SecureWorks Releases Guidelines to the Healthcare Industry for Protecting Sensitive Patient Data as Enforcement of HITECH Act Takes Effect
ATLANTA, GA. December 30, 2009. SecureWorks®, Inc., a leading global provider of information security services protecting 2,700 clients worldwide, including four of the Fortune 10, has outlined a set of guidelines to help the healthcare industry protect their sensitive patient data from cyber attacks and other data breaches. These solutions will also assist healthcare organizations in demonstrating their adherence to the requirements outlined in the new Health Information Technology for Economic and Clinical Health (HITECH) Act.
Many organizations are not prepared to manage the provisions set forth by the HITECH Act that went into effect on September 23, 2009, and will be enforced starting February 2010 by the U.S. Department of Health and Human Services (HHS). The HITECH Act has extended the Health Insurance Portability and Accountability Act (HIPAA) regulations to apply not only to healthcare providers, insurers and healthcare clearinghouses but also to business associates that are handling personal information about patient health, as well as other protected information, including name, Social Security number, address and insurance account numbers. These associates must adhere to the Security Safeguards Rules outlined by HIPAA. The HITECH Act has also added a data-breach notification requirement and increased penalties for violation of the HIPAA rules.
SecureWorks currently protects 82 healthcare organizations across the country, in addition to providing security services to entities that are now required to adhere to the HITECH Act. “Healthcare organizations maintain very sensitive data such as a patient’s social security number, birth date, name, address, insurance account number and/or financial account data, etc. As a result, our security analysts are seeing attempted cyber attacks launched against our healthcare clients no less frequently than those against our financial, retail, utility and manufacturing clients,” said Beau Woods, Solutions Architect for SecureWorks’ consulting practice. “Unfortunately, as cybercrime becomes more pervasive, and the healthcare industry continues to suffer other types of data breaches such as those involving stolen laptops, flash drives and accidental leakage of confidential records, it is vitally important for healthcare organizations and their business associates to employ a defense-in-depth strategy. This approach involves implementing multiple layers of protection so as to shield the organization from current and emerging threats. Adopting these security measures will also assist organizations in complying with the current healthcare regulations,” continued Woods.
SecureWorks’ Recommended Information Security Guidelines
- Security Risk Assessments – Performing regular security risk assessments will give your organization a much better understanding of the actual risks posed to your Protected Health Information (PHI) and Personally Identifiable Information (PII). This process will also look at the controls you have in place compared with regulatory requirements, and help you determine if there are any gaps. It will also give you an opportunity to compare your security posture with others in the industry. Recommendations made as a part of this process can be integrated into your overall information security program, keeping your security safeguards current, as well as helping your organization show diligence and a commitment to compliance.
- Intrusion Prevention and Detection Services (IPS/IDS) – The implementation of IDS and IPS enables you to detect and block attempts by cyber criminals to access data on your servers and your network. Proactive alerting mechanisms and monitoring services can notify you of attempted cyber attacks and allow you to respond in real time as a component of your Information Security Program. It is much less costly, both from a monetary and reputational perspective, to prevent a cyber breach than to be faced with notifying affected individuals and the HHS, as required by the HITECH Act.
- Data Loss Prevention (DLP) – A DLP solution can help monitor your network traffic for possible leakage of PII such as social security numbers and PHI, such as Health Level 7 (HL7) codes (medical standards/procedures codes), etc.
- Log Monitoring – Log Monitoring centralizes and correlates audit logs from your applications and systems to allow you to identify improper access to sensitive patient data from internal or external sources. Proactive monitoring or regular reviews of logs is a key step in ensuring that your patient data is secure, as well as in meeting the short time-window required by the HITECH Act for notification of a breach.
- Web Application Security Testing and Web Application Firewalls – Web applications are becoming more common in healthcare environments. Due to their increasing role in the IT business environment and prevalence of security flaws, web applications are a frequent target of Internet hackers. Healthcare organizations and business associates should perform web application security testing regularly and when significant changes are made to the web applications in order to protect against current security threats. Also, the implementation of a web application firewall can help protect against emerging attacks being launched by cyber criminals.
- Encryption – Implementing strong encryption policies and technologies on mobile devices, laptops, portable storage and backup tapes is key to reducing your risks with regard to improper data disclosure.
For more information on IT security solutions for healthcare organizations, please visit http://www.secureworks.com/compliance/industries/healthcare.
About SecureWorks
SecureWorks is a market leading provider of world-class information security services with over 2,700 clients worldwide spanning North America, Latin America, Europe, the Middle East and the Pacific Rim. Organizations of all sizes, including more than ten percent of the Fortune 500, rely on SecureWorks to protect their assets, improve compliance and reduce costs. The combination of strong client service, award-winning security technology and experienced security professionals makes SecureWorks the premier provider of information security services for any organization. Positioned in the Leader's Quadrant of Gartner's Magic Quadrant for MSSPs, SecureWorks has also won SC Magazine's "Best Managed Security Service" award for 2006, 2007, 2008 & 2009. www.secureworks.com
