Healthcare Sector

Healthcare Information Security – A Perfect Storm?
The 2012 article “Eye of the Storm – Key findings from the 2012 Global State of Information Security Survey” published by PWC really crystallized the angst that most healthcare providers are experiencing.
ISO 27001, Information Technology – Security Techniques – Information Security Management Systems – Requirements, is the newest management system standard to help ensure information security. This leading-edge tool is becoming extremely important to the healthcare industry as more and more organizations look to adopt the use of Electronic Medical Records (EMRs).
This standard enables health service providers to organize information security processes and document subsequent actions in a format that allows for the implementation of security controls that can be customized to their specific needs.
Registering to the standard demonstrates to partners in the continuum of care, and to patients/clients, that your health service organization is committed to maintaining the privacy and security of any information contained in each patient/client’s EMR.
Compliance is the greatest driver of information security change and investment: between HIPAA/HITECH, EMR meaningful use, and the rise of the Business Associate Agreement, the need to prove security and compliance to key stakeholders (customers, management, and auditors) is escalating rapidly at the same time.

Most organizations lack effective incident detection mechanisms (especially for Advanced Persistent Threats), and even those that do often have insufficient Incident Response capacity. There has been a notable increase in the number of forensic investigations performed in the healthcare sector in the recent past.
One of the most dangerous cyber threats is an Advanced Persistent Threat attack: generally speaking, a more mature Information Security Management System is required to prevent and/or detect one. The lack of funding and attention paid to HIPAA after its initial release, coupled with the significant and rapid rise in attention, investment, new technology, and the associated risk (e.g., healthcare identity theft), has resulted in rapidly evolving (and hence immature) Information Security Management Systems in many healthcare organizations. Isn’t it time to bring your organization up to the managerial, operational and supporting technical controls (e.g., NAC, SEM, IDM, Security Awareness Training, ISO 27001) necessary to address this type of attack?
Managing the security-related risks associated with partners, vendors and suppliers has always been an issue, and it’s getting worse: while this is an issue everywhere, HITECH moved it front and center in the healthcare space. In the complex processes that support patient care and the ensuing payments for that care, virtually every healthcare organization relies on a myriad of third-party vendors to provide key services. Unfortunately, most lack sufficiently sophisticated Vendor Risk Management programs to identify which of their vendors require due diligence, determine the extent and rigor of the validation, deliver (or review) the assessments, and govern/monitor the process so as to manage security incidents and address deviations from contracted security levels. As I’ve noted before, one area that gets “sticky” is “sixth party risk” (managing the risk associated with your vendors’ vendors).
Mobile devices and social media represent a significant new line of risk, and of defense: the healthcare industry has perhaps the greatest demand for mobility, and hence the greatest challenge. Many healthcare providers that do have a security strategy for mobile devices have not extended it to address employee use of personal devices.
While the findings regarding “the eye of the storm” were cross-industry, it’s clear that many of the most notable findings are current, and significant, pain points for healthcare information security.