HPE

How Healthcare Companies Are Handling Compliance Complexity


Earlier this year, the Washington Post wrote an article that likely caught few healthcare chief security officers (CSOs) by surprise, entitled 2015 Is Already the Year of the Health-Care Hack—And It’s Only Going to Get Worse.

The article goes on to mention the Anthem and Premera security breaches from this year, which have already exposed tens of millions of patient records to hackers. CSOs aren’t the only ones paying attention, however. Government and industry regulatory agencies are also keenly aware of healthcare security risks, and are ensuring that healthcare companies take data security seriously by levying more stringent requirements and larger fines for non-compliance.

Healthcare companies, particularly mid-sized enterprises, are feeling the rising pressure of “compliance complexity” as their organizations struggle to balance the challenges of not only HIPAA compliance but also PCI (Payment Card Industry) compliance and other requirements. This challenge is in many ways made even more difficult by the adoption of “third platform” technologies (social, mobile, analytics, and cloud), which leaves healthcare organizations increasingly dependent on the efforts of third parties to protect and police their business processes and data.

So what can healthcare companies do to handle this compliance complexity? It begins by understanding that security is not a one-size-fits-all solution. In fact, in my experience as a security consultant, I’ve come to recognize that each company has its own security fingerprint or DNA. Even companies that from outward appearances are very similar can have widely divergent security requirements.

To help healthcare companies map their security DNA, we offer a service at Rolta AdvizeX called the Security Advizer. This is a multi-step engagement that brings together an organization’s security leadership—not just CSOs and risk management teams but leadership in IT, Legal, Finance, and HR—to identify their current security capabilities and where they need to be in the future. Security Advizer answers the most important security questions facing healthcare organizations such as:

  • What are our current security capabilities in terms of access control, cryptography, etc.?
  • What is our risk tolerance?
  • Where are the internal and external vulnerabilities in our system?
  • Are our security processes documented and repeatable?
  • Is our disaster recovery plan aligned between our security and IT departments?

After we’ve documented a company’s security DNA, we can then define discrete initiatives to implement changes that improve security, prioritized to address high-risk concerns up front. Oftentimes, those changes can involve technology changes that also drive business benefits beyond security. Converged infrastructure is an example of this. We’ve had great success implementing HP ConvergedSystems for healthcare companies as a way of consolidating not only cost but also security risk.

These systems can bring enhanced security capabilities to the table through hardware consolidation and virtualization. Unlike a traditional architectural approach, HP ConvergedSystems allow healthcare agencies to do things like centrally and automatically manage their firewall policies (i.e., no piecemeal policies featuring a mix of old and new rules) or use microsegmentation to create tight zones around specific data and applications—something that would only have been possible with hundreds of separate firewalls in the past.

Working with HP, we’ve found that healthcare agencies also eliminate one of the biggest weaknesses in their current security armor: vulnerabilities exposed through third parties. The single vendor/system approach reduces finger-pointing and places security in the careful hands of a security leader—one that can assist in your security efforts with preconfigured hardware, advanced security products, and technical services to ensure your data and network are secure.

Compliance complexity and security risks won’t go away on their own.