There isn’t a single solution on the market that can ensure absolute data security for every scenario a healthcare organization faces. The solution always has been (and will continue to be) an in-depth defense model that is based on the requirements of the law, threats facing the business, and risk appetite. It has been said before that complexity is the enemy of security - so we offer you 6 practical steps that will help your organization be more secure.
- Perform an actual risk analysis - The first step towards HIPAA compliance is a Security Risk Analysis. Make sure you are receiving an actual risk analysis and not a vulnerability assessment that has been passed off as a risk assessment.
- Track down all instances of patient data - Often unintentionally, repositories of patient data can accumulate in less than ideal locations (i.e. network scan folders, employee desktops, etc). In order to properly protect patient data, healthcare organizations must first identify all locations of patient data. This is the first step in a security risk assessment.
- Keep all systems patched and updated - Unpatched operating systems and network devices often represent significant risk to healthcare organizations. It is imperative that all systems are regularly patched and that patches are validated with on a quarterly basis as part of a comprehensive vulnerability management program. If your practice doesn’t have a team to do this, consider outsourcing to a reputable partner.
- Have a plan for removal of outdated systems - All healthcare organizations should consider the unique risks that outdated systems (hardware and software) pose to their environment. Before systems reach end-of-life, healthcare organizations should develop a plan for migrating critical functionalities from unsupported systems to supported solutions.
- Security budgets need to increase - Attackers are spending more time, money, and resources to gain access to patient data and other sensitive information. To keep up, healthcare organizations must allocate more funds to their security budgets and begin to leverage new technologies such as Next-Gen AV, EDR, and UEBA.
- Develop a formal security program – Design and implementation of a robust information security program often requires substantial investment of time and resources. Due to increased regulatory burdens and ever-changing threat landscape, healthcare organizations need to enlist the services of a qualified information security professional to develop a comprehensive program.