Protecting all forms of digital health information, including personal health information (PHI), wherever it is contained across an enterprise, is one of the fundamental objectives of every healthcare organization. As mandated by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) privacy and security rules, appropriate physical and logical safeguards must be in place to effectively enforce controls on PHI at rest, in transit or in use.
Healthcare security leaders face an immense amount of complexity in their IT infrastructures. These systems have matured over time and been integrated with countless vendor software products and hardware devices, resulting in a mashup of technologies and the system vulnerabilities that come with it. In many organizations, this has created silos, particularly around the electronic medical record systems implemented to meet Meaningful Use Stage 1 requirements.
By commissioning a comprehensive, third-party IT security assessment, leaders can assure their stakeholders that PHI is protected. A comprehensive external assessment accepts the structure and organization in place and does not seek to alter an organization, but instead looks for enhancements to better protect the valuable electronic assets a healthcare organization produces and utilizes: patient health data.
Being compliant with HIPAA checklists is not sufficient to ensure sound cybersecurity. HIPAA is largely non-prescriptive, so organizations must implement sound practices of their own to protect all sensitive information. Compliance and security are two complementary components that reflect different stages of an enterprise security posture.
The lack of a data breach does not mean sufficient security protections are in place. Chief information security officers know that they cannot correlate the scanning of their systems with the vast amounts of system log data generated into a single dashboard of security intelligence. The impact of these challenges is clear: the attack surface is growing, the value of patient electronic records is increasing and the gaps in security intelligence—preventing misuse of data before an actual breach occurs—are growing larger.
Smaller organizations should not assume they are safe or that they will not become a target because of their size. The theft and sale of PHI for medical identity theft and financial fraud are not limited by the size of the victim. In fact, easier unauthorized access may make smaller institutions more susceptible to intrusion and exploitation.
Conducting a comprehensive IT security assessment provides insight into how to address existing vulnerabilities. Performing a high-quality inventory audit, which seeks to uncover every connected device on the network, is the crucial first step to securing PHI. While this will certainly uncover inadequacies in the current infrastructure and procedures, IT security assessments are intended to drive process changes and should not be used as a means of punishing current IT personnel. Instead, assessments should be thought of as an opportunity to improve the overall security posture of an organization before a breach occurs.