Knowing what you don't know is the first step to healthcare data breach prevention. Working the steps of a risk assessment to customize your security plan is the first step to enlightenment and locking down a network environment.
That was the first piece of advice that Suzanne Widup, senior analyst on Verizon's RISK Team and researcher for the company's sixth annual 2013 Data Breach Investigations Report, offered to healthcare CIOs and information security leaders. The second was this: Keep system and security patches up to date, keep a log of this update activity and don't delete that documentation after a set period, such as 90 days.
"If you look at some of the time frames on how long, on average, it takes an organization to detect a breach, it's in the 'months' range," Widup said, adding that many healthcare organizations don't keep their logs for that long.
"The logs, of course, are key in determining what the scope of the breach was, where the attackers were able to get in, and how far they got through the organization. If you can't go far enough back to recreate what happened, it's really difficult to mitigate what they did to your system and be sure they're not just going to come back."
Based on her knowledge of year-to-year numbers of breach reports and their nature -- where the leaks were, who committed the breaches -- in combination with such new regulations as the HIPAA omnibus rule going into effect later this year, Widup suggested CIOs hardwire some of these ideas into their risk assessments:
- Focus your risk assessment on financial data, too. While HIPAA might put a premium on health data security compliance, as of this time, credit card and Social Security numbers are actually more valuable to data thieves. That might change over time, but for now, hackers find financial data more rewarding.
- Know where your data is going. Track the flow of health data through the various devices on your network, including laptops and thumb drives. This is where the most healthcare organizations are presently losing the battle and finding their names in local media and on the U.S. Department of Health and Human Services' "wall of shame." Add in cloud providers, downloadable databases posted online, HIPAA business associates and anywhere else patient data might reside.
- Bake security requirements into the business associate agreements you're revising for the HIPAA omnibus rule, if you haven't already.
- Sort your business associates by size of risk, and check on the biggest ones first. It might be impossible to investigate the physical controls and data encryption practices of every last business associate, but Widup said a good risk assessment will take into account which business associates handle the most patient health data and financial data first, and work down the list.
- Make someone in your organization directly responsible for information security; if it's spread among too many people, Widup said, no one is actually responsible. That person, she said, shouldn't work in a vacuum; he should immediately begin networking with other peers in healthcare -- and even other industries -- to share perspectives, best practices and horror stories.
- Work to terminate as soon as possible the network credentials of workers who leave the organization. Widup said that's one lesson healthcare can learn now that other sectors, such as financial services, learned "the hard way." Login IDs and passwords are hot commodities bought and sold on the black market, another vulnerability to list high on risk assessments of healthcare organizations that haven't already implemented identity management systems.