Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments

Regulatory and Risk Background

When the Health Insurance Portability and Accountability Act (HIPAA) Security Standard was finalized in 2003, it set forth administrative, physical, and technical safeguard requirements for healthcare organizations to protect the confidentiality, integrity, and availability of patient health data. However, enforcement of the standard was weak. No funding was allocated to a policing body, and the HIPAA Security Standard was quickly deemed “toothless,” meaning there was little repercussion for non-compliance. In addition, many key parts of the standard were designated “addressable” rather than required. This meant that healthcare organizations had to perform a risk analysis, determine whether they needed to implement the addressable parts of the standard, and simply document their decision. Given the need to control the cost of healthcare, and a threat landscape far more rudimentary than the one faced today, many addressable safeguards were deemed unnecessary.

Enter the Health Information Technology for Economic and Clinical Health (HITECH) Act. Passed in 2009, the HITECH Act was intended to further the cause of HIPAA by providing incentives to healthcare organizations for adopting meaningful use of electronic health records (EHR) and by strengthening HIPAA privacy and security mandates. In addition to requiring proof of specific security measures before an organization could receive financial incentives from the government for demonstrating meaningful use of EHRs, the HITECH Act gave the formerly “toothless” HIPAA teeth. First, it put into place the first nationwide data breach disclosure law, specifically for health information, which had been omitted from the majority of state data breach disclosure laws. Second, it designated and funded the Office for Civil Rights (OCR) within the Department of Health and Human Services as the policing body for HIPAA privacy and security.
Finally, it gave state attorneys general the right to sue healthcare organizations for HIPAA security and privacy violations. The changes the HITECH Act instituted, and their impacts, have made effective and diligent risk management for the security of health records an important initiative for healthcare organizations, and for most of them a new one.

Since the HITECH Act, fines and sanctions for data breaches, in combination with lawsuits, have been driving healthcare organizations toward implementing stronger security programs. However, while the financial incentives provided by the government for meaningful use help, cost-sensitive healthcare IT departments are still struggling to determine the resources required to implement appropriate risk management. In the past, security has often taken a “block and tackle” approach. While the tenets of defense in depth have been recognized as important, the pressure to manage the cost of care has limited the funding that healthcare has allotted for security technology and for the staff required to manage it. Today, however, the damages of non-compliance can be far more financially devastating. With the majority of fines, sanctions, and corrective actions issued by the OCR culminating in the need to effectively manage risk, it is imperative that healthcare organizations find economical methods of doing so. This paper is intended to provide clarity around this difficult challenge and guidance on cost-effective measures for managing risk to patient health data in light of the evolving threat landscape and the heightened regulatory environment surrounding healthcare data security.

Address “No Brainer” Gaps: Mobile and Removable Media

Many breaches of patient health data could have been easily prevented if healthcare organizations had invested in basic preventative measures for mobile devices and removable media.
The HITECH Act provides safe harbor for encrypted data: if patient health data is lost or stolen but is encrypted using strong encryption and secure key management practices, the incident is not considered a breach. Investing in encryption for laptops and other mobile devices that can easily be lost goes a long way toward effective risk management. If a laptop with patient data is lost, the fine is far greater than the investment in basic encryption.

For removable media, particularly USB devices, whose loss and theft have created data breaches resulting in six- and seven-figure fines, an organization has the choice of whether to encrypt or to block. USB access should only be allowed in healthcare environments where there is a pressing and legitimate reason to use it. Organizations that dig into the issue typically realize that there is no business need and use economical USB blocking technology to disable access to USB ports. To ensure that unstructured health information remains available to those with a “need to know,” while also remaining secure and in compliance with the HIPAA Security Standard, a secure file sharing solution with strong access controls can be inexpensively implemented.

Maintain Secure Network and Firewall Configurations

Additional data breaches in healthcare have occurred due to a lack of governance and maintenance of secure firewall and network configurations. With limited IT staff, it is essential to ensure that network administrators have the tools to clearly understand security gaps, remediate them quickly, and implement security and audit functionality with the ability to view compliance across the network.

Determine Preventative and Detective Controls

Addressing bare-minimum security measures, such as firewalls, IPS, endpoint security, laptop encryption, and removable media security, is standard practice.
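Before turning to the additional controls, here is an added illustration of what the firewall-configuration governance described in the previous section looks like in practice. This is example code written for this page, not from the paper or from any SolarWinds product; the rule fields, the 10.20.0.0/16 PHI server segment, the administrative port list and the sample rule set are all constructed assumptions. It reviews an ordered rule set for two classic gaps: overly permissive allows into the PHI segment or to administrative ports, and rules that are shadowed by an earlier rule and therefore never take effect (a deny that sits beneath a broad allow is the usual way a "secure" configuration silently stops being one).

```python
"""Audit an ordered firewall rule set for permissive and shadowed rules.

Added example, not from the paper or any SolarWinds product. Rule fields,
the PHI segment, the admin port list and the sample rules are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
PHI_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed EHR/PHI server segment
ADMIN_PORTS = {22, 3389, 445}                   # SSH, RDP, SMB: review any exposure


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port

    def src_net(self):
        return ipaddress.ip_network(self.src)

    def dst_net(self):
        return ipaddress.ip_network(self.dst)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src_net().subnet_of(outer.src_net())
            and inner.dst_net().subnet_of(outer.dst_net())
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs in rule order; rules are first-match."""
    findings = []
    for i, rule in enumerate(rules):
        # Shadowing: an earlier rule already decides every packet this one matches,
        # so this rule (allow or deny) never takes effect.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by '{earlier.name}' and never matches"))
                break
        if rule.action != "allow":
            continue
        if rule.src_net() == ANY_NET and rule.dst_net().overlaps(PHI_NET):
            port = "any" if rule.dport is None else rule.dport
            findings.append((rule.name, f"allow from any source into the PHI segment (port {port})"))
        if rule.src_net() == ANY_NET and rule.dport in ADMIN_PORTS:
            findings.append((rule.name, f"administrative port {rule.dport} exposed to any source"))
        if rule.src_net() == ANY_NET and rule.dst_net() == ANY_NET:
            findings.append((rule.name, "any-to-any allow; effectively no firewall"))
    return findings


# Constructed sample rule set in evaluation order.
RULES = [
    Rule("allow-vpn-to-ehr", "allow", "10.50.0.0/24", "10.20.0.0/16", "tcp", 443),
    Rule("allow-rdp-anywhere", "allow", "0.0.0.0/0", "10.20.5.10/32", "tcp", 3389),
    Rule("allow-any-to-phi", "allow", "0.0.0.0/0", "10.20.0.0/16", "any", None),
    Rule("deny-guest-to-phi", "deny", "192.168.100.0/24", "10.20.0.0/16", "any", None),
    Rule("allow-clinic-https", "allow", "10.50.0.0/25", "10.20.0.0/16", "tcp", 443),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

On the constructed set the reviewer reports the RDP exposure, the any-source allow into the PHI segment, the guest-network deny that is shadowed by that broad allow (so guest traffic actually reaches PHI servers), and a redundant clinic rule. In a real rollout the rule set would come from an export of the firewall configuration, and the check would run on every change so the compliance view the section calls for stays current rather than being a one-off audit.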
However, when organizations begin to prioritize budgets, estimates, and efforts to implement additional preventative controls, it quickly becomes apparent that hard choices will have to be made due to a lack of resources. For tightly resourced security departments, implementing a strong monitoring program goes a long way toward effectively managing risk. A monitoring program, typically implemented through security information and event management (SIEM), can help fill gaps in preventative controls and also ensure that permitted access is governed. An effective SIEM implementation can be used to monitor access, detect needed changes in access controls, monitor data security, and identify external breaches. In addition, some SIEM solutions go further, offering remediation capability at the endpoint, network, and access control systems, toward providing an intelligent, active security center that can be easily tuned to identify and correct security issues as they happen. To get the most out of a SIEM implementation, organizations should carefully evaluate where they can block unacceptable activity and where they cannot. Tuning the SIEM to scrutinize activity that carries greater risk because preventative security is lacking can serve as a compensating control while the organization waits for budget for stronger security measures.

How SolarWinds® Can Help

SolarWinds has long been recognized as the value leader for network and systems management tools and technology. Today, SolarWinds offers a host of security and compliance solutions with low-cost, easy-to-use, and powerful feature sets designed specifically to help tightly resourced security and IT departments manage risk and govern compliance.
Our leading SIEM, secure file sharing, firewall management, and network configuration management solutions have helped hundreds of healthcare organizations gain essential security and compliance management capabilities while maintaining excellent, low-cost patient care. To find out more about these SolarWinds solutions, visit www.solarwinds.com.
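As an added example for the “Determine Preventative and Detective Controls” section above, the following shows the kind of compensating-control rule a SIEM runs when a preventative control is missing: it governs permitted access to EHR records rather than blocking it. This is example code written for this page, not from the paper or from any SolarWinds product; the audit line format, the role-to-action policy, the thresholds and the sample events are all constructed assumptions. Two detections are implemented: a role/action mismatch (evidence that the access control list itself needs changing) and bulk record access, where one user touches more distinct patient records in a short window than a normal workflow would.

```python
"""Compensating-control detections over EHR access audit events.

Added example, not from the paper or any SolarWinds product. The log
format, the role policy, the thresholds and SAMPLE_LOG are constructed.
Events are assumed to arrive in time order, as a SIEM pipeline delivers them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed audit line format: ISO timestamp followed by key=value fields.
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Assumed policy: the actions each role may perform on a patient record.
ROLE_ACTIONS = {
    "clinician": {"view_chart", "view_notes", "update_notes"},
    "billing": {"view_chart"},
    "frontdesk": {"view_demographics"},
}

BULK_WINDOW = timedelta(minutes=10)
BULK_DISTINCT_PATIENTS = 5  # alert when a user exceeds this many records in the window


def parse(line: str) -> dict:
    """Turn one audit line into a dict with a datetime under 'ts'."""
    m = LINE.match(line)
    fields = dict(part.split("=", 1) for part in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per rule hit; bulk access is reported once per user."""
    findings = []
    recent = defaultdict(deque)  # user -> (timestamp, patient) within the sliding window
    flagged_bulk = set()
    for line in lines:
        ev = parse(line)
        user, role, action, patient, ts = ev["user"], ev["role"], ev["action"], ev["patient"], ev["ts"]

        # Rule 1: role performed an action its policy does not grant.
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append({"rule": "role_violation", "user": user,
                             "detail": f"{role} performed {action} on {patient}"})

        # Rule 2: many distinct patient records by one user inside BULK_WINDOW.
        window = recent[user]
        window.append((ts, patient))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) > BULK_DISTINCT_PATIENTS and user not in flagged_bulk:
            flagged_bulk.add(user)
            findings.append({"rule": "bulk_access", "user": user,
                             "detail": f"{len(distinct)} distinct records in {BULK_WINDOW}"})
    return findings


# Constructed sample events: normal clinician use, one billing user reading
# clinical notes, and a front-desk account paging through six records late at night.
SAMPLE_LOG = [
    "2024-03-04T09:00:10 user=mchen role=clinician action=view_chart patient=P1001 src=10.50.0.12",
    "2024-03-04T09:01:40 user=mchen role=clinician action=update_notes patient=P1001 src=10.50.0.12",
    "2024-03-04T09:05:00 user=rlee role=billing action=view_notes patient=P2002 src=10.50.0.31",
    "2024-03-04T23:40:00 user=tkim role=frontdesk action=view_demographics patient=P3001 src=10.50.0.40",
    "2024-03-04T23:41:00 user=tkim role=frontdesk action=view_demographics patient=P3002 src=10.50.0.40",
    "2024-03-04T23:42:00 user=tkim role=frontdesk action=view_demographics patient=P3003 src=10.50.0.40",
    "2024-03-04T23:43:00 user=tkim role=frontdesk action=view_demographics patient=P3004 src=10.50.0.40",
    "2024-03-04T23:44:00 user=tkim role=frontdesk action=view_demographics patient=P3005 src=10.50.0.40",
    "2024-03-04T23:45:00 user=tkim role=frontdesk action=view_demographics patient=P3006 src=10.50.0.40",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

The role-violation hit is the “detect needed changes in access controls” case from the section: the fix is a policy change, not an alert queue. The bulk-access hit is the compensating control: where budget for data loss prevention or stricter application-level limits is not yet available, the threshold and window are the knobs an analyst tunes to the organization's real workflows, and the alert is what gets escalated while the preventative control is still on the wish list.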
© Copyright 2024