As we covered in part one, there’s tremendous investment underway in healthcare IT and the industry is innovating every step along the way of patient care and records management, or it soon will be. And the result is that as hospitals grow more efficient and deliver care more effectively, it will help better contain healthcare cost increases. But it must be done securely.
Consider the report from MarketResearch.com, Big Data in Internet of Things (IoT): Key Trends, Opportunities and Market Forecasts 2015–2020, which forecasts that healthcare will be the highest-growth segment. The report projects that IoT spending dedicated to healthcare will reach $117 billion by 2020, up from $32.47 billion in 2015. It’s not difficult to see how it gets there when you consider how IoT can improve data-driven decision making about changes in a patient’s health, the effectiveness of medications, and even the effectiveness of the medical delivery supply chain.
The list of technologies promising to transform healthcare is long, from 3D printing to artificial intelligence and machine learning to virtual and augmented reality.
Wearable technologies will also change the security demands on healthcare providers. More patients, and more data sent from patients to their physicians about their health status, will create tremendous opportunities for real-time health monitoring, diagnosis, and spotting illness trends early. But all of these connections and data feeds will also create additional data flowing into systems, data that must be stored, analyzed, and maintained securely.
What measures can healthcare organizations take to ensure that their systems are adequately secured, so that they can embrace EHRs and other healthcare IT innovations with as few breaches as possible? The answer to this question is simple, but it is certainly not easy.
The first thing any organization must do to understand what is needed to improve its security posture is to gain an objective grasp of where its security capabilities and defenses stand today. From there, the gaps between where the organization currently is and where it needs to be should be closed.
With that in mind, for healthcare organizations to become as secure as they must be, here’s what they need to do:
Conduct an assessment of current environment and security posture
It’s important to assess the entire healthcare IT environment. Identify all critical and regulated data as well as the systems that manage, touch, or store those critical and regulated data (such as Protected Health Information (PHI)). Part of this process includes conducting an in-depth network assessment to identify all of the network connections, network segments, servers, cloud services, remote locations, and endpoint devices that capture, manage, store, or transmit ePHI. From there, it’s time to take an objective assessment of how well security and regulatory controls in place are protecting those data.
This process needs to be an honest and objective evaluation of where the organization stands now. The organization should not try to project the most flattering view possible of the security and risk management program, but to make a clear assessment of where controls are effectively in place and where they need to be improved. This is the only way to create an accurate plan that will reduce the overall risk to the organization.
Build continuous monitoring capabilities
In a world of continuously changing environments and multiple delivery pipelines, it’s important to maintain continuous security through proactive monitoring. For instance, Covered Entities and Business Associates are required to implement appropriate identity and access management capabilities. Under this requirement, only authorized people may access PHI, and that access must be properly monitored and logged so that it can be audited.
But to adequately protect systems, healthcare providers must monitor more than what regulations require, and they must monitor application access and network traffic much more closely than most do today. That includes all network perimeters, internal network infrastructure, web apps, connections with covered entities, and connections with other third parties. In short, healthcare organizations need to be able to monitor so that when something goes awry there can be a quick response, which brings us to the next segment.
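To make the "only authorized people, monitored and logged" requirement concrete, here is an added example (not code from the original article) that reviews a PHI access audit log and flags two things a reviewer would want surfaced: access by a role outside an authorized set, and one user touching an unusual number of distinct patient records in a short window. The log format, role names, thresholds, and sample lines are all constructed for illustration.

```python
"""PHI access audit review (added example; log format and policy are assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles permitted to read PHI under the assumed access policy
AUTHORIZED_ROLES = {"physician", "nurse", "billing"}
# More distinct patients than this inside WINDOW is flagged for human review
BULK_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Constructed sample audit lines: timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2016-03-01T09:00:00|dr.lee|physician|P-1001|view
2016-03-01T09:02:10|jdoe|facilities|P-1001|view
2016-03-01T09:05:00|nurse.kim|nurse|P-1002|view
2016-03-01T09:05:30|nurse.kim|nurse|P-1003|view
2016-03-01T09:06:00|nurse.kim|nurse|P-1004|view
2016-03-01T09:06:30|nurse.kim|nurse|P-1005|view
2016-03-01T13:00:00|dr.lee|physician|P-1006|update
"""

def parse_log(text):
    """Turn pipe-delimited audit lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records

def audit(records):
    """Return (finding_type, user, detail) tuples for access worth reviewing."""
    findings = []
    # 1. Role check: any PHI access by a role outside the authorized set
    for r in records:
        if r["role"] not in AUTHORIZED_ROLES:
            findings.append(("unauthorized_role", r["user"], r["patient"]))
    # 2. Volume check: many distinct patients by one user inside a sliding window
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        for i, start in enumerate(recs):
            patients = {x["patient"] for x in recs[i:] if x["ts"] - start["ts"] <= WINDOW}
            if len(patients) > BULK_THRESHOLD:
                findings.append(("bulk_access", user, len(patients)))
                break  # one finding per user is enough to trigger review
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the role set would come from the identity provider and the thresholds would be tuned to each unit's normal workload; the point is that the audit log is only useful if something reads it and raises these cases.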
Build adequate response capabilities
It’s not possible to respond adequately to any type of breach without a tested and proven incident response plan. Many healthcare organizations we ask claim to have a breach response plan in place, but in reality these plans are often neither adequate nor effective.
Without an up-to-date plan, there’s no way an organization can respond effectively, and the result of a breach will be higher costs from more damaging successful attacks, longer response times, and more difficult forensic investigations. These conditions also erode the confidence of partners, suppliers, regulators, and customers. These constituents need to know that healthcare organizations are doing everything they can to secure their operations and protect PHI, that steps are in place to detect and mitigate a breach when one does occur, and how customers will be helped when it does.
Constantly reevaluate security posture
Finally, when new technologies are being deployed, such as new mobile apps, remote sensors, connections to new offices, and new customer web portals, it’s critical that those applications and initiatives be threat modeled and evaluated for risk. How will these initiatives affect the organization’s risk posture, and what is the potential for data exposure? Which attackers might try to breach them, and what would they be after? How are the risks mitigated? Is the application secure and free of software defects? How is access monitored and data integrity ensured? What security safeguards are needed to make certain that everything is in place?
Also, when starting all of this, it’s crucial to take an honest view of the current security posture. Prioritize and complete what can be attended to quickly, and plan how to remedy the more challenging gaps over time.
Address the skills gap
The information security skills gap is making it challenging for all organizations, including healthcare, to find and hire the people with the information security skillsets they need to secure their apps, data, and deployed clinical devices. According to the Financial Times article "Cyber security sector struggles to fill skills gap", about 103,000 professionals globally hold the CISSP certification, about 68,000 of them in the U.S., yet in the U.S. alone tens of thousands of information security positions remain open at any given time.
Ways healthcare organizations can help get the skills they need include providing security training to in-house technology workers who are interested in that career, working with local colleges, and training admins, developers, and others on areas where they can have direct impact on security, such as configuration management for admins and secure development practices for developers.
Healthcare companies can digitally transform themselves, and they can innovate, and they can do both securely if they decide to.