A recent whitepaper from SANS, an information security training and security certification company, assesses healthcare organizations' awareness of data security issues and provides steps to reduce security risks and stay HIPAA compliant.
The report revealed the following findings:
- Almost 50,000 unique events of a malicious nature took place within the health IT environment during a 13-month period when intelligence was gathered.
- Networks and devices at 375 U.S.-based healthcare-related organizations were compromised during the data gathering period.
- Compromised devices included everything from radiology imaging software to firewalls to email servers.
- A significant number of compromises came about due to very basic issues such as not changing default credentials on firewalls.
The report offers a four-step process to mitigate security risks and maintain HIPAA compliance.
1. Know what's on your network. Healthcare organizations should inventory everything including devices such as printers, personal medical devices and institutional medical instruments. Healthcare organizations need to secure and protect all devices and instruments with strong passwords and two-factor authentication.
2. Think like the attacker. Default passwords and insecure entry points are just a few of the vulnerabilities an attacker will attempt to exploit. It is necessary to think outside of the box, because attackers have done everything from using a network fax machine to access prescriptions to manipulating surveillance cameras to capture the passcode to the server room.
3. Consider your network pathways. In addition to protecting entry into devices and systems, organizations need to protect outgoing information. Egress filtering, which means monitoring, controlling and, where necessary, restricting the flow of outbound traffic, helps ensure that unauthorized or malicious traffic does not reach the Internet.
4. Assess and attest. Healthcare organizations should continually assess their systems for potential vulnerabilities, make repairs and improvements based on the findings, and attest to the actions taken. It is critical not to get bogged down in the many rules and regulations for attestation and overlook the overall needs of the system.
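The four steps above read as a review loop: enumerate what is on the network, flag the basic weaknesses an attacker looks for first (default credentials, missing two-factor authentication), check that outbound traffic is actually constrained, and record the result for attestation. The following script, added here as an illustration and not taken from the SANS report or any vendor tool, runs that loop over a constructed device inventory and two constructed egress policies (a weak one with a catch-all allow and a corrected one ending in a default deny). Device names, the `Device`/`EgressRule` types, the 203.0.113.0/24 and 198.51.100.53 destinations (documentation-only address ranges standing in for a vendor network and an external resolver) and the `attested_by` field are all assumptions made for the example.

```python
"""Review an asset inventory and an egress policy, then produce an attestation record.

Added example; all data below is constructed and does not come from the SANS whitepaper.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str                      # hypothetical hostname
    kind: str                      # printer, imaging, firewall, email server, ...
    uses_default_credentials: bool
    two_factor: bool               # two-factor authentication enforced for admin access


@dataclass
class EgressRule:
    action: str   # "allow" or "deny"
    dst: str      # destination CIDR, or "any"
    port: str     # destination port, or "any"


# Step 1: constructed inventory covering the device classes the report lists.
INVENTORY = [
    Device("fw-edge-01", "firewall", uses_default_credentials=True, two_factor=False),
    Device("pacs-radiology", "imaging", uses_default_credentials=False, two_factor=False),
    Device("mail-01", "email server", uses_default_credentials=False, two_factor=True),
    Device("lobby-printer", "printer", uses_default_credentials=True, two_factor=False),
    Device("infusion-pump-12", "medical instrument", uses_default_credentials=False, two_factor=False),
]

# Step 3: constructed outbound policies, evaluated top to bottom, first match wins.
WEAK_EGRESS = [
    EgressRule("allow", "203.0.113.0/24", "443"),  # placeholder vendor network (TEST-NET-3)
    EgressRule("allow", "any", "53"),              # DNS to anywhere: too broad
    EgressRule("allow", "any", "any"),             # catch-all allow defeats egress filtering
]
HARDENED_EGRESS = [
    EgressRule("allow", "203.0.113.0/24", "443"),  # same placeholder vendor network
    EgressRule("allow", "198.51.100.53", "53"),    # placeholder external resolver (TEST-NET-2)
    EgressRule("deny", "any", "any"),              # everything else is dropped
]


def review_inventory(devices):
    """Steps 1 and 2: flag the basic weaknesses an attacker tries first."""
    findings = []
    for d in devices:
        if d.uses_default_credentials:
            findings.append((d.name, "default credentials in use"))
        if not d.two_factor:
            findings.append((d.name, "two-factor authentication not enforced"))
    return findings


def review_egress(rules):
    """Step 3: confirm outbound traffic is restricted to named destinations."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.dst == "any":
            scope = "all ports" if r.port == "any" else f"port {r.port}"
            findings.append((f"rule {i}", f"allows {scope} to any destination"))
    last = rules[-1] if rules else None
    if last is None or (last.action, last.dst, last.port) != ("deny", "any", "any"):
        findings.append(("policy", "no final deny-all rule; unmatched outbound traffic is allowed"))
    return findings


def attestation_record(devices, rules, attested_by):
    """Step 4: summarize what was assessed and what remains open, for sign-off."""
    inv = review_inventory(devices)
    eg = review_egress(rules)
    return {
        "devices_reviewed": len(devices),
        "device_findings": len(inv),
        "egress_findings": len(eg),
        "status": "open" if inv or eg else "clean",
        "attested_by": attested_by,  # hypothetical field for the person signing off
        "findings": inv + eg,
    }


if __name__ == "__main__":
    for policy_name, policy in (("weak", WEAK_EGRESS), ("hardened", HARDENED_EGRESS)):
        record = attestation_record(INVENTORY, policy, "security-officer (placeholder)")
        print(policy_name, record["status"], record["device_findings"], record["egress_findings"])
        for item, issue in record["findings"]:
            print("  ", item, "-", issue)
```

Running it shows the weak policy producing three egress findings (the broad DNS rule, the catch-all allow, and the missing final deny) while the hardened policy produces none; the inventory findings stay open under both, which is the point of keeping the attestation record tied to the assessment rather than to the rulebook.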