Over the past several months, a number of reports have shown that healthcare breaches are not just an external problem to tackle. Internal threats are real and growing, and they play an increasing role in how HDOs and EHRs assess and address digital security.
All threats are concerning, no matter what the scale. Whether it’s hacking patient data, infiltrating hospital operations, or medical device takeovers, HDOs must take preventative action that’s ‘always on.’ The good news is that there are steps you can take today to prevent the problem from expanding. Aligning security investments with well-thought-out processes, education and governance is a great formula for doing all you can to prevent attacks from within.
What’s going on
With the growth in digital technology use, restricted budgets and governance, and stretched resources, HDOs are often challenged to find the time, money and staff to optimize their digital security investments. While thefts like stealing a laptop or hijacking credentials to obtain important data are generally driven by financial opportunities, sometimes a threat can come from an employee who just makes a mistake. No matter how it happens, breaches are damaging to an HDO’s reputation and bottom line.
You’ve likely made investments in the right technology to combat these issues. But it’s always a good time to audit and ensure that you’re doing more than the minimum – and that ongoing management and governance is not only in place, but is working.
Authentication, authorization and encryption are the lifeblood of successful digital identity security. Unique digital certificates validate that a device is authentic and assert with high assurance that its messages are genuine. Encryption is digital security 101 to keep bad guys out of good data.
But encrypting data is one step of many in driving comprehensive security. Encryption needs to be supported by key management. IT often focuses on the quality of the encryption and the algorithms used, but may not pay enough attention to the keys themselves. Successful key management means managing it all – products, policies, auditing and staff who know what to look for.
Manual processes are prone to errors. Automation drives high assurance and provides peace of mind that you won’t let digital security certificates expire. It allows for redeployment of what’s likely a small team, and lets you take on other important IT initiatives. Workflows become refined and execution gets easier. When you’re taking proactive measures through automation, you can reduce the risk of security breaches from both internal staff and external actors.
It’s likely that you’re using an electronic health record (EHR) system to gather, share and maintain patient data. As EHRs develop apps for use, the software needs to be signed before it is deployed. Code-signing certificates are some of the most valuable to cybercriminals. Someone that possesses a signing certificate can use that certificate to sign malware and easily distribute it on large hospital networks. It is essential to securely manage these signing certificates before they are turned against you.
Leave no gaps
People, devices, apps – all are part of your ecosystem that must be covered by your digital security program. Many HDOs are bound by budget and believe they have to make hard decisions on which identities to cover. Gaps = an opportunity for a breach. Investing in coverage that doesn’t use a per-cert fee model can help quell budget concerns and ensure that every new identity that enters your environment is digitally secure.
Monitored compliance & governance
Despite the complexities of compliance and what are often disparate demands for discipline, healthcare regulatory agencies really do exist to drive excellence. By following guidelines and industry expectations, you should be reducing risk both inside and outside your organization. Regular cadences and audits of log files, pending digital certificate expirations, personnel changes and regulatory updates help detect issues and can provide the runway you need to prevent catastrophe.
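The automation and audit points above (not letting certificates expire, and regularly checking for pending expirations) come down to a job that walks the certificate inventory and flags anything inside a warning window. The script below is an added example, not from the original post or its author; it assumes the openssl CLI is installed and that the inventory is a directory of *.pem files, and the two demo certificates it creates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a small expiry audit of the
# kind the automation and audit paragraphs describe. Assumes the openssl
# CLI is installed and that certificates live as *.pem files in one
# directory. Directory and certificate names below are constructed.
set -eu

# Returns 0 if the certificate in $1 expires within $2 days (or already
# has), 1 otherwise. openssl's -checkend exits non-zero once the
# certificate will expire within the given number of seconds.
cert_expires_within() {
  cert="$1"; days="$2"
  if openssl x509 -noout -checkend $(( $days * 86400 )) -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Prints the number of *.pem certificates in directory $1 that expire
# within $2 days; a non-zero result is what an automated job should alert on.
count_expiring() {
  n=0
  for c in "$1"/*.pem; do
    if cert_expires_within "$c" "$2"; then n=$(( n + 1 )); fi
  done
  echo "$n"
}

# Prints one report line per certificate with its notAfter date.
audit_cert_dir() {
  for c in "$1"/*.pem; do
    enddate=$(openssl x509 -noout -enddate -in "$c" | cut -d= -f2)
    if cert_expires_within "$c" "$2"; then state="EXPIRING"; else state="ok"; fi
    printf '%-8s %s  notAfter=%s\n' "$state" "$c" "$enddate"
  done
}

# Constructed demo inventory: two self-signed certificates, one valid for
# 10 days and one for 365, so a 30-day window flags exactly one of them.
make_demo_certs() {
  for spec in short:10 long:365; do
    name=${spec%%:*}; days=${spec##*:}
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
      -days "$days" -keyout "$1/$name.key" -out "$1/$name.pem" >/dev/null 2>&1
  done
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
audit_cert_dir "$demo_dir" 30
```

Run it from cron against the real certificate directory and treat any non-zero count from count_expiring as an alert; the 30-day window is a starting point, not a rule.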
Ensuring your staff are compliant is more than a full-time job. But the consequences for missing the goal are just too great to not make the investment.
After all those solid rules and regulations are in place, you must train people to pay attention to them. If you’re fortunate enough to have a department or staff focused on L&D, get them to drive a dedicated program that requires the entire organization to be compliant.
Incorporate a meaningful cadence for reiterating the message. Once a year may be enough; certainly engaging new staff as they come on board is imperative.
Looking for more guidance? Download a copy of our new e-book, “Your Playbook for Driving Digital Security in Healthcare.”