How one health care provider learned that compliance does not equal security

Which causes business leaders to buy into an IT security assessment faster: ransomware or a data breach?

Both.

Unfortunately, that’s just the situation a regional health care provider network faced a few years ago. Although the IT staff knew a review of the security of the network and file server was overdue, the C-suite remained focused on existing HIPAA compliance guidelines.

That’s when a ransomware attack hit, resulting in a data breach. A user simply clicked on a popup, ransomware was installed on the machine, and health care records stored on the user’s hard drive were compromised.

After the breach was contained and the damage assessed, management realized many questions needed answering: Why did this attack happen? What should IT’s first step in protecting data be? What data should be secured? How could the organization balance compliance and security to stop attacks in the future?


The ailments and issues that health care IT professionals are most concerned about

The operating room is the convergence of intelligence and technology. The computers, devices, and software that make up the operating room and your doctor’s office, as well as the latest trends in health care, were on full display at HIMSS 2016 in Las Vegas earlier this month. This year’s conference was attended by more than 45,000 health care IT professionals who were ready, willing, and eager to learn how to collaborate better and improve patient care through IT solutions.

Throughout the conference I met with people from all areas of health care — from providers to payers to vendors. Here are three key takeaways.


Why it’s time to rethink what drives your IT security program

In the past, IT security was like insurance: viewed as an expense, not a revenue generator. That perception left IT with minimal dollars allocated to securing networks, data, and other assets. But with the increase in threats, ranging from malware to data and identity theft, security has become a priority for all organizations.

Over the past three decades, businesses have developed structured security programs as federal and industry regulations became more prevalent. The Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and Payment Card Industry Data Security Standard (PCI DSS) are some of the well-known guidelines that have advanced compliance-based security.

But regardless of the industry guidelines, both compliance controls and the threat landscape have evolved, introducing a new requirement to address: risk. Security can no longer simply check the compliance box as it could in the past. Risk is the new basis for every effective IT security program.


Tackling security vulnerabilities in health care

Network security is critical for any organization, but in the health care space, with the personal and medical details of millions of individuals in the balance, the stakes are even higher. Out-of-date software, unapplied patches, or even outdated passwords could be the vulnerability that exposes the sensitive information of an innocent and unsuspecting patient base. Two recent security breaches suffered by prominent U.S. health insurers highlight these vulnerabilities.

In February, Anthem Inc., the second-largest health insurer in the U.S., revealed that a previously disclosed hacker attack had compromised the health care records of as many as 80 million individuals. A few weeks later, Premera Blue Cross reported that the personal, bank, and health data of an estimated 11 million individuals had been exposed when hackers penetrated its system in a similar assault.

These two high-profile security breaches have intensified the spotlight on data security and raised several important questions for health care organizations (what HIPAA calls “connected entities”) and for groups that provide supporting services to health care entities (called “business associates”). These groups should be asking the following questions:
