
Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments
Regulatory and Risk Background
When the Health Insurance Portability and Accountability Act Security Standard (HIPAA) was
finalized in 2003, it set forth administrative, physical, and technical safeguard requirements
for healthcare to control the confidentiality, integrity, and availability of patient health data.
However, the enforcement of the standard was weak. No funding was placed towards a
policing body and the HIPAA security standard was quickly deemed “toothless”—meaning
there was little repercussion for non-compliance. In addition, many key parts of the
standard were designated as “addressable” instead of required. This meant that healthcare
organizations had to perform a risk analysis, determine if they needed to implement the
addressable parts of the standard, and simply document their decision. Due to the need to
control the costs of healthcare, in addition to a much more rudimentary threat landscape than
the one faced today, many addressable safeguards were deemed unnecessary.
Enter the Health Information Technology for Economic and Clinical Health (HITECH) Act. The
HITECH Act, passed in 2009, was set to further the cause of HIPAA by providing incentives
to healthcare organizations for adopting meaningful use of electronic health records (EHR)
and also to strengthen HIPAA privacy and security mandates. In addition to requiring proof of
specific security measures to gain financial incentives from the government for demonstrating
meaningful use of EHRs, the HITECH Act also gave the formerly “toothless” HIPAA teeth.
First, it put into place the first nationwide data breach disclosure law, specifically for
health information that had been omitted from the majority of state data breach disclosure
laws. Second, it designated and funded the Office of Civil Rights (OCR) within the Department
of Health and Human Services as the policing body for HIPAA privacy and security. Finally, it
gave state attorneys general the right to sue healthcare organizations for HIPAA security and
privacy violations.
The changes the HITECH Act instituted and their impacts have made effective and diligent
risk management for the security of health records an important, and for most, a
new initiative for healthcare organizations. Since the HITECH Act, fines and sanctions for
data breaches, in combination with lawsuits, have been driving healthcare organizations towards
implementing stronger security programs. However, while the financial incentives provided
by the government for meaningful use help, cost-sensitive healthcare IT departments still
struggle to determine the resources required to implement appropriate risk management.
In the past, security has often taken a “block and tackle” approach. While the tenets of
defense in depth have been recognized as important, the pressure to manage the cost of
care has limited the funding that healthcare has allotted for security technology and the staff
required to manage it. But today, the damages of non-compliance can be more financially
devastating. With the majority of fines, sanctions, and corrective actions issued by the
OCR culminating in the need to effectively manage risk, it is imperative that healthcare
organizations find economical methods of doing so.
This paper is intended to provide clarity around this difficult challenge and guidance on
cost-effective measures for managing risk to patient health data, in light of the evolving threat
landscape and the heightened regulatory environment surrounding healthcare data security.
Address “No Brainer” Gaps - Mobile and Removable Media
Many breaches of patient health data could have been easily prevented if healthcare organizations
had invested in basic preventative measures regarding mobile devices and removable media. The
HITECH Act provides safe harbor if data is encrypted—meaning that if patient health data is stolen
or lost but is encrypted using strong encryption and secure key management practices—it is not
considered a breach. Investing money in encrypting laptops and other mobile devices that can be
easily lost will go a long way towards effective risk management. If a laptop with patient data gets
lost, the fine is far greater than the investment in basic encryption.
For removable media—particularly USB devices whose loss and theft have created data breaches
resulting in six- and seven-figure fines—an organization has the choice of whether to encrypt or
block. USB access should only be allowed in healthcare environments if there is a pressing and
legitimate reason to use them. Organizations digging into the issue typically realize that there is
not a business need and use economical USB blocking technology to block access to USB ports.
To ensure unstructured health information can be available to those with a “need to know”
requirement, while also remaining secure and in compliance with the HIPAA Security Standard, a
secure file sharing solution with strong access controls can be inexpensively implemented.
Maintain Secure Network and Firewall Configurations
Additional data breaches in healthcare have occurred due to lack of governance and maintenance
of secure firewall and network configurations. With limited IT staff, it’s essential to ensure that
network administrators have the necessary tools to clearly understand security gaps, quickly
remediate them, and implement security and audit functionality with the ability to view compliance
across the network.
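The governance gap described above is easiest to see with a concrete check. The following is an added example, not SolarWinds code and not from this paper: it audits a firewall rule set for risky permits and for drift from an approved baseline. The rule representation (one dict per rule), the baseline, the running configuration and the list of management ports are all constructed for illustration; a real deployment would parse the export of the firewall in use.

```python
"""Audit a firewall rule set for risky rules and for drift from an approved baseline.

Added example, not SolarWinds code. The rule format below is a constructed,
vendor-neutral representation (one dict per rule); a real deployment would
parse the export of the firewall in use.
"""
from ipaddress import ip_network

# Constructed approved baseline: the rules the change process has signed off.
BASELINE = [
    {"id": 10, "action": "allow", "src": "10.20.0.0/16", "dst": "10.30.5.10/32",
     "port": 443, "comment": "clinic workstations -> EHR web"},
    {"id": 20, "action": "allow", "src": "10.20.0.0/16", "dst": "10.30.5.20/32",
     "port": 1433, "comment": "reporting server -> EHR database"},
    {"id": 30, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "port": "any", "comment": "default deny"},
]

# Constructed running configuration: two rules were added outside the change process.
RUNNING = [
    BASELINE[0],
    BASELINE[1],
    {"id": 25, "action": "allow", "src": "0.0.0.0/0", "dst": "10.30.5.20/32",
     "port": 3389, "comment": "temp vendor RDP"},
    {"id": 26, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "port": "any", "comment": ""},
    BASELINE[2],
]

# Ports that should never be reachable from an unrestricted source (constructed list).
MANAGEMENT_PORTS = {22, 23, 445, 1433, 3306, 3389, 5900}


def is_any(cidr):
    """True when the CIDR covers every address (prefix length 0)."""
    return ip_network(cidr).prefixlen == 0


def risky_rule_findings(rule):
    """Return a list of findings for a single allow rule; deny rules are never risky."""
    findings = []
    if rule["action"] != "allow":
        return findings
    if is_any(rule["src"]) and is_any(rule["dst"]) and rule["port"] == "any":
        findings.append("permit-any-any")
    elif is_any(rule["src"]) and rule["port"] in MANAGEMENT_PORTS:
        findings.append(f"management port {rule['port']} exposed from any source")
    if not rule.get("comment"):
        findings.append("undocumented rule")
    return findings


def drift(baseline, running):
    """Compare rule ids and contents between the approved and running sets."""
    base_ids = {r["id"]: r for r in baseline}
    run_ids = {r["id"]: r for r in running}
    added = sorted(set(run_ids) - set(base_ids))
    removed = sorted(set(base_ids) - set(run_ids))
    changed = sorted(i for i in set(base_ids) & set(run_ids) if base_ids[i] != run_ids[i])
    return {"added": added, "removed": removed, "changed": changed}


def audit(baseline, running):
    """Full report: drift from baseline plus per-rule risk findings on the running set."""
    report = {"drift": drift(baseline, running), "risky": {}}
    for rule in running:
        findings = risky_rule_findings(rule)
        if findings:
            report["risky"][rule["id"]] = findings
    return report


if __name__ == "__main__":
    for key, value in audit(BASELINE, RUNNING).items():
        print(key, value)
```

Running the audit on the constructed data reports rules 25 and 26 as unapproved additions, flags rule 25 for exposing RDP to any source and rule 26 as an undocumented permit-any-any. Scheduling a check like this against each day's exported configuration gives a small team the "what changed and what is exposed" view that manual review of a growing rule base does not.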
Determine Preventative and Detective Controls
Addressing bare minimum security measures, such as firewall, IPS, endpoint security, laptop
encryption, and removable media security is a standard practice. However, when organizations
begin to prioritize budgets, estimates, and efforts to implement additional preventative controls,
it quickly becomes apparent that hard choices will have to be made due to lack of resources.
For tightly resourced security departments, implementing a strong monitoring program goes
a long way towards effectively managing risk. A monitoring program, typically implemented
through security information and event management (SIEM), can help fill gaps in preventative
controls and also ensure that allowed access is governed.
An effective SIEM implementation can be used to monitor access, detect needed changes in
access controls, monitor data security, and identify external breaches. In addition, some SIEM
solutions go further—offering remediation capability at the endpoint, network, and access control
systems—toward providing an intelligent, active security center that can be easily tuned to identify
and correct security issues as they happen.
To get the most out of a SIEM implementation, organizations should carefully evaluate where they
can block unacceptable activity and where they can’t. Tuning the SIEM to scrutinize activity that
has greater risk due to a lack of preventative security can serve as a compensating control while
the organization waits for budget for stronger security measures.
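The compensating-control idea above, and the removable-media point from the earlier "No Brainer" section, can both be shown with a small set of correlation rules run over sample events. This is an added example, not SolarWinds code and not from the paper. The log lines, field names, host names, thresholds and the list of hosts with a documented need for removable media are all constructed; they stand in for whatever the EHR application, directory and endpoint agents in a given environment actually emit.

```python
"""Minimal SIEM-style correlation over application, endpoint and VPN events.

Added example, not SolarWinds code. Sample lines, field names and thresholds
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a key=value syslog-like layout.
SAMPLE_LOGS = """\
2024-03-04T02:10:01 ehr-app event=record_view user=jsmith role=billing patient=P0001 src=10.20.4.7
2024-03-04T02:10:09 ehr-app event=record_view user=jsmith role=billing patient=P0002 src=10.20.4.7
2024-03-04T02:10:15 ehr-app event=record_view user=jsmith role=billing patient=P0003 src=10.20.4.7
2024-03-04T02:10:22 ehr-app event=record_view user=jsmith role=billing patient=P0004 src=10.20.4.7
2024-03-04T02:10:30 ehr-app event=record_view user=jsmith role=billing patient=P0005 src=10.20.4.7
2024-03-04T02:10:41 ehr-app event=record_view user=jsmith role=billing patient=P0006 src=10.20.4.7
2024-03-04T09:00:03 ehr-app event=record_view user=drlee role=physician patient=P0007 src=10.20.8.3
2024-03-04T09:01:11 ws-042 event=usb_mount user=jsmith device="Generic Flash Disk"
2024-03-04T09:01:40 imaging-01 event=usb_mount user=radtech device="DICOM export drive"
2024-03-04T11:30:00 vpn-gw event=auth_fail user=admin src=198.51.100.23
2024-03-04T11:30:02 vpn-gw event=auth_fail user=admin src=198.51.100.23
2024-03-04T11:30:04 vpn-gw event=auth_fail user=root src=198.51.100.23
2024-03-04T11:30:06 vpn-gw event=auth_fail user=admin src=198.51.100.23
2024-03-04T11:30:08 vpn-gw event=auth_fail user=backup src=198.51.100.23
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Policy knobs (constructed values).
BULK_VIEW_THRESHOLD = 5                 # distinct patients per user per window
BULK_VIEW_WINDOW = timedelta(minutes=5)
AUTH_FAIL_THRESHOLD = 5                 # failures from one source per window
AUTH_FAIL_WINDOW = timedelta(minutes=1)
USB_EXEMPT_HOSTS = {"imaging-01"}       # hosts with a documented need for removable media


def parse(line):
    """Split '<timestamp> <host> k=v k="v v"' into a dict; quotes are stripped."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    fields["host"] = host
    return fields


def bulk_record_access(events):
    """Flag a user who views more than the threshold of distinct patients inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "record_view":
            by_user[e["user"]].append(e)
    alerts = []
    for user, views in by_user.items():
        views.sort(key=lambda e: e["ts"])
        for i, start in enumerate(views):
            window = [v for v in views[i:] if v["ts"] - start["ts"] <= BULK_VIEW_WINDOW]
            patients = {v["patient"] for v in window}
            if len(patients) > BULK_VIEW_THRESHOLD:
                alerts.append({"rule": "bulk_record_access", "user": user, "count": len(patients)})
                break
    return alerts


def unexpected_removable_media(events):
    """Compensating control where USB ports are not blocked: alert on mounts off the exempt list."""
    return [{"rule": "usb_mount_unexpected", "host": e["host"], "user": e["user"]}
            for e in events
            if e.get("event") == "usb_mount" and e["host"] not in USB_EXEMPT_HOSTS]


def auth_failure_burst(events):
    """Flag a source address with threshold-or-more authentication failures inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event") == "auth_fail":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= AUTH_FAIL_WINDOW)
            if n >= AUTH_FAIL_THRESHOLD:
                alerts.append({"rule": "auth_failure_burst", "src": src, "count": n})
                break
    return alerts


def correlate(raw):
    """Parse raw lines and run every rule; returns the combined alert list."""
    events = [parse(l) for l in raw.splitlines() if l.strip()]
    return bulk_record_access(events) + unexpected_removable_media(events) + auth_failure_burst(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample this yields three alerts: a billing user paging through six patient records in under a minute at 2 a.m., a USB mount on a workstation with no documented removable-media need (the imaging host on the exempt list is not flagged), and a burst of VPN authentication failures from one address. Each rule maps to a gap the paper names: access governance, removable media where blocking has not yet been funded, and external breach detection. The thresholds are the tuning the text refers to, and should be set from the organization's own baseline of normal activity.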
How SolarWinds® Can Help
SolarWinds has long been recognized as the value leader for network and systems
management tools and technology. Today, SolarWinds offers a host of security and compliance
solutions with low cost, easy-to-use, and powerful feature sets designed specifically to
help tightly-resourced security and IT departments manage risk and govern compliance.
Our leading SIEM, secure file sharing, firewall management, and network configuration
management solutions have helped hundreds of healthcare organizations get essential
security and compliance management capabilities while maintaining excellent low-cost patient
care.
To find out more about these SolarWinds solutions visit www.solarwinds.com