Mac McMillan, CEO, CynergisTek, and Chair, HIMSS Privacy & Security Policy Task Force
Here are some red-alert warning signs.
• If you still have mobile devices or media that is unencrypted.
• If you are still reactively auditing and monitoring user activity.
• If you don’t have a current risk analysis that includes third-party risks.
• If you can’t actively account for where your ePHI is located and where it is being sent.
• If you still have not established an information security position and budgeted for security.
Rich Temple, National Practice Director, Beacon Partners
Here are some additional red-alert warning signs.
• Lack of defined governance on defining and responding to a breach.
• Lack of a proactive approach to ferreting out potential inappropriate accesses to data. Many organizations wait until someone reports something suspicious, as opposed to using tools that can seek out unusual patterns of data access.
• Lack of an engaged chief security officer and chief privacy officer.
Steve Matheson, North American Vice President of Sales, BridgeHead Software
Here are some red-flag signals present in nearly every healthcare system:
• Hospital IT infrastructure includes a mix of personal and professional devices that allow businesses and clinical people to view hospital data.
• Multiple third parties must have access to information from your IT systems – billing companies, collections agencies, pharmacies and even software and IT vendors.
• Environments in the hospital or healthcare system have a mix of records in both electronic and non-electronic formats.
Sam Curry, Chief Technology Officer, Identity and Data Protection, RSA, The Security Division, EMC Corp.
While it is critical for the healthcare industry to adopt new technologies, security must remain a top priority. Today, healthcare organizations face extreme penalties for non-compliance with regulations like the HIPAA Omnibus Rule. Yet, compliance should be a byproduct of a good security strategy, not the guidance for it. I fear that many organizations are still using these regulations to direct their security strategy, which will ensure they fall short as new technologies continue to become mainstream. Sometimes to be forward thinking, we must go back to the basics.
Authentication, access controls and data protection are three fundamental pillars of any security strategy and need to be addressed before any organization can start to engage in newer technology trends. Consider the details:
Multi-factor authentication: One of the most foundational security principles is multi-factor authentication. It always surprises me that authentication continues to be one of the lowest priorities for technology investments by healthcare organizations. Multi-factor authentication has to be two-fold (internal and external), and it has to be thought of as a long-term framework due to the growing number of Web portals for patients. It’s not just about building something and standing up a wall, but rather authentication should be risk based, intelligence driven and able to learn new patterns of user behavior so that it can adapt to changing risk levels.Role-based access controls:
Role-based access controls are one of the other inarguable security principles that may fall as a low priority for healthcare organizations. As more people are connecting from more types of devices and with more applications than ever before, these controls need to be a top priority. Role-based access controls are often (understandably) more difficult to deploy than multi-factor authentication. Once these are applied properly, you can start to build normative patterns for how people access information and from where – laying the foundation to apply intelligence-driven principles that monitor how roles shift over time and adjust policies accordingly.
Data protection: Another major challenge facing healthcare organizations is data protection. The reaction by some healthcare organizations to prevent data loss is to encrypt everything – from the endpoint to the application level. This is simply not a feasible strategy. Newer technologies like tokenization can help. Tokenization works by taking sensitive, fixed-format data (i.e., account numbers, birth dates or Social Security numbers) and replacing it with a string of random characters. Similar to a brokering system, the tokenized value is used as the placeholder. When the real information is needed, the broker retrieves it, which eliminates the need for keys all together.