This article is part two in a series first published in Health Management Technology in the July 2015 issue.
Cybercrime in the healthcare industry is working its way into the headlines on a regular basis. The news is always jarring and disconcerting – and leads to much talk around creating a defensive plan.
THE PROBLEM: Developing a strategic security plan is similar to going to the gym. Many people think about it, acknowledge its importance, but then fail to take action. Getting started and staying the course, however, is a doable task, one that healthcare leaders should zero in on immediately. In fact, in 2014, the FBI called attention to the importance of doing so by sending a warning to healthcare providers that weak cyber security practices were leaving the industry exposed to attacks. According to a report in Reuters, the agency sent a private notice to healthcare companies stating the industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”1
The good news is that getting started on a security plan should be relatively easy, as there are many models available. For example, the following publications can help healthcare leaders kick-start the strategic security planning process:
- “National Institute of Standards and Technology (NIST) Special Publication 800-100 – Information Security Handbook: A Guide for Managers”
- “NIST Special Publication 800-64 – Security Considerations in the Information Systems Development Life Cycle”
- “Federal Communication Commission Cyber Security Planning Guide”
- “Health Information Trust Alliance (HITRUST) Statement on Healthcare Industry Cyber Breach Events” (see the sidebar for more).
THE BAD NEWS IS, even with all this information, many healthcare organizations still tend to sit idle for far too long. Healthcare organizations often spin their wheels by focusing on calculating the likelihood and impact of incidents, and dwelling on factors such as annualized rate of occurrence (ARO), annual loss expectancy (ALE), and risk assessments. Instead, healthcare organizations should move quickly beyond these preliminary exercises and actually create a concrete plan of action.
To turn such aspirations into reality, leaders can follow a few simple steps. First, you need to create a strategic security plan and structure that gets the same level of sponsorship and attention that other strategic programs within your organization receive. To get this high-level buy-in, it’s important to realize that information security strategic planning needs to be in sync with greater organizational plans. As such, the strategic security plan needs to support the achievement of broader goals and be recognized as something that adds value to your organization and customers – not simply as a cost or risk management item.
IN ADDITION, a strategic security plan requires a clear mission, goals, and objectives. More specifically, your organization needs a plan for achieving security goals and a means to objectively measure your progress toward them. Good structure and governance are also important, so that your plan does not get created and then shelved without receiving the ongoing reviews, revisions, and updates that circumstances require.
Even though there is not a single definitive list of items that your strategic security plan needs, it’s important to ensure that it addresses:
- Governance and structure: Who’s responsible for what and how it all works together
- Compliance with established regulations: A description of the specific areas that constituents are required to address, and an explanation of how the plan maps to and supports established industry requirements.
- Data loss prevention: The how and why behind data protection standards.
- Access protection: Detailed standards that provide the right people with the right level of access, ensuring that key staff get access to what they need to properly treat patients.
- Awareness and training: Support for a culture that is keenly aware of the importance of protecting information systems and security, and one that continually develops training for employees and vendors.
- Security planning and risk assessment: Processes, plans, procedures, and standards that support security planning. For instance, a healthcare organization’s risk management program, risk assessment frequency, and updates, as well as security assessments, standards, and documentation, must all support the planning and assessment process.
- Contingency planning: Standards, plans, and processes for impact analysis, controls, recovery strategies, planning, and testing must exist as part of your organization’s comprehensive contingency planning.
- Situational awareness: Standards, processes, and implemented technology that support monitoring of, and alerting on, any exposure.
- Incident response: Standards that cover the preparation, identification, containment, eradication, and recovery phases for identified incidents.
- Organizational standards and procedures: Standards and requirements of the organization that address change management, product acquisition, vendor selection, integration, interconnecting new systems, configuration management, etc.
While all of these items are important, it’s most imperative to strive to develop a clear, easily understood plan. A clear plan that is in sync with the organization’s overall goals and that receives a high level of commitment from leadership will always be more sustainable than a complex detailed plan that becomes burdensome to all.
After developing such a plan, leaders then need to turn their attention to ensuring that their organizations are consistently following the specifics set out in the document – or, as the saying goes, walking the walk.
Part three of this ongoing series on security issues will focus on how your healthcare organization can fight cybercrime by optimally implementing strategic security plans.
HITRUST: Key security initiatives
By Ron Ropp and Becky Quammen
The Health Information Trust Alliance (HITRUST) encourages organizations of all types and sizes to ensure they are implementing and adopting these four key activities:
- Leverage the HITRUST Cyber Threat XChange: This service feeds threat intelligence information directly into an organization’s SIEM systems and allows automatic and instantaneous response.
- Adopt a strong controls framework: The framework should embody the elements of the NIST Cybersecurity framework. The HITRUST CSF Framework incorporates the NIST Cybersecurity Framework and provides industry-specific implementation controls and guidance.
- Participate in cyber preparedness and response exercises: The nationwide HITRUST CyberRX 2.0 exercises and educational town halls are an invaluable resource for organizations to leverage for cyber preparedness and response exercises.
- Understand the threats in your environment: Leverage a deep discovery tool or other analysis service to better determine if cyber threats are present or if evidence of a prior breach is evident.
$750,000 HIPAA settlement emphasizes the importance of device control policies
Cancer Care Group agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.
Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.
On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information – and clinical information of approximately 55,000 current and former Cancer Care patients.
OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.
OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted back-up media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” says OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
Cancer Care has taken corrective action with regard to the specific requirements of the privacy and security rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA rules.
The Resolution Agreement and Corrective Action Plan (CAP) can be found on the OCR website at hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html