Healthcare data continues to be one of the most valuable and highly sought-after resources that attackers are targeting in 2017. Patients' private health records now fetch higher prices than stolen credit cards on the dark web. The loss of sensitive information due to unauthorized access to databases, whether through malicious software or loopholes in a network, is of grave concern for enterprises. Unfortunately, the most relied-upon security tools, such as the antivirus software and firewalls deployed to protect an IT infrastructure, are not enough to prevent these breaches.

For healthcare organizations in 2017, segmentation, relentless vulnerability management, and proactive monitoring and blocking will be vital to creating a secure environment. Working with experts to get the fundamentals right is also critical: keeping device configurations updated, segregating and firewalling sensitive data, educating users on how to spot phishing attempts, and protecting mobile devices with strong encryption.

With the wave of highly publicized cyberattacks on healthcare, the challenges of data security and compliance have only multiplied. In 2017, healthcare organizations, and the service providers that handle electronic protected health information, will continue to focus not only on maintaining patient privacy and data security but also on complying with HIPAA and numerous state laws and industry regulations. With mandatory breach reporting and increasing OCR audit activity, the odds of having to defend the organization's security controls to a government regulator continue to go up.

To combat this, you may see more organizations taking advantage of the HITRUST Common Security Framework (CSF) to help meet these challenges, as it is rapidly gaining acceptance in the healthcare security ecosystem. While obtaining HITRUST certification is a complex undertaking, the rewards can be large, enabling organizations to address both regulatory requirements and business challenges. HITRUST and similar frameworks also provide a solid platform on which to build your organization's risk assessment.

A risk assessment (as part of a broader risk management program) should be a foundational component of every healthcare organization's security program. Understanding where actual risks exist helps the business "right-size" the security controls and technologies being applied to protect data. Many organizations jump immediately to technology solutions to solve their perceived security problems without a thorough understanding of where sensitive data resides, with whom it is shared, and how it may already be protected. Among other things, a risk assessment seeks to ask and answer the questions "what can go wrong?" and "how are we protecting against those threats?"

A few key areas to consider for your risk assessment this year:

  • Medical devices
  • Access to cloud-based clinical systems
  • Mobile and portable device encryption and tracking
  • Third-party vendors and business partners
  • Monitoring systems for intrusions and malware
  • Patching of systems and scanning for vulnerabilities
  • Responding to security incidents

The threats will not abate in 2017. As an industry, healthcare is slowly maturing from a security perspective, but there is still much work to be done to ensure we are doing the right things to protect sensitive and protected data.

Mark Fulford is a shareholder in the Risk Services division of LBMC. With nearly 25 years of experience in information technology, audit, and security, he regularly consults on matters including Service Organization Control (SOC 1&2) audits, HITRUST validation and certification assessments, Sarbanes-Oxley Section 404 IT controls documentation and testing, and HIPAA risk assessments for large multi-facility healthcare providers as well as healthcare business associates.