Healthcare Security and Compliance - Back to the Basics
By: SecureWorks
SC Magazine recently published an article titled "Are security basics getting lost under the cover of cloud security and mobile security?" (April 2012). The central question the article poses is: "Are we missing the mark on security basics by focusing so much on emerging technologies?"
In the flurry of managing increased use of mobile devices and BYOD (Bring Your Own Device) trends, pursuing big data initiatives surrounding health information exchanges and Accountable Care Organizations, and scrambling to meet the Meaningful Use compliance requirement, it's easy to lose sight of the fact that investing time in implementing simple, effective measures can go a long way toward safeguarding electronic health information data. In the world of infection control, simple measures such as hand washing enforcement have been shown to greatly reduce the risk to hospitals and their patients. This same logic applies to data security management for healthcare security and compliance as well.
Steps to Developing a Robust Healthcare Security Strategy
In recent Dell SecureWorks healthcare security-focused round table events, participants noted that hospitals have difficulty keeping common malware out of their networks, and often struggle to balance competing priorities because the risk of a breach is not perceived as high. But with the implementation of basic controls and measures, healthcare organizations can effectively reduce the majority of their risk. A critical first step toward this goal is gaining situational awareness - meaning visibility into where data resides, and visibility into the real risks that the organization faces. Developing an effective and efficient defense against attacks, from both insiders and outsiders, requires that the organization know where its device endpoints are. Gaining visibility into where data resides is a critical starting point for developing an effective healthcare security strategy, and is also the basis for completing the comprehensive risk assessment required under the Meaningful Use compliance guidelines.
Other areas where investment is necessary include enabling endpoint access security and encryption, developing a monitoring and security mitigation plan, and implementing a mobile device protection strategy. Dell SecureWorks' Counter Threat Unit has observed a clear recent trend of advanced threats targeting healthcare security systems. The most prevalent malware tools used by sophisticated threat groups affect the healthcare industry at a rate comparable to or greater than that seen in the banking, retail and manufacturing industries. In such an environment, it pays to get "back to the basics" in creating a healthcare security and compliance foundation.