In preparation for the new year, we turned to our experts in information security to offer the best tips to guard against a security breach in 2018 and beyond. Below is a post from RRD’s Mark Matheis, regional privacy manager, U.S., and Rosario Sosa, senior director, IT Governance.
Every year, numerous healthcare organizations find their names added to a list no one wants to join — those who’ve experienced an information-security breach. In 2017, a midyear report from Protenus showed data breaches were outpacing 2016’s numbers, occurring at a rate of more than one a day. While the business sector led in terms of total data breaches (54.7%), according to Cyberscout the healthcare sector followed at nearly 30% of total data breaches in the U.S. in the first half of 2017.
Typically carried out by hackers or those inside the organization, this year’s breaches included high-profile events, such as an error that exposed protected health data for 1.1 million patients in Indiana’s Health Coverage Program as well as a ransomware attack involving data for another 500,000 patients at Michigan-based Airway Oxygen.
If these numbers make your palms sweat, it’s time to ensure your organization is truly on top of cybersecurity. There are resources that can help, including information from the HITRUST Alliance, which was formed in 2007 with the mission of helping health plan organizations defend against security risks.
A comprehensive effort also requires buy-in from your business partners: Your defenses are only as strong as the weakest link in your security chain. With this in mind, start 2018 with a checklist to verify all your partners are hitting the mark when it comes to security.
Below is a list of what to look for in your business partners, how to bolster your healthcare data security efforts, and ways to prevent a breach.
Healthcare Security Data Checklist for 2018
- Information security. The organizations you work with should have strong information security programs, ideally aligned with the ISO/ISE 27001:2013 standard. This standard spells out how an organization can establish, implement, maintain, and improve its information security system. It also includes tools to assess and address organization-specific risks. Be certain this framework takes other regulatory requirements into account, including those spelled out under the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Expanded SOC 2 audits. The SOC 2 audit process gives you some peace of mind that client data is being safeguarded properly. For added assurance, request the SOC 2 report be customized to include HITRUST CSF criteria, which is used to measure and certify an organization’s security management program. This can help confirm organizations are meeting these criteria, which some now refer to as the gold standard for healthcare information security.
- Logical user access control/management. Cut down on the potential for internal security breaches by putting logical access control/management in place for your business partners. Make sure access to systems storing confidential or private information is granted on a privilege basis. Staff members should only have access to the information they need to do their jobs.
- Change management. A formal enterprise change management process keeps problems from slipping through the cracks. Changes should be entered and communicated and back-out plans documented, tracked, tested with appropriate documentation, reviewed, approved, and implemented.
- Patch management. Business partners can protect themselves from security vulnerabilities by establishing a patch management process based around patches and/or system updates, released for each platform the enterprise uses.
- Malicious software controls. Malicious software protection programs guard against hackers, giving businesses guidelines to follow, security against viruses, and assisting with patch management. Servers and workstations should be updated and patched continuously.
- Network protection. Infrastructure and monitoring tools guard partners’ network and assets from harm, including demilitarized zone (DMZ) subnets, firewalls, network segmentation, circuit installations, and an overall structure for multi-tiered security protections.
- Intrusion detection and prevention. Intrusion detection/prevention systems (IDS/IPS) quickly identify and prevent undesired traffic within the network infrastructure.
- Internal and external vulnerability management. Internal scanning tools look for vulnerabilities and should be conducted at least monthly.
- Inventory of assets. Asset management tools help organizations understand the inventory of servers, workstations, and software, allowing them to identify appropriate patch needs and manage software licensing renewal, among other functions.
- System development life cycle (SDLC). A system development life cycle (SDLC) process for developing IT-based projects and maintaining systems should be established within any IT organization. Software developed both in-house and externally (under contract) must meet established SDLC standards, and quality assurance reviews should be conducted at key points in the SDLC and change/release management process.
- Physical/environmental security. Establish minimum requirements for all property and equipment, including physical access, electrical power, environmental controls, structural guidelines, fire protection, cabling infrastructure and security monitoring. These should be considered in addition to physical controls.
- External auditor review. A sound review evaluates continuity procedure for plan design and features.
- PIRP/SIRP program. Ask business partners if they have a formalized global security and privacy incident response team where each type of internal incident is managed and reported consistently throughout the organization. Formal documentation regarding “lessons learned” should also be published to heighten security awareness.
- Third-party management program. Partners with a mature vendor-management program provide you with assurance that information security is covered from initial engagement and throughout the relationship.
Ultimately, taking the time go through this list and understand what policies, procedures, and protections your business partners have in place can help you shield your organization from damaging and costly healthcare information security breaches.
Mark Matheis is regional privacy manager, U.S. at RRD, and Rosario Sosa is senior director, IT Governance at RRD.