Your average healthcare IT organization tends to be ruled by two primary concerns: HIPAA compliance and preventing breaches. Both are smart priorities, but many teams assume that achieving the first will prevent the second – and that can be a disastrous mistake.
Why is this assumption so dangerous? Because as important as compliance is, simply claiming HIPAA compliance is not an adequate defense against today’s sophisticated criminals. The reality is that teams should always work to reduce their risk by prioritizing security first – and along the way, they’ll often complete most of their compliance work.
Unfortunately, too many healthcare IT organizations make excuses for their failure to build a strong risk reduction program. The two complaints I hear most often? Security is “too expensive” and “too difficult.” Consequently, many teams keep hunting for a solution that will offer an easy and inexpensive security program that fulfills HIPAA requirements.
Well, here’s the truth you might not want to hear: that solution does not exist. To win the healthcare IT security battle, you must accept two undeniable realities.
1. There’s no easy button.
While your team can look to guidelines like HIPAA’s Security Rule and NIST’s new Cyber Security Framework for assistance, it will ultimately fall on your shoulders to take the right actions. This means understanding several new responsibilities:
· Identifying the data that you need to protect
· Being conscious of the risks associated with how you handle PHI as you conduct required risk assessments
· Selecting appropriate controls to mitigate identified risks
· Training your employees on proper security and compliance procedures.
But just knowing best practices isn’t enough. You must be engaged on a daily basis with the controls that an effective program requires.
Daily control
You’ll notice I said daily. Monitoring your network for suspicious behavior and regular vulnerability scans can catch a breach before it turns into a major disaster. IDS/IPS (intrusion detection/prevention systems) will monitor network and system activities to identify and log malicious activity, trigger alerts and block and report intrusions. They also evaluate traffic that is permitted into the network and verify that it’s behaving appropriately.
Working in concert with log aggregation and correlation via a SIEM solution provides an effective early warning system against potential attacks. Several high-profile healthcare breaches involving data siphoning could have been caught and controlled early on with these controls.
