How to avoid healthcare data catastrophes: Breach prevention

09/15/2014  |  By: Jason Riddle, CISSP, President, Information Security


As featured in Health IT Security.

The healthcare industry is in the middle of a revolutionary shift toward widespread utilization of electronic health records (EHRs). This change has made it easier than ever for patients and providers to capture, analyze, interpret, and share health data. And the rising importance of electronic data in healthcare also means that data security has never been more important.

From HIPAA/HITECH privacy and security rules to patient privacy, safety, and trust implications, the consequences of security breaches in healthcare can be catastrophic. So how can healthcare providers prevent, detect, and respond to data security breaches effectively?

Prevention for providers

Prevention is as much about training and awareness as it is technology. Today, many attempts to obtain private data come through social engineering tactics – emails that convincingly emulate internal communications.

Other tactics include callers posing as an authorized user to talk a customer service representative into giving up login information, and even direct theft from data warehouses with lax in-person security.

To this end, it’s essential that healthcare organizations train their teams to be on the lookout for these tactics – and to be aware of unusual computer activity. Slow network connections or a sudden inability to log in may be signs of network intrusion, and staff should know how to report them. Today, effective security requires effort and awareness on the part of everyone, not just IT teams.

Detection strategy

The next step is to formulate an overall security strategy that doesn’t overemphasize prevention.

Why? It might seem counterintuitive, but the fact is that intrusion techniques and technologies are constantly evolving. Some organizations throw all of their energy into trying to keep up, and then don’t give much thought to how they’d respond if their prevention measures failed. So when their data is breached, they’re at a loss for what to do – if they’ve detected the breach in the first place.

Remember, most data theft is surreptitious by design, conducted in such a way that organizations may not notice it even after it has occurred. For this reason, it’s important to develop a detection strategy – and a set of practices to follow.

Human monitoring, whether by an internal IT team or a third party, is the best way to detect and interpret anomalies on a network. High network traffic at odd hours, for example, or an unusual number of failed login attempts are key indicators. These are the kinds of red flags that security experts can use to put an event in context, evaluate its impact, and follow up with a response.
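As an added illustration (not part of the original article), the following Python sketch applies the two indicators named above to constructed log lines: a burst of failed logins from one source within a short window, and a large transfer during off hours. The log format, thresholds, and the definition of "off hours" are assumptions, not anything the article specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): timestamp, event, fields.
SAMPLE_LOG = """\
2014-09-14 02:11:05 login user=jdoe src=10.0.5.21 result=FAIL
2014-09-14 02:11:09 login user=jdoe src=10.0.5.21 result=FAIL
2014-09-14 02:11:14 login user=msmith src=10.0.5.21 result=FAIL
2014-09-14 02:11:20 login user=admin src=10.0.5.21 result=FAIL
2014-09-14 02:11:27 login user=admin src=10.0.5.21 result=FAIL
2014-09-14 02:11:31 login user=admin src=10.0.5.21 result=FAIL
2014-09-14 02:30:00 transfer src=10.0.5.21 bytes=734003200
2014-09-14 09:05:44 login user=rjones src=10.0.7.8 result=FAIL
2014-09-14 09:05:59 login user=rjones src=10.0.7.8 result=OK
2014-09-14 11:20:10 transfer src=10.0.7.8 bytes=4096
"""

LOGIN_RE = re.compile(r"^(\S+ \S+) login user=(\S+) src=(\S+) result=(\S+)$")
XFER_RE = re.compile(r"^(\S+ \S+) transfer src=(\S+) bytes=(\d+)$")

FAIL_THRESHOLD = 5              # failed logins from one source within the window (assumed)
WINDOW_SECONDS = 300            # sliding window for counting failures (assumed)
OFF_HOURS = range(0, 6)         # hours treated as "odd hours" (assumed)
BULK_BYTES = 100 * 1024 * 1024  # transfer size worth a second look off hours (assumed)

def find_anomalies(log_text):
    """Return (kind, src, timestamp) tuples for the two indicators the article names."""
    fails = defaultdict(list)  # src -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            src, result = m.group(3), m.group(4)
            if result == "FAIL":
                # keep only failures still inside the sliding window, then add this one
                recent = [t for t in fails[src] if (ts - t).total_seconds() <= WINDOW_SECONDS]
                recent.append(ts)
                fails[src] = recent
                if len(recent) == FAIL_THRESHOLD:  # fire once per burst, not on every extra failure
                    alerts.append(("failed_login_burst", src, ts))
            continue
        m = XFER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            src, nbytes = m.group(2), int(m.group(3))
            if ts.hour in OFF_HOURS and nbytes >= BULK_BYTES:
                alerts.append(("off_hours_bulk_transfer", src, ts))
    return alerts
```

On the sample data this flags the 10.0.5.21 source twice (a login burst at 02:11:27, then a large 02:30 transfer) and leaves the single daytime failure from 10.0.7.8 alone; the point is that a human reviewer then correlates the two alerts rather than treating either in isolation.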

Responding to breaches

How, then, should providers respond to security breaches in healthcare?

First, it’s important to contain the situation immediately. Depending on the situation, it may be appropriate to disconnect affected machines from the network, or to leave them connected and observe their activities to better understand the nature and scope of the incident. If your organization does not have the in-house expertise to evaluate and select the appropriate response, you should strongly consider engaging an outside resource that specializes in computer incident response and forensics.

For most breaches, organizations will have an obligation to report the data exposure to both consumers and regulators. The incident may result in fines or other penalties, so the organization needs to make sure their legal team is kept up to date on the overall incident, and any follow-on actions.

Above all, companies in this position should be direct, clear, and responsive about what has happened, while identifying how the breach occurred, removing any malicious software or means of unauthorized access, and returning to normal operations. Once the situation has passed, companies can reassure users that the network is back to normal and revisit their security strategy to ensure that it is revised in light of the incident.

A comprehensive plan

Security breaches in healthcare can be disastrous, but if organizations have a comprehensive plan – covering not only prevention but also detection and response – they will be equipped to better protect both themselves and their patients. And if catastrophe does strike, they will be ready to respond effectively, getting back to the business of care as quickly as possible.

Jason Riddle is Practice Leader at LBMC Information Security where he helps defend his clients’ networks. He has more than 15 years of experience working both as a consultant, advising commercial & government clients, and as a corporate information security officer for a financial services organization. His core areas of expertise are technology infrastructure, security & compliance, electronic payments, and developing processes to defend networks and systems against today’s advanced threats.

Publication

Health IT Security