
HIPAA Compliance for Healthcare and Health Services Providers






The data security measures medical providers should be implementing to protect PHI (Protected Health Information) from cyber-attack


In a previous post, we talked about how the healthcare sector is one of the most vulnerable to data breaches and cyber attacks. Precisely because of the sensitive nature of the data that hospitals and other medical enterprises store, and the harm that can be caused by stealing that data, every organization in the field is required to comply with a set of rules. These rules are set out in the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.


Companies that store or transmit confidential Protected Health Information (PHI) face potentially hefty fines for violating its provisions on security and data governance.


Since the requirements can refer to complex issues of network security, healthcare providers that aren't large enough to maintain a dedicated cybersecurity staff are well advised to contract with a company that specializes in HIPAA compliance auditing to ensure they are correctly covering all the bases. Here are some of the rules that healthcare organizations are asked to follow with regard to network security and data privacy:



Security reminders


Holders of PHI should ensure that they are providing periodic security updates to their employees. This may include security awareness training for employees, notices, or agenda items in periodic staff meetings.



Protection from malware


In recent years, malicious software has typically entered the network through certain types of email links or attachments, or through files downloaded and executed after clicking links on web pages. A related threat is credential theft through email phishing attacks.


To protect against the problems caused by these traditional attacks, common defensive measures have been shown to be reasonably effective, including:


- Enterprise anti-malware software running on every computer.

- A modern enterprise-grade firewall between your office and the internet.

- An email service that offers encryption, archiving, and filters for phishing and malware.

- Encryption for data at rest and in transit.

- A reliable and secure backup of data and of access logs/security event logs.

- Patching of the OS, third-party apps, drivers, BIOS and firmware, including network devices.

- Dual/multi-factor authentication (MFA).

- User security awareness training.

- USB and network port monitoring/blocking.

- Use only US-based contractors and datacenters, and ensure they are meeting your internal security standards.

- Processes and mechanisms to confirm and document all of the above.


Unfortunately, just as with biological viruses, new threats keep evolving in cyberspace. In recent months we have seen a sharp increase in fileless and polymorphic attacks that are increasingly difficult to detect and eradicate, effectively becoming resistant to our treatments. As you might guess, the so-called advanced persistent threats like Emotet and TrickBot that are currently plaguing the banking industry are predicted to spread in the coming months.


Since these attacks have been designed specifically to get past existing protection methods, medical providers should expect to soon be receiving recommendations for next-gen protection services that mitigate today's advanced threats, such as:


- Real-time monitoring and analysis of security event logs and/or network packets, powered by machine learning for fast filtering and response.

- Data-centric/file-level rights management to securely transmit sensitive files and health information.

- Automated password management with biometrics, where software handles both resetting and securely entering passwords; all you do is provide some combination of fingerprint scanning and/or facial recognition to gain access to your apps and data.

- Automated privileged account management software that removes local admin rights from workstations when they are not needed. Policy or self-service mechanisms allow, and log, temporary access on request.


Aside from making compliance auditing relatively easy thanks to automated, software-based collection and reporting tools, these new solutions provide additional layers of actual protection that help keep us safe from the cost of cyber-attacks.



