Although the healthcare industry provides one of the most critical services to humankind - keeping us alive and well - we are still not providing optimal cybersecurity safeguards for our data and assets. Even though there is a specific standard in place, called The Health Insurance Portability and Accountability Act (HIPAA), to help ensure that our healthcare institutions are compliant when it comes to protecting personal health information (PHI), the bad guys are still at an advantage. Remember, PHI is much more valuable than financial or credit card data, because it is not something you can simply cancel and renew; it sticks around forever. So, how can we leverage HIPAA guidelines and modern cybersecurity technology to keep this sensitive data safe?
Generally speaking, cybersecurity should function as a wrapper around business processes, and the healthcare industry is no exception. If you put no effort into classifying your data, assets, and third-party providers, it will be much harder to protect your data - and to comply with HIPAA guidelines. You need to understand how you store your electronic PHI, who does - and who should - have access to that data, and which security controls you have in place to protect it. Once you have this information, you may find that you need to design new controls to protect your valuable assets and data. To protect your PHI and other healthcare data appropriately, you must understand how your organization uses that data. Which processes use it? Which users should have access to it? Where does it flow - externally or in-house? When it comes to HIPAA compliance, remember: “Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement…” (HIPAA STANDARD § 164.312(a)(1))
Once you understand how your healthcare business operates, and the part that data plays in its day-to-day operations, you can start implementing - or tuning, if they already exist - cybersecurity controls that provide optimal monitoring and protection capabilities. Healthcare data is some of the most valuable information available these days; luckily, it is also relatively easy to classify and to monitor for flow - if your infrastructure allows. Systems often get built up over time, which can leave you with disparate systems or applications and data flowing in many directions. Leveraging a user and entity behavior analytics (UEBA) platform with machine learning can come in handy here, as you do not necessarily need to understand your network 100% (although you should, for your own sake): the tool provides insights based on statistical and probabilistic models. If you understand your business and know where your PHI and other important healthcare data resides, you will be able to analyze an alert and quickly discern whether it is a true or a false positive. These types of technology enhance the response effort and greatly reduce the time to contain. Let’s not forget the forensic capabilities a UEBA platform with machine learning provides, either.
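As an added illustration (not code from the original article or any UEBA vendor), the following Python combines the two ideas from the last two paragraphs: a deterministic access-rule check in the spirit of § 164.312(a)(1) and a simple statistical baseline of the kind a UEBA platform builds, run over constructed PHI audit records. The role-to-record-type mapping and the log entries are assumptions made up for the example; a real platform would use richer models and far more history.

```python
"""Toy UEBA-style triage over PHI access audit records (constructed data)."""
import statistics
from collections import defaultdict

# Constructed sample audit records: (user, role, record_type, day, records_accessed).
AUDIT_LOG = [
    ("nurse01", "nurse", "clinical", 1, 40),
    ("nurse01", "nurse", "clinical", 2, 45),
    ("nurse01", "nurse", "clinical", 3, 38),
    ("nurse01", "nurse", "clinical", 4, 410),  # volume spike: possible mass export
    ("billing02", "billing", "billing", 1, 120),
    ("billing02", "billing", "billing", 2, 122),
    ("billing02", "billing", "billing", 3, 118),
    ("billing02", "billing", "clinical", 3, 5),  # outside the billing role's rules
]

# Assumed role -> permitted PHI record types, standing in for the access rules
# that 164.312(a)(1) requires the covered entity to define.
ACCESS_RULES = {"nurse": {"clinical"}, "billing": {"billing"},
                "physician": {"clinical", "billing"}}


def rule_violations(log, rules=ACCESS_RULES):
    """Deterministic check: any access outside the user's role is an alert."""
    return [(user, rtype, day) for user, role, rtype, day, _ in log
            if rtype not in rules.get(role, set())]


def volume_anomalies(log, threshold=3.0):
    """Statistical check: flag a user-day whose record count sits more than
    `threshold` standard deviations above that user's other days (leave-one-out)."""
    by_user = defaultdict(lambda: defaultdict(int))
    for user, _, _, day, count in log:
        by_user[user][day] += count  # aggregate all record types per user-day
    flagged = []
    for user, days in by_user.items():
        for day, count in days.items():
            baseline = [c for d, c in days.items() if d != day]
            if len(baseline) < 2:
                continue  # not enough history to judge this user yet
            mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
            z = (count - mean) / sd if sd else (float("inf") if count > mean else 0.0)
            if z > threshold:
                flagged.append((user, day, count, round(z, 1)))
    return flagged


def triage(log):
    """Merge both checks into one alert list an IR team can work from."""
    alerts = [("access-rule", u, d, f"{rt} records") for u, rt, d in rule_violations(log)]
    alerts += [("volume", u, d, f"{n} records, z={z}") for u, d, n, z in volume_anomalies(log)]
    return sorted(alerts, key=lambda a: (a[2], a[1]))
```

Running `triage(AUDIT_LOG)` yields one access-rule alert for billing02 on day 3 and one volume alert for nurse01 on day 4; knowing where your PHI lives is what lets an analyst decide quickly whether either is a true positive.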
Creating a team whose main task is to respond to data breaches and other cybersecurity incidents is a must for healthcare organizations. With HIPAA guidelines stating that breaches must be reported within 60 days if they affect more than 500 users, or within 60 days of the end of the calendar year if the user count is less than 500, having a strategy in place to detect and report on breaches is paramount. This team should understand how HIPAA works, how your organization works, how your data flows, and how relationships with third-party suppliers are carried out. These team members will have their own day-to-day tasks, but in the event of a breach or other security incident, they will need to act fast to confirm, contain, and remediate any cybersecurity incidents. Remember, a persistent attacker has a high likelihood of infiltrating a network; the main goal is to contain them to ensure that there is as little collateral damage as possible, and that your data remains safe from exfiltration.
In summation, three major steps must be taken if we are to ensure that our healthcare data will be protected - or if we want to avoid fines associated with HIPAA violations.