrusions and malware
- Patching of systems and scanning for vulnerabilities
- Responding to security incidents
As an industry, healthcare is slowly maturing from a security perspective, but there is still much work to be done to ensure we are doing the right things to protect sensitive and protected data
If you are a health-care organization or a service provider that handles electronic protected health information, download a free HITRUST guide to learn more.
Knowing your risks is critical. Determining those risks can be time-consuming and difficult to manage with traditional tools. BALLAST’s IT security risk assessment tool improves the process, moving you quickly through the assessment phase to tracking remediation and managing risks. Learn more about our Ballast Software.