Prevention Is the Best Medicine

By Mark Lanterman

Excerpted from a new chapter written for the June 2016 quarterly report by Mark Lanterman, Chief Technology Officer at Computer Forensic Services: “The Compliance Officer’s Role in Establishing and Maintaining Cybersecurity,” in The Health Care Compliance Professional’s Manual, published by Wolters Kluwer and HCCA.

Digital compliance in health care is an uphill battle; it takes time to craft effective policy when technology is changing daily.

Cybersecurity is a constantly evolving process that means something different for every organization. Generally, cybersecurity is a multifaceted term that covers the methods used to prevent, protect against, and respond to both internal and external cyber-attacks on a cyber infrastructure, which always includes electronically stored and transferred data. While there are accepted and universal frameworks for cybersecurity, the resulting policy is usually custom-tailored to the needs of the organization’s own cyber infrastructure.

Today’s medical technology landscape has left health-related organizations with more to lose. Personal health devices capable of transmitting personal information, such as heart monitors and various other biosensors, allow hackers a variety of possible entry points. In fact, the FDA recently released guidelines for health app developers.[1] Wireless telemedicine systems and other in-office technologies are evolving constantly.

Progress often comes with noise and smoke. These devices evidence a long history of scientific advancement and a narrowing approximation of an ideal—namely, that medical data can be utilized to its fullest potential. Information security has to match this actualization of medical development because the data created is of the utmost value. In practice, each new technology has its own unique uses that add to security and regulatory concerns. The precise details of each could fill volumes.

Fast-Paced Auditing

Digital assets vary from one organization to another, which makes specific preventive measures hard to define. In general, attack prevention should be audited consistently so that an information security policy can be created and carried out within the specific context of the organization. As one general example, outdated and unpatched software applications pose a serious risk. Cyber criminals often target older, outdated software precisely because of its longevity: the longer a piece of software has been around, the more time criminals have had to develop malware around a known vulnerability that the developer has not yet fixed, or never will.

The IT Team

In many industries, including health care, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, it is important to understand that many preventive measures can be expensive. An organization’s information technology (IT) team or information security team, however, has a serious leg-up on outside threats—they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it—IT. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team that is well-equipped to address the specific context of the organization is key to developing a strong security posture.

Data Access Controls

Another under-analyzed piece of the preventive data security puzzle is data access control. More simply put, not every employee of an organization should have full access to all data. Even in the case of IT, I typically recommend that staff use nonprivileged credentials for daily activities. This is a central step in minimizing risk, as it inherently reduces the number of access points through which data can leave the confines of the organization’s network. The greater the number of privileged credentials, the greater the risk that one of them is compromised and used to escalate an external threat. Accordingly, it is also crucial to consider internal threats alongside external hacking threats. For example, a disgruntled employee gains access to sensitive data, steals it, and posts it publicly online. Limiting access to critical data on an as-needed basis can in some cases preemptively eliminate this risk altogether. People are a company’s biggest asset and its biggest liability with respect to information security. Awareness and implementation of policy is key to maintaining that “culture of security.”
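The three controls described above (separate nonprivileged daily credentials for IT staff, need-to-know access to data, and keeping the count of privileged credentials low) can be modeled and checked in code. The following is an added example, not code from the article or from Computer Forensic Services; the account names, data categories, and directory entries are constructed.

```python
# Added example: a minimal least-privilege access model. All names and data
# below are constructed for illustration.
from dataclasses import dataclass

# Constructed set of data categories an organization might classify.
DATA_CATEGORIES = {"phi", "billing", "hr", "public"}


@dataclass(frozen=True)
class Credential:
    user: str                 # the person behind the account
    account: str              # e.g. "jsmith" (daily) vs "jsmith-admin"
    privileged: bool          # may perform administrative actions
    need_to_know: frozenset   # data categories this account may read


def can_read(cred: Credential, category: str) -> bool:
    """Need-to-know check: access is granted only when the category is
    explicitly assigned to this credential. Being privileged does not
    by itself grant data access, so an admin account without a
    need-to-know assignment still cannot read PHI."""
    if category not in DATA_CATEGORIES:
        raise ValueError(f"unknown data category: {category}")
    return category in cred.need_to_know


def can_admin(cred: Credential) -> bool:
    """Administrative actions require the privileged account; the daily
    account used for routine work is always refused."""
    return cred.privileged


def audit_privileged(creds) -> dict:
    """Figures a security assessment would report: how many privileged
    credentials exist, and which users hold more than one of them."""
    by_user = {}
    for c in creds:
        if c.privileged:
            by_user.setdefault(c.user, []).append(c.account)
    return {
        "privileged_count": sum(len(a) for a in by_user.values()),
        "users_with_multiple_privileged": sorted(
            u for u, a in by_user.items() if len(a) > 1),
    }


# Constructed directory: the IT admin has a daily account and a separate
# privileged account; clinical and HR staff see only their own categories.
DIRECTORY = [
    Credential("jsmith", "jsmith", False, frozenset({"public"})),
    Credential("jsmith", "jsmith-admin", True, frozenset()),
    Credential("nurse1", "nurse1", False, frozenset({"phi", "public"})),
    Credential("hrlead", "hrlead", False, frozenset({"hr", "public"})),
]
```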

Digital Security Assessment

Speaking generally, policy is best informed by an audit of all controls that prevent attacks from external and internal threats. There should be a layered approach to information security. In other words, the organization should have a digital fence, but also a locked front door. To determine the relative “health” of the organization’s security posture and inform preventive measures, a digital security assessment is recommended. Such an audit goes beyond simply testing an organization’s network for vulnerabilities. Rather, an assessment gives a more complete picture of an organization’s security posture—focusing on policy, controls, and procedure, and on the effectiveness of their implementation. When I conduct security assessments for corporations, I get the sense that tech infrastructure is often a “set it and forget it” affair. Essentially, digital infrastructure is installed, configured, and then never touched again. In reality, when it comes to information security, the human element of technology is just as important as, if not more important than, the tech itself.

Lanterman’s Top 10 Security Policy Tips

  1. Educate people about the risks and the demands of the policy.
  2. Take active steps to ensure that the policy is up-to-date and actually responds to your organization’s use of technology.
  3. Take the pulse of your organization’s digital security with the implementation of regularly scheduled audits.
  4. Inform policy through collaboration with legal, IT, and possibly outside vendors.
  5. Know what digital assets need the most protection.
  6. Limit access to only essential users.
  7. Prepare for the worst and have contingency plans in place.
  8. Recognize that breaches can also come from the inside (e.g., a disgruntled employee).
  9. If such an event occurs, don’t be hasty in notifying customers before understanding the scope and severity of the breach.
  10. Protect yourself in vendor contracts (e.g., add audit clauses).


[1] http://www.fda.gov/downloads/MedicalDevices/…/UCM263366.pdf.