Assess Your Risk

While the challenges in healthcare are daunting, there are several mobile security steps your organization should take to ensure it isn’t an easy target for a data breach. The first is to ensure you are assessing and managing risk effectively.

For example, Beaufort Memorial Hospital in South Carolina hires an outside vendor to conduct an independent risk assessment and security audit annually. The hospital also conducts its own internal assessments every quarter. During these audits, VP of Information Services and CIO Ed Ricks and his team review the hospital’s security systems and practices from an ISO standards perspective. They also take HIPAA regulations and their own internal policies into account. Through this exercise, Beaufort is able to identify its security vulnerabilities and the severity of each.

“Truly understanding your risk is the first step to improving security,” says Ricks. “We know we have vulnerabilities, but we’re not afraid to face this reality. In the end, it gives us the knowledge and power to strengthen our overall security position.”

Many of Beaufort’s most notable mobile security initiatives to date were a direct result of the risk assessments it conducted. For example, these audits alerted the provider to several unencrypted drives on corporate laptops and other mobile devices. In response, Beaufort invested in mobile encryption technology and reinforced its policies regarding this practice. Similarly, risk assessments made the hospital aware of security issues resulting from clinicians ineffectively managing multiple system passwords. In response, Beaufort implemented a single sign-on solution that allows clinicians to use one intricate password to access all hospital systems — even from mobile devices. A secure texting solution was another investment spurred by a risk assessment, one that alerted Beaufort to the dangers of uncontrolled text messaging in a clinical environment.


Focus on the PHI, Not the Device

The security steps taken by Beaufort Memorial are fundamental practices every provider should consider when leveraging mobile devices. These include (but aren’t limited to) enforcing password/lock screen protection on all smartphones and tablets used to access PHI, providing IT personnel with the ability to remotely wipe mobile devices in use at a healthcare facility, effective inventory management of the mobile devices accessing a healthcare network, and sound mobile antivirus and malware protection.

As important as these steps are, it’s equally important to realize that simply trying to cobble together a bunch of one-off technology solutions to address these needs will not provide you with a secure mobile environment. Moreover, the added element of mobility to the healthcare ecosystem has led many providers to mistakenly focus their mobile security efforts on the devices as opposed to where the focus actually belongs — the PHI itself. A mobile health security initiative needs to be treated as part of the overall enterprise security strategy and administered in a fashion similar to the rest of the infrastructure. A mobile device should be viewed as just another endpoint on the network.

“Healthcare security departments that focus on the security of individual mobile devices are actually spending a huge amount of time and money chasing a very small problem,” says Kadrich. “The reason I say it’s a small problem is because if they have security in depth, the fact that one tablet is trying to access 10,000 records should raise a big red flag. There should be a system of controls in place that works to prevent this activity and protect the data.”

Kadrich urges providers not to look at mobility as an individual piece of technology but as part of an architecture or a “system of systems.” Moreover, he challenges hospital leaders to demand that their security leaders be able to demonstrate how their organization’s security architecture works.

“Your security or IT staff shouldn’t defer to vendors when describing your security architecture,” says Kadrich. “They need to be able to articulate or diagram how it works. How do you detect threats? How are those threats identified? How are they mitigated? What pieces of technology support these efforts? Security is not some mystic art. It is a very well-grounded engineering discipline that should elicit a factual answer in response to these questions. If your IT department can’t prove how your overall architecture is secure, use mobile technology at your own risk.”


ABOUT THE AUTHOR

Ken Congdon is the Editor-in-Chief of Health IT Outcomes. For the full article visit: www.pcconnection.com/HealthLibrary


Prepare for Today’s Security Threats

Mount a Healthy Defense

Unauthorized access to a hospital’s or clinic’s network could jeopardize day-to-day operations, not to mention the health of a patient. A secure network is essential to achieve compliance with HIPAA, HITECH, and other security regulations and to avoid the risks and large fines associated with data breaches. A Security Assessment can be a valuable tool to help prepare your environment and IT staff for the issues associated with compliance requirements. An assessment will help you answer important questions about your security stance:

• What threats are you trying to defend against?
• How susceptible are you to external attacks?
• How do you compensate for a user doing something inappropriate in your environment?
• What is your overall risk?

Call an Account Manager to learn more about our assessments and services today. 1.800.395.8685


IMAGE © SERGIO HAYASHI © WAVEBREAKMEDIAMICRO FOTOLIA CONNECTION/HEALTHCARE IT 2014.Q3 27

