“Healthcare as an industry has not taken seriously security in the past, to the extent that other kinds of industries have taken security and privacy, and has not bothered to put those security components into place that would protect the privacy of that information,” says Kibbe in an interview with Information Security Media Group. “They are trying to play catch-up now, very desperately.”

Recent breaches in the healthcare sector, such as the cyber attack on Anthem Inc., which impacted nearly 80 million individuals, show that “information is in these giant repositories, and is quite vulnerable to the bad guys breaking into that information and making use of it,” he says.

“It’s worse in healthcare than it is in other industries that have hardened their security practices as a result of these hacks,” he says. “We’re starting to see healthcare institutions and organizations being hacked because they’re easier targets.”

Kibbe recently testified at a Senate Committee on Health, Education, Labor and Pensions hearing about the state of secure information exchange in the healthcare sector, which is often hindered by intentional “information blocking” (see How to Unblock Secure Info Exchange).

That includes information blocking caused by interoperability issues between electronic health record systems from different vendors, as well as situations in which healthcare providers incorrectly use the HIPAA privacy rule as an excuse for refusing to share patient information with other healthcare entities.

There are several important steps that healthcare entities can take to improve the overall protection of health data, as well as safeguard patient information that’s being exchanged with others, Kibbe says. That includes implementing strong encryption for data at rest and in transit; using multi-factor authentication; and building much better awareness of security and privacy throughout the healthcare sector.

Healthcare entities need “to take privacy and security very, very seriously beyond their own enterprises,” he urges. “We now live in a world where health information, as well as other personal information, exists in the cloud and people need to be very wary. They can put moats around their own information resources, servers, but you have to think about everybody else’s servers at the same time.”

In the interview, Kibbe also discusses:

The security and privacy challenges faced by health information exchange organizations that handle and store large volumes of patient data;
A progress update on the use of Direct secure messaging in the healthcare sector;
DirectTrust’s plans to unveil in 2016 Direct-based secure texting and “chats” for use on mobile devices, such as smartphones, in the healthcare sector.
Kibbe, a physician, is founding president and CEO of DirectTrust, a nonprofit alliance that created and maintains the security and trust framework for using the Direct Project for secure e-mail in the healthcare sector. He is also senior adviser to the American Academy of Family Physicians. Kibbe in 2014 was named a top 10 Healthcare Information Security influencer by Information Security Media Group.

This article was published in the August 14, 2015 edition of DataBreach Today.

Preparing for a data breach incident
1. Make a disaster recovery plan that details the specific steps to take and each employee’s exact responsibilities if a data breach occurs. From an IT perspective, determine what type of breach it is (virus related, private data accessed or other malicious activity) and develop concise steps to address each type of incident. Have multiple data restoration options available and test them regularly for reliability. Build contact lists of vendors and key response personnel, and create a business continuity plan in case your IT systems are rendered unusable. Your IT group should also document baseline configurations so they can be used for comparison after an incident.

2. Test and work the plan on a regular basis to better train your key personnel and to keep your disaster recovery plan updated with your ever-changing office environment. Incident preparedness training ensures that all company personnel are ready to handle data breaches before they occur. Training should make employees aware of the overall security plan and the related response measures so that they help rather than hinder the recovery process.

3. Commit the proper amount of resources to prevent an attack. This means committing monetary resources on an annual basis to proactively address security issues. It is much less costly to be proactive than to be reactive. The “It won’t happen to me” security approach is a recipe for disaster.

4. Consider data breach insurance, which can help offset much of the cost of a data breach incident. These plans are not new and should become a staple item when reviewing annual insurance coverage.

Your business computer system has many pieces, and you may not be aware of where security weaknesses are hiding. IT often becomes an afterthought, or something that a business owner does not want to think about, much less worry about. But, like a business vehicle, your IT system needs regular attention if you expect it to work when you need it.

The major items covered in an IT Assessment:
Data backups – Are they automated? / Do they happen consistently and reliably? / Is there a layered approach with multiple options for restoration?
Disaster recovery – Is there a plan to quickly restore computers, servers, and even your entire network in the event of a catastrophe?
Front-line Internet protection – Does your network’s firewall have the latest security patches? / Are there open windows from the outside into your network? / Is the firewall unit a business-class device? / Are you relying on the firewall functions of your Internet modem?
Anti-malware protection – One of the most common ways attackers gain access is through lax, expired or entirely absent security software.
Remote access to your internal network – Does your office use a wireless guest network, or do you give visitors direct access to your corporate LAN? / Is your employees’ remote access secure? / Do you opt for convenience over security?
Privacy policies – Are your employees educated on best practices for protecting your customer data? / Is there an Internet and computer usage policy? / Are field computing devices using encryption?
Data breaches and IT security threats are becoming more prevalent. The longer you wait to address your IT weaknesses, the more likely they are to become a problem.