- One word can describe the current security landscape: chaos. We’re way beyond the days of traditional firewall and network security solutions. Today, healthcare organizations have to worry about security when it comes to cloud, data, end-point, network, application, IoT, and more. And yet, the healthcare data breaches keep coming.
Consider this: the US Department of Health and Human Services manages a list of breaches of unsecured protected health information (PHI) affecting 500 or more individuals. The list contains all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights (OCR).
Just to give you a snippet of what the report shows, over the course of the past six months alone, 2,682,462 individuals were affected. Causes of breaches range from paper and films being leaked out to email security breaches. Other breaches were the result of poor network security, lost portable electronic devices, or a breach that happened through a desktop computer.
With all of this in mind, I’m here to deliver some bad news. The amount of breaches being experienced by healthcare isn’t going to slow down. Hacking has absolutely become an industry where the economics very much pay off. However, that doesn’t mean that we in the healthcare world can’t be a lot more resilient.
With that in mind, I’ve been involved in several projects where security was at the forefront of the initiative. And these projects have all been aimed at further enabling healthcare security capabilities while still improving user experience.
And so, for 2018: here are some tips to create a more secure and resilient healthcare platform.
Hope is not a strategy
One big piece of advice going into 2018 and beyond is to look at healthcare security from a different perspective. Specifically, analyze your organization’s appetite for risk. That is, understand risk around your end-users, all of your applications, your back-end systems, your remote locations, and so on. Wrapping security as an overarching solution can become complicated and even cumbersome. Leading healthcare organizations identify risk around their entire business and then contextually apply security best practices.
It can and will happen to you
This goes along the lines of “hope is not a very good strategy.” The data that’s being created within the healthcare world is a lot more valuable than ever before. This means that every type of healthcare organization is at risk. Whether you’re an imagine center or a dental group – you face a potential breach. As the list from earlier points out, nearly every type of healthcare services organization is a target. The best way to prepare for a breach is to acknowledge the fact that it can, and will, happen to you; and that you should be constantly vigilant.
End-user protection has come a long way
We’re seeing advanced learning engines, tools which detect anomalous behavior, and solutions which can fix gaps in the way users interact with various types of apps and services. Solutions like Cylance, CrowdStrike, Carbon Black, and even Trend Micro are offering end-point detection and response (EDR) solutions that go way beyond traditional anti-virus. Furthermore, solutions like those from Cisco Talos leverage sophisticated systems to create threat intelligence that detects, analyzes, and protects against both known and emerging threats. A great way to become more proactive is approach end-user security from a contextual perspective. That is, applying the proper security policies based on what the user is doing, their device, where they are coming in from, and so on.
Secure your email ecosystem
This is a big one. I’ve seen numerous ransomware and phishing attacks take place recently that specifically take aim at healthcare email environments. Proofpoint is a great email security architecture, as are the solutions from Cisco and their Email Security architecture that leverages Cisco Advanced Malware Protection. The point here is that traditional gateways can provide only so much security. Not only are you better protecting your users, you can also employ data loss prevention technologies to stop the leakage of data.
You’re creating data, have a good analytics and logging architecture
SIEM, log analytics, and data intelligence are all great ways to better understand the information that’s flowing through your healthcare environment. New types of solutions can analyze logs and actually find anomalies in data patterns. From there, you can actually identify security holes. Here’s the other big factor: a great way to mitigate a breach is to have solid forensics within your environment. And that all revolves around how well you can analyze your logs.
Test, test, and test
Breaches don’t run on schedules. Neither should your penetration and vulnerability tests. I highly recommend working with a security partner to help you test the integrity of your healthcare infrastructure. This means regularly testing for unpatched gear, scanning for rogue pieces of software, and even doing things like active penetration testing against the environment. Your goal here is to catch issues before the bad guys do. And, with regular vulnerability assessments, you can absolutely stay ahead of the game. Yes, I know this is an additional expense. However, working with a good testing solution can help prevent the massive costs (to the business, brand, and confidence of the user) that is associated with a breach.
The best security models start with the end-user
A good healthcare security architecture is always built around people, process, and technology. Well, working with people and process when it comes to security may be the most important steps in creating a good platform. With more mobility and infrastructure distribution, it becomes even more critical to understand how our end-users compute. A good preventative measure is to clearly define user roles, deliver security based on context, and leverage a platform which aims to improve experience without deprecating security. Most of all, work with your end-users to ensure they understand the value around security. And make sure they understand that they play an important role in the overall security architecture.
With the ever-increasing complexity of the healthcare IT environment, security, unfortunately, will be just as complex and oftentimes challenging. There is no silver bullet when it comes to creating a security architecture, but there are some great bullet-proof vests out there.
Risk mitigation, containing a breach, and understanding how to respond quickly if a breach happens is just as important as having a prevention plan. Beyond anything else, it’s important to really work with your users when it comes to security.
Don’t get me wrong, it’ll still hurt a lot if you get breached, but at least you’ll be more prepared.