3 Lessons Mardi Gras Can Teach Healthcare Organizations About Protecting Patient Privacy

By ISBuzz Team, February 12, 2017
With Mardi Gras just weeks away, securing the city of New Orleans will be the main focus for law enforcement. Every available officer from the city police force, as well as scores of state troopers and sheriff’s deputies, is likely to be on hand to keep the festivities secure and under control. And yet crime will still happen, despite having the city in virtual lockdown. Healthcare organizations face the same challenge when trying to secure patient privacy. Simply adding “more” security doesn’t mean data is any safer. Why?

Because security is all about strategy – and “more” doesn’t equal “better.”

For example, if the entire Mardi Gras police presence were to congregate on Bourbon Street it might look formidable and make revelers feel safer — but it would leave the rest of the city exposed and vulnerable to threats. The same holds true for securing patient privacy within healthcare organizations. Centering all attention on a few areas prone to attack just isn’t helpful. A truly secure environment requires holistic attention, from perimeter security right down to staff education on cyber-hygiene and everything in between.

This is a reality every healthcare organization needs to come to terms with and address, regardless of size or sophistication.

Protecting patient privacy is a risky business – the threats faced by healthcare organizations are growing faster than the industry can even comprehend. 80% of healthcare organizations report experiencing at least one recent “significant security incident.”[1] HIPAA penalties for breaches have reached unprecedented levels. No one is immune. Even Cedars-Sinai, Hollywood’s “hospital to the stars” and a leading example of patient privacy practices, has seen the writing on the wall. They recognized that they’d need to advance their protections in order to stay ahead of the rapidly growing threat landscape.

The challenges Cedars faced were familiar ones that every healthcare organization can relate to:

  • A reliance on manual controls
  • An overabundance of alerts with no way to prioritize them
  • Gaps in EMR logs
  • No real-time alerts
  • Limited reporting
  • No way to transform data into useful analytics

I don’t know a single security, privacy or audit professional who doesn’t face at least a few (if not all) of these challenges on a daily basis.

Cedars is currently in the process of elevating their facility to an unprecedented level of security. Their approach (and success) can be boiled down into a few basic principles that come straight from Mardi Gras:

  1. Conduct a thorough analysis to identify potential gaps in privacy monitoring

You can’t figure out where you need to go if you don’t know where you are. Just as law enforcement works to understand the unique vulnerabilities they’ll face for each new Mardi Gras year, security professionals need an in-depth understanding of their environments. It’s a critical first step in crafting a comprehensive security strategy that ensures no points of exposure are left unchecked. This review process will also highlight deficiencies in the security systems themselves. For example, most organizations rely on log-file-based systems to collect data, which generally fall short of current best-practice approaches to security.

  2. Identify an approach to managing risk that’s suitable for your risk profile

Every business involved in Mardi Gras festivities has a different tolerance for the issues that may arise as a result of the celebration – and each protects itself accordingly. The same holds true for healthcare organizations and the risks posed by security threats. The risk of a breach has grown exponentially in the last year. While worries about lost reputation, lost patient trust and non-compliance still exist, they’ve been eclipsed by the enormous fines HIPAA enforcement has been handing down (e.g. the $5.5 million settlement with Advocate Healthcare Network in late 2016), as well as the growing threats to patients’ physical safety as attacks on connected medical devices become a reality. Take the time to have frank discussions with stakeholders in the organization about how to prioritize and quantify the risk. These discussions should include whether you consider simple compliance with security regulations to be adequate protection, and whether you want to transfer the risk or mitigate it, for example with a real-time behavior monitoring system.

  3. Use a layered security approach that takes a holistic view of the risks

New Orleans law enforcement officials would never advocate simply circling the city with officers to protect residents and tourists during Mardi Gras – just as healthcare organizations shouldn’t rely on a single layer of security to protect patient data. For maximum security (and the least amount of complication), privacy protection should include rules layered with user profiling and risk scoring. By employing these three tiers together, organizations can simultaneously block known bad behavior, identify suspicious changes in user behavior, and avoid wasting time chasing down false positives.
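To make the three tiers concrete, here is an added example (not code from the article or from any product it mentions) that runs rules, per-user profiling and a combined risk score over constructed EMR record-access events; the field names, rules, weights and threshold are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def ev(user, home, day, pdept, hour):
    """One EMR record-access event (constructed sample data, not real logs)."""
    return {"user": user, "home_dept": home, "day": day, "patient_dept": pdept, "hour": hour}
# Constructed seven-day history: steady in-department, daytime access for each user.
HISTORY = [ev("nurse_a", "cardiology", d, "cardiology", 10) for d in range(1, 8) for _ in range(20)]
HISTORY += [ev("nurse_c", "cardiology", d, "cardiology", 10) for d in range(1, 8) for _ in range(20)]
HISTORY += [ev("nurse_d", "oncology", d, "oncology", 11) for d in range(1, 8) for _ in range(10)]
# Constructed "today" (day 8): nurse_a trips one rule; nurse_c trips rules and triples volume; nurse_d only triples volume.
TODAY = [ev("nurse_a", "cardiology", 8, "cardiology", 10) for _ in range(20)]
TODAY += [ev("nurse_a", "cardiology", 8, "cardiology", 23)]
TODAY += [ev("nurse_c", "cardiology", 8, "cardiology", 10) for _ in range(55)]
TODAY += [ev("nurse_c", "cardiology", 8, "oncology", 3) for _ in range(5)]
TODAY += [ev("nurse_d", "oncology", 8, "oncology", 11) for _ in range(30)]

# Tier 1: rules encode known bad behaviour; each hit adds a fixed weight (assumed values).
RULES = {
    "off_hours": lambda e: e["hour"] < 6 or e["hour"] >= 22,
    "outside_home_dept": lambda e: e["patient_dept"] != e["home_dept"],
}
RULE_WEIGHT = 2.0

def rule_hits(event):
    return [name for name, check in RULES.items() if check(event)]
# Tier 2: user profiling; baseline each user's daily record volume from history.
def build_profiles(history):
    per_day = defaultdict(Counter)
    for e in history:
        per_day[e["user"]][e["day"]] += 1
    return {u: (mean(c.values()), pstdev(c.values())) for u, c in per_day.items()}
def volume_zscore(count, profile):
    avg, sd = profile
    return (count - avg) / max(sd, 1.0)  # floor sd so a flat baseline still scores
# Tier 3: risk scoring combines both tiers, so a single rule hit from an otherwise
# normal user ranks below a user who trips rules and also deviates from baseline.
def score_day(user, day_events, profiles):
    hits = Counter(h for e in day_events for h in rule_hits(e))
    z = volume_zscore(len(day_events), profiles.get(user, (len(day_events), 1.0)))
    score = RULE_WEIGHT * sum(hits.values()) + max(z, 0.0)
    return {"user": user, "rule_hits": dict(hits), "volume_z": round(z, 2), "score": round(score, 2)}

def triage(today, profiles, threshold=5.0):
    by_user = defaultdict(list)
    for e in today:
        by_user[e["user"]].append(e)
    scored = [score_day(u, evs, profiles) for u, evs in by_user.items()]
    return sorted((r for r in scored if r["score"] >= threshold), key=lambda r: -r["score"])
```

Running `triage(TODAY, build_profiles(HISTORY))` surfaces nurse_c first and nurse_d second, while nurse_a's single after-hours access stays below the threshold rather than becoming an alert to chase.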

When it comes to patient privacy, security has to be about more than just a show of force. Law enforcement officials in New Orleans understand the wisdom of employing a layered approach to security — threat actors are advancing their skills and becoming more creative in their efforts with each passing minute. If healthcare organizations want to keep patients and their data safe, they need to advance their protections as well.

About the author: Boaz Krelbaum


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
