Your average healthcare IT organization tends to be ruled by two primary concerns: HIPAA compliance and preventing breaches. Both are smart priorities, but many teams assume that achieving the first will prevent the second – and that can be a disastrous mistake.
Why is this assumption so dangerous? Because as important as compliance is, simply claiming HIPAA compliance is not an adequate defense against today’s sophisticated criminals. The reality is that teams should always work to reduce their risk by prioritizing security first – and along the way, they’ll often complete most of their compliance work.
Unfortunately, too many healthcare IT organizations make excuses for their failure to build a strong risk reduction program. The two complaints I hear most often? Security is “too expensive” and “too difficult.” Consequently, many teams keep hunting for a solution that will offer an easy and inexpensive security program that fulfills HIPAA requirements.
Well, here’s the truth you might not want to hear: that solution does not exist. To win the healthcare IT security battle, you must accept two undeniable realities.
1. There’s no easy button.
While your team can look to guidelines like HIPAA's Security Rule and NIST's Cybersecurity Framework for assistance, it ultimately falls on your shoulders to take the right actions. That means taking on several responsibilities:
· Identifying the data you need to protect, and where it lives
· Conducting the required risk assessments with a clear view of how PHI is collected, stored, transmitted and shared, and of the risks each of those steps creates
· Selecting appropriate controls to mitigate the risks you identify
· Training your employees on proper security and compliance procedures
But just knowing best practices isn’t enough. You must be engaged on a daily basis with the controls that an effective program requires.
You'll notice I said daily. Continuous monitoring of your network for suspicious behavior can catch an intrusion before it becomes a major breach, and regular vulnerability scans find the exposures an attacker would use to get in. IDS/IPS (intrusion detection/prevention systems) monitor network and system activity, identify and log malicious behavior and trigger alerts; an IPS, because it sits inline, can also block the traffic it flags. They also inspect traffic that is permitted into the network and verify that it is behaving as expected. None of this works unattended: signatures need tuning, and someone has to review the alerts every day.
Fed into a SIEM that aggregates and correlates logs from the IDS, firewalls, servers and authentication systems, those alerts become an effective early warning system against attacks in progress. Several high-profile healthcare breaches involved data being siphoned out over the network, and that pattern could have been caught and contained early with exactly these controls.
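As an added example (not part of the original article or any vendor's product), here is a small Python sketch of the kind of correlation rule a SIEM runs to catch data siphoning. It replays constructed firewall egress records and authentication events, sums outbound bytes per internal host and external destination over a sliding ten-minute window, raises an alert when the total crosses a threshold, and enriches the alert with whether the transfer happened outside business hours and who last logged on to the sending host. The log layout, the 50 MiB threshold, the window length, the business-hours range and every address and user name are assumptions made for illustration.

```python
"""Toy SIEM correlation rule: flag bulk outbound transfers (data siphoning) and
enrich each alert with the most recent logon on the sending host.

All log formats, addresses, thresholds and hours below are assumptions made for
this example; they are not from the article or any real product."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)            # assumed clinic hours, 07:00-18:59 UTC
WINDOW = timedelta(minutes=10)           # sliding window per (src, dst) pair
BYTES_THRESHOLD = 50 * 1024 * 1024       # assumed: 50 MiB out to one host per window

# Constructed sample records (not real data). Firewall egress entries and
# authentication events share a "timestamp source key=value ..." layout.
FW_LOG = """\
2024-03-01T09:02:11Z fw01 src=10.20.4.17 dst=198.51.100.9 dport=443 bytes_out=120000
2024-03-01T09:02:40Z fw01 src=10.20.4.17 dst=10.20.9.5 dport=445 bytes_out=90000000
2024-03-01T02:13:05Z fw01 src=10.20.4.22 dst=203.0.113.50 dport=443 bytes_out=30000000
2024-03-01T02:16:48Z fw01 src=10.20.4.22 dst=203.0.113.50 dport=443 bytes_out=28000000
2024-03-01T02:19:30Z fw01 src=10.20.4.22 dst=203.0.113.50 dport=443 bytes_out=2000000
2024-03-01T14:30:00Z fw01 src=10.20.4.31 dst=198.51.100.77 dport=443 bytes_out=60000000
"""
AUTH_LOG = """\
2024-03-01T01:58:12Z auth user=svc-backup host=10.20.4.22 result=success
2024-03-01T08:55:03Z auth user=jsmith host=10.20.4.17 result=success
2024-03-01T14:25:10Z auth user=rlee host=10.20.4.31 result=success
"""


def parse(line):
    """Turn one 'timestamp source k=v k=v' record into a dict with a UTC datetime."""
    ts, source, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
           "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def last_logon_before(auth_events, host, ts):
    """User of the most recent successful logon on `host` at or before `ts`, if any."""
    candidates = [e for e in auth_events
                  if e["host"] == host and e["result"] == "success" and e["ts"] <= ts]
    return max(candidates, key=lambda e: e["ts"])["user"] if candidates else None


def detect_exfil(fw_text, auth_text, threshold=BYTES_THRESHOLD, window=WINDOW):
    """Return one alert per (src, dst) pair whose outbound bytes to an external
    host cross `threshold` within `window`, enriched with hour-of-day and user."""
    events = sorted((parse(line) for line in fw_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    auth_events = [parse(line) for line in auth_text.splitlines() if line.strip()]
    recent = defaultdict(list)       # (src, dst) -> [(ts, bytes_out), ...] within window
    fired = set()
    alerts = []
    for e in events:
        if is_internal(e["dst"]):
            continue                 # internal-to-internal copies belong to another rule
        key = (e["src"], e["dst"])
        buf = recent[key]
        buf.append((e["ts"], int(e["bytes_out"])))
        while buf and e["ts"] - buf[0][0] > window:
            buf.pop(0)               # drop records that fell out of the window
        total = sum(b for _, b in buf)
        if total >= threshold and key not in fired:
            fired.add(key)           # one alert per pair, not one per extra record
            alerts.append({
                "src": e["src"], "dst": e["dst"], "bytes_out": total,
                "first_seen": buf[0][0].isoformat(), "last_seen": e["ts"].isoformat(),
                "off_hours": e["ts"].hour not in BUSINESS_HOURS,
                "user": last_logon_before(auth_events, e["src"], e["ts"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(FW_LOG, AUTH_LOG):
        print(alert)
```

Run against the constructed logs, the rule produces two alerts: a 58 MB night-time transfer from 10.20.4.22 to 203.0.113.50 attributed to the svc-backup account, and a 60 MB daytime transfer from 10.20.4.31 attributed to rlee; the large internal SMB copy from 10.20.4.17 is skipped because the destination is inside the network. In production the threshold would be a per-host baseline rather than a fixed number and the internal copy would feed a separate rule, but the shape is the same: aggregate across sources, correlate on host and time, and surface something a human can act on the same day.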
Perimeter security plays an important role in ensuring the security of your information. DoS/DDoS mitigation helps ensure the availability of PHI. IP reputation management blocks known bad IPs at the edge of the network before their connection requests reach your servers and applications; reputation lists are reactive, though, so treat them as a first filter rather than a guarantee.
Web application firewalls are also valuable: they protect websites and applications against SQL injection, cross-site scripting (XSS), URL parameter tampering, session hijacking and other application-layer attacks. Treat a WAF as a compensating control that buys you time, not as a substitute for fixing the vulnerable code behind it.
These controls matter in healthcare IT for a reason beyond confidentiality: they let legitimate transactions through while keeping attacks from degrading performance, and so protect the speed, uptime and data availability that can directly affect patient outcomes.
In the end, there’s simply not an easy button for healthcare IT security. All of these controls require effort, diligence and skill. But they do safeguard data – and doing this security work will cover much of the compliance work you would have to do anyhow. By focusing on security first, you build a shield of protection that safeguards data and satisfies the core of HIPAA compliance.
2. There’s an entry price for healthcare IT.
During the course of a typical security discussion, people complain that they can’t afford another server or that encryption is too expensive. If that sounds familiar, here’s the straight talk: you can’t afford not to invest in these things.
Consider the alternatives, after all. Just one breach can mean any or all of:
· Massive costs of complying with Breach Notification laws
· Investigation costs
· HIPAA fines
· Brand damage
A severe attack can put you out of business. Measured against that list, security is by far the more affordable path. Every organization needs to realize, up front, that there's a minimum cost to participate in healthcare IT.
The franchise plan
Consider it akin to buying a franchise. You can't simply open your own outlet of a fast food chain: you pay the franchise fee and then build the restaurant according to the chain's blueprints and guidelines. Headquarters will also vet your balance sheet and assets to make sure you can afford to build it properly, so that your outlet doesn't reflect badly on the brand.
A healthcare organization is no different. Hospitals, clinics, insurers and other entities may function as separate businesses, but all of them are bound by the same regulatory requirements. Organizations that claim they "can't afford" real security will eventually pay a much higher price in the form of a breach. There is no escaping the entry price of healthcare IT.
Finally, remember that the heart of compliance and security is protecting other people’s privacy. Treat PHI as if it were your medical records at stake and build the risk management program your data deserves. Your organization will be that much closer to HIPAA compliance – and you’ll also enjoy a stronger, higher-performing environment.