Loads of GRC Relating to Data Security…
The healthcare industry is subject to extensive governance, risk and compliance (“CRC”) mandates. The Health Information Portability and Accountability Act (“HIPAA”) was enacted in 1996 in order to protect patient healthcare records. In 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted to strengthen data security for electronic Protected Health Information (“ePHI”). In 2013, U.S. Department of Health and Human Services (HHS) issued a final Omnibus Rule to implement several provisions of HITECH, and HHS conducts routine audits of HIPAA-covered entities to ensure compliance.
…Doesn’t Necessarily Lead to Actual “Data Security”
Despite all these laws and regulation, the healthcare industry continues to be a top target for hackers. Three of the top seven cyberattacks in 2015 involved entities in the healthcare industry. A group of self-identified hackers attending a 2015 Black Hat conference “considered healthcare be the ripest target for breach vulnerability.” A recent data breach incident response report from a top law firm found that its healthcare clients were targeted more than clients in any other industry.
Why is the Healthcare Industry a Target for Hackers?
Healthcare organizations are attractive targets because more and more confidential information is stored electronically, and the stored information—i.e., patients’ personally identifiable information (“PII”), health insurance, and general health information—has tremendous value that hackers can monetize. And frankly, healthcare organizations have been slow to adopt the needed levels of data security because many are focused primarily on providing quality patient care.
So What Should Healthcare Organizations Do?
A lot of so-called data security experts have tried to inject fear, such as describing data breaches as the “new norm.” And these same data security experts create new terminology, usually with the term “cyber” contained somewhere within the new term, such as the now familiar “cybersecurity.” More recently, a so-called data security expert used the term “cyber resilience” in this context: “Business executives must develop cyber resilience programs that encompass the ideas of defense and prevention.”
Please do not succumb to the scare tactics, and feel free to ignore the wordsmiths out there creating new “cyber” terms. Be smart about the process and start by getting back to the basics. U.S. federal regulators have deemed the best data security strategy to have several different security methods deployed in a layered manner. A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network.
Many healthcare organizations devote too much of their data security budget to perimeter protection, and not enough to internal controls and monitoring that can happen before a breach occurs. In an atmosphere of fear and uncertainty, I can understand why one might focus too much on building up perimeter defenses. But remember, most of the latest data shows that increased spending on the perimeter has done little to slow the frequency/scope of data breaches.
To create a layered approach, deploy processes that identify and mitigate internal vulnerabilities, recognize anomalous user behavior, and implement programs that regularly monitor the processes you have created to deal with data security threats. bTrade’s TDXchange has functionality that would help in that regard, including end-to-end message tracking, reporting, and real-time alerts. It has fully operational monitoring features in the GUI and a set of dashboards that enable real-time monitoring of file transfers, both textually and graphically. Also, dashboards permit users to track key data (messages, transactions, participants, mailboxes, certificates, services, connections, etc.).