Healthcare faces a growing breadth and depth of security threats (both intentional and accidental). These 12 steps will help IT leaders prepare for, respond to and perhaps even stay ahead of the latest dangers.

Everyone knows healthcare IT security is difficult. Not everyone knows how to make it easier. The recent Privacy & Security Forum, hosted by HIMSS Media and Healthcare IT News, aimed to change that by offering practical steps that healthcare organizations can take to avoid the negligent risks that lead to hacks, breaches, negative publicity and fines.

These 12 tips will help HIPAA-covered entities and business associates – be they payers, providers, vendors or subcontractors – react and respond to an evolving threat landscape. Meanwhile, the event’s session on how Boston Children’s Hospital hit back at Anonymous offered organizations a firsthand account of responding to all-too-common attacks and provided some suggestions for trying to get ahead of hackers.

Get Your House in Order

HIPAA compliance audits are coming, though the Department of Health and Human Services’ Office for Civil Rights hasn’t said when or how many. Linda Sanches, OCR’s senior advisor for health information privacy, did say the agency will do about 200 “desk audits” as well as “a large number of on-site audits,” adding that HIPAA business associates will be audited in addition to HIPAA covered entities.

With timelines in doubt, Sanches says, “This is a good time to get your house in order.” Conduct a risk assessment (more on that later), get to know your business associates, encrypt devices and stay abreast of threats. “You can certainly make [an audit] easier if you’re actually in compliance.”

To Be the Best, Hire the Best

Healthcare CISOs are hard to come by, in part because of the industry’s longstanding security struggles. The omnipresent internal vs. external talent debate hinges on whether organizations desire business or security acumen, respectively.

To look within, John Pritchard, IS director at St. Charles Health System, encourages finding “gems on your team.” Those who show interest in information security get a copy of The Cuckoo’s Egg; if they like it, Pritchard continues the conversation. (Appropriate leadership training can follow.)

To look externally, eschew the beaten path. Consider veterans (recommends Heather Roszkowski, CISO of Fletcher Allen Health Care) or college students studying cybersecurity (says Ken Patterson, CISO of Harvard Pilgrim Health Care), as industry experience hasn’t hardened either.

Conduct a Security Risk Analysis

Meaningful use stage 1, in conjunction with the HIPAA Security Rule, requires this. Stage 2 adds encryption and data confidentiality – but don’t forget data integrity and availability, says Adam Kehler with Quality Insights of Pennsylvania.

Beyond simple compliance (more on that later), consider a security risk audit. Beth Israel Deaconess Medical Center did this following 2013’s Boston Marathon bombings. CIO Dr. John Halamka says this offered lessons in identity management, event logging and monitoring, governance, user awareness training and cloud security (namely, getting providers to sign business associate agreements). Looking at workstreams is key, Halamka says. This includes data ownership, asset management, endpoint security and “enterprise resilience,” or the strength of business continuity and disaster recovery plans.

To Manage Risk, Take Risks

On new technology, that is. Jim Routh, CISO of Aetna, takes a portfolio management approach, investing in emerging tech before it’s mature (and, therefore, expensive). His new network intrusion detection tool, for example, cost 4 percent as much as his original tech, leaving more than enough to invest in micro-virtualization and whitelisting tools. Another “risky” investment helps the insurer sniff out rogue apps pretending to be Aetna apps.

When evaluating the firms behind emerging products, focus more on tech talent and less on financial results, Routh says. Another perk of new security technology: It covers the so-called SMAC stack – social, mobile, analytics and cloud – better than conventional controls.

Compliance Is Only the Beginning

Compliance doesn’t foment change, says CynergisTek CEO Mac McMillan. Fines and public embarrassment do. HIPAA, PCI and NIST all articulate security standards, but even collectively they don’t address all aspects of robust risk management. Sean P. Murphy, vice president of Leidos Health, offers an example: You may encrypt data and think you’re done, as you’re now compliant, but the bigger question is whether you need that data in the first place. Fletcher Allen’s Roszkowski puts it succinctly: “I’m not going to wait until somebody tells me to do something if I think it’s the right thing to do.”

Don’t Rush Into BYOD

For healthcare, BYOD presents several operational challenges, from cameras to prohibited devices to application layer access. As in other industries, users as opposed to IT departments drive this movement, seeing a potential to improve productivity. Michael Boyd, CISO at Providence Health & Services, sets this baseline: If the device or the data on it can’t be encrypted, then it can’t connect to the network.

Don’t chase devices, McMillan says. You’ll catch the ones you know but miss the ones you don’t know. Instead, control data: “If data’s never on the perimeter, you don’t have to worry about the perimeter.” When in doubt, examine the risk profile: What safeguards do you need, and where must you draw the line?

Take Vendor Selection Seriously

Get IT and clinical representation on your buying team; both departments have different needs and considerations. Ask employees if they like the process of buying a car, says Steven Fox, principal at Post & Schell; if not, don’t put them on the team. IT executives should offer advice but not make the final decision, he adds. That way, the team can go back to them, privately, during negotiation.

Before signing a contract, hammer out software licensing (on-site vs. SaaS), acceptance testing, warranties, confidentiality, limitations of liability and dispute resolution. Don’t let vendors use de-identified patient data for any purpose unless they truly understand HIPAA compliance, recommends Daniel Schroeder, partner-in-charge of information assurance services at Habif, Arogeti & Wynne.

Beware the Enemy Within

FBI Special Agent Carmine Nigro lists pending layoffs, job dissatisfaction and the resale value of medical data among an insider’s motivations to improperly access sensitive information. (Panelists cite employees, medical students, business associates and contractors – remember the Target breach? – as insiders.) The “see something, say something” policing mantra works well here. Look for anyone encrypting emails sent to private accounts or trying to access remote networks after termination or contract expiration. Laptop encryption is a must, says Anahi Santiago, CISO at Einstein Healthcare Network, as it prevents accidental as well as intentional data theft.
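One way to act on the “access remote networks after termination or contract expiration” advice above, as an added example that is not from the forum or any organization quoted here: join an HR roster of account end dates against remote-access log lines and flag every attempt made after an account’s last authorized day. The roster layout, the log format and every name, date and address are constructed assumptions.

```python
from datetime import datetime

# Constructed HR roster: account -> last authorized day (termination or contract
# end); None means still active. All names, dates and log lines are made up.
ROSTER_END_DATES = {
    "jdoe": "2014-09-30",         # employee, terminated
    "contractor7": "2014-10-15",  # business-associate contractor, contract expired
    "asmith": None,               # active employee
}
# Constructed remote-access (VPN) log: "timestamp user result source" per line.
SAMPLE_LOG = """\
2014-09-29T08:12:04 jdoe SUCCESS 203.0.113.5
2014-10-02T23:41:17 jdoe FAILURE 203.0.113.9
2014-10-03T00:02:51 jdoe SUCCESS 203.0.113.9
2014-10-20T11:05:00 contractor7 FAILURE 198.51.100.7
2014-10-20T11:06:12 asmith SUCCESS 198.51.100.8
"""

def parse_line(line):
    """Split one log line into a dict; timestamps are ISO 8601 without a zone."""
    ts, user, result, src = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "result": result, "src": src}

def find_post_termination_access(log_text, roster):
    """Return every event by an account whose end date has passed. Failed
    attempts are kept: a departed user probing the VPN is itself the signal."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        end = roster.get(ev["user"])
        if end is None:
            continue  # active account (or not on the roster at all)
        last_ok = datetime.strptime(end, "%Y-%m-%d").date()
        if ev["ts"].date() > last_ok:  # authorized through the end day itself
            alerts.append(ev)
    return alerts

def summarize(alerts):
    """Roll alerts up per account: attempt count, any success, source addresses."""
    summary = {}
    for ev in alerts:
        s = summary.setdefault(ev["user"],
                               {"attempts": 0, "succeeded": False, "sources": set()})
        s["attempts"] += 1
        s["succeeded"] = s["succeeded"] or ev["result"] == "SUCCESS"
        s["sources"].add(ev["src"])
    return summary
```

Accounts missing from the roster are skipped here; in production a login by an account HR has never heard of deserves its own alert, and the roster feed must be pulled at least daily or the check is only as current as the last export.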
To deter snooping into records, Santiago recommends the “public flogging” of anyone who’s caught, adding, “Everyone knows we’re looking.”

Beware Latent Risk

“Hidden pitfalls” pervade healthcare organizations, says Fernando Martinez, senior vice president and CIO of Parkland Health & Hospital System. Nearly everything poses a latent risk, he suggests:

- Cloud storage (access rights)
- Distributed data (all too easily shared)
- Identity management (easily cracked passwords)
- Social engineering (human nature)
- BYOD (including flash drives)
- Medical devices (potential exploit vectors, especially at your business associates)
- Data breach fatigue (unavoidability begets complacency)

To combat latent risks, Martinez recommends cyber insurance, data abstraction layers, anomalous activity detection, event logging and hands-on education efforts such as simulated phishing attacks. These steps won’t fix healthcare IT security outright, but they will bring these problems out of the darkness and into the light.

Take Social Media Seriously

Hospitals use social media to connect with patients; hospital employees use social media to, well, socialize. Drafting healthcare social media policies, then, must be an explicit and inclusive process, says David Harlow, principal at The Harlow Group. He suggests the following:

- Limit the number of “official” spokespeople allowed to access branded accounts.
- Since triangulation can uncover anonymization, obtain permissions from anyone appearing in photos or posts.
- Set up “break room” computers (on a separate network) so employees can safely access personal social media accounts.
- Avoid strict restrictions on employees’ personal posts; the NLRB protects certain types of speech.
- Don’t assume people can connect dots. When in doubt, spell it out.
- Above all, include social media in your overall risk analysis.

Beware the Imminent Threat

Headlines can drive security initiatives (think Community Health Systems), but “what you read in the papers is just the tip of the iceberg,” says Phil Alexander, CISO at University Medical Center. Put another way, organizations must look ahead instead of fighting the war they just fought, says Fletcher Allen’s Roszkowski, who spent 11 years in the Army.

What’s more, many threats go undiscovered for months or even years. That’s because cybercriminals have grown “incredibly sophisticated,” says Esmond Kane, deputy CISO for Partners Healthcare, both in how they access information (“drive-by attacks”) and what they do with it (black market sales). If there’s any consolation, CynergisTek’s McMillan says, it’s that today’s criminals target everyone. It’s nothing personal.

Do What You Can

Security-wise, healthcare aims to do in five years what financial services did in 25 years, says Nathan Russ, director for the East Region of Symantec’s U.S. Healthcare Industry. With targeted attacks hitting healthcare hard, now’s a “critical time” to improve security. Russ offers practical recommendations:

- Asset inventory
- Patch management
- Virtual server security
- Endpoint security
- Compensating controls such as firewalls and sandboxes
- Managed security services
- Cloud use for high-volume functions
- Exact data matching for patient records
- Multifactor authentication for patient portal users
- Compliance exercises as a barometer for security budgeting

Bottom line? “Assume that every network is under attack all the time.”