Oregon Healthcare News
orhcnews.com

Evaluating Health Care IT Security: A Holistic Approach


By Kevin Villanueva, Director, IT Auditing & Consulting Practice, Moss Adams LLP



Original Publish Date: August 9, 2016

In today’s increasingly complex technology and security landscape, data breaches and hacking attempts no longer impact just a few unlucky organizations. And because the data they hold is lucrative, health care organizations are among hackers’ favorite targets.

The pace of innovation coupled with the rise of the Internet of Things (IoT) and rapid adoption of connected devices has increased the risk for network vulnerabilities, making every organization susceptible to attacks. Examples range from a Los Angeles–based health care system that had its electronic medical records held hostage as a result of a ransomware attack to a breach in customer credit card information for a major national retailer.

This new reality not only impacts chief information officers and IT-team operations but can also have a significant impact on an organization’s bottom line, making IT security a new mandate for CFOs. In fact, the Governance of Cybersecurity: 2015 Report revealed a sizeable uptick in the attention executives and boards are paying to cybersecurity risk management.

Health care is especially vulnerable to attacks given the multitude and array of potential attack vectors, including wireless networks for drug infusion pumps, plasma refrigerator monitoring systems, and other IoT-connected devices. Health care IT departments need to secure systems not only on their corporate network but also on the clinical side, where these nontraditional computing devices are involved. Balancing accessibility to patient data with privacy and data security requirements, especially those associated with electronic protected health information (ePHI), only adds to the challenge.

The HIPAA Security Rule makes regular risk assessments a necessary and required undertaking for HIPAA compliance. But at a broader level, it’s also become clear to today’s executives that they can no longer afford to gamble and wait when it comes to IT security. CFOs and fellow C-suite executives must view cyberthreats holistically, as a broader enterprise risk, and undertake regular IT security assessments—a comprehensive review of administrative, technical, and physical security. These assessments review whether the necessary safeguards and protocols are in place to protect not only the organization but also its employees, customers, and partners in the event of a data breach.

Building a Competitive Advantage

Across industries, third-party verification of IT security has become significant to the procurement process, and businesses can lose out on potential work if they don’t have the proper assessments in place. Many organizations have stringent security requirements any time personal or sensitive information needs to be exchanged or shared across organizations, and it’s often a key part of the request-for-proposal process.

This is especially true for industries with strong compliance regimes, such as the Health Insurance Portability and Accountability Act (HIPAA) in health care or the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS), which applies to all companies that process, store, or transmit payment card information.

Organizations that deal with sensitive information want assurance from business partners that their data will be secured and protected from theft or inadvertent exposure. Covered entities in particular may choose not to partner with business associates whose data security controls haven’t been reviewed and validated by a third-party security consultancy. As a result, business associate organizations who can’t provide proof of a third-party review of their security controls may be missing out on additional revenue opportunities.

Removing the Blinders

Many companies focus solely on external threats and network breaches, but this narrow focus can blind organizations to equally serious internal threats. Health care organizations in particular must evaluate and install protocols for potential threats stemming from anyone who has access to the network, such as employees, vendors, temporary workers, or consultants. Physical security threats, such as malicious individuals gaining access to sensitive network hardware in the building—or to laptops, tablets, phones, and other devices that may leave the organization’s four walls—must be accounted for as well.

Even the best-secured organizations are vulnerable to a data breach, and it’s important to have an incident response plan in place that outlines how the organization will respond in the event of a possible threat. Too many companies uncover the need for response planning only once a breach has occurred. IT security assessments uncover the weaknesses in incident response planning too.

Finally, while it’s important for health care organizations to review their own IT security posture, their business partners are another critical component. Health care entities should require and ensure their business associates are also undergoing IT security assessments, especially if they handle PHI on the organization’s behalf.

Undergoing an Assessment

In an IT security assessment, auditors work with an organization to identify network and system vulnerabilities, deficiencies in security policies and procedures, and weaknesses in physical security controls. They also uncover the need for security awareness training.

The assessment examines key areas of the network, including architecture, network perimeter protection, server and workstation management, and other operational aspects of the IT environment. Ultimately, the assessment enables organizations to implement changes that strengthen the entire company, from critical data confidentiality, integrity, and availability to employee safety.

The first step in an IT security assessment is hosting the audit team on-site. Auditors observe the organization in its native space and understand how employees interact with sensitive data and operate from day to day, which helps them identify potential threats and risks to the data. From there, auditors recommend possible improvements in technology implementation, policy, and protocol. Prior to this visit, companies should expect to receive a documentation request list, which may include requests for copies of network diagrams, existing policies, and screenshots of system settings, among others.

Areas IT security auditors typically examine include:

Penetration testing is one common method IT security auditors use to gauge an organization’s resilience. Penetration testing can be performed as a stand-alone service or as part of a comprehensive IT security assessment. The objective is to identify the weaknesses in an organization’s networks and systems so that the organization can address the issues before the “bad guys” exploit them. Depending on the size and complexity of the IT environment and operations, organizations undergoing an IT security assessment can expect the project to take an average of two to three months.

Refreshing the Assessment

It’s short-sighted to assume going through the motions of an IT security assessment is enough. Too many health care organizations don’t establish a regular cadence for assessments. Instead, they opt to undergo an assessment only to check the “completed” box as part of an overall HIPAA compliance strategy, once a threat is detected, or when it’s prompted by the all-too-frequent news stories of data breaches and hacking attempts.

At a minimum, organizations should plan for an annual assessment, but they should also consider undergoing an assessment when changes to the IT environment impact network and system protections, such as introducing new Web application servers or merging with another entity. The departure of key IT personnel, of a potentially disgruntled employee, or of anyone with high-level access to the network should also prompt an assessment.

Next Steps

Today, nearly all business and financial operations are driven by technology, making IT systems central to an organization’s sustainability and bottom line. As the rapid pace of innovation continues, health care organizations—and their upper management in particular—need to acknowledge the significant risks cybersecurity issues can pose and take the necessary precautions to mitigate potential harm to their overall security and health. The current reactive mindset must change to a more proactive one, ensuring health care organizations, and by extension, their employees, patients, and partners, remain protected.

To learn more about how an IT security assessment can help strengthen your organization’s security posture, visit http://www.mossadams.com/IT.

Kevin Villanueva has been in the information technology field since 1997. His areas of practice include IT security assessments, penetration testing, PCI Data Security Standard assessments, HIPAA compliance auditing, and strategic technology planning. He can be reached at (206) 302-6542 or kevin.villanueva@mossadams.com.