The old hands, however, sleep well. They trust Columbus because he is telling his captains to be aware, be careful and be alert.
I give you this scenario to illustrate the difference between Beware!!!! and Be Aware. Beware means to be afraid in a way that is unproductive, reacting to what happens rather than anticipating and preparing for likely events. Be aware means knowing there are dangers and looking ahead to do whatever you can to keep your ship safe.
Unfortunately, many executives and board members at health systems and hospitals who don’t have specific IT security expertise are like the novice crew on the ocean-bound ship. They know data security is under constant threat, but they don’t know if the IT department is doing all that it should to keep data safe. And so they feel a sense of unease about security, hoping, without knowing, that it is all under control.
If you are one of these executives or board members, how do you know that those in charge of your security function are really on top of security? What questions should you be asking?
Data security may seem like a complex technical issue, but a basic security program can be framed in terms of these four components:
- Understanding your risks
- Undertaking basic protections
- Basing your program on industry standards
- Keeping your program current
Let’s walk through each of these principles, and at the end review some questions you may want to ask. Having answers will either help you sleep better at night, knowing that your security team is, indeed, on top of things, or will alert you to areas that could use more attention.
Understand your risks
To understand and address your risks, you have to assess your systems and threats and categorize and prioritize what needs to be done.
Step 1: Complete an inventory of your information processing environment. Your IT department should maintain a formal inventory of all technologies you have. This inventory should include hardware, software, end-user devices and other technologies. The IT department should understand who your users are, including regular, casual and intermittent users, both remote and local. It should also maintain an inventory of information stored within your IT environment and an analysis of what sensitive data you need to protect. This should include special classes of data like protected health information (PHI), personally identifiable information (PII), business confidential information and other sensitive data. The department should know where that data is stored, the means by which it moves through the system and how it is protected at every point.
Step 2: Understand your threats — external, internal and environmental. External threats are attempts from the outside to steal or damage data, including malware, phishing and hacking. Internal threats could include disgruntled employees, accidental disclosures, device loss or careless use of passwords and data. Environmental threats could include security holes in systems, device lifecycle issues or support lifecycle concerns. A device’s end-of-life is the point at which a device is no longer fit for use, and proper replacement is key to ensuring that it can’t be used to breach your system. Support end-of-life is when the manufacturer no longer supports a device or a piece of software, ceasing to provide security patches and updates, leaving your system vulnerable to any new external threats that arise.
Ideally, you would also look at the security of business partners and vendors who have access to your information, because poor practices on their part could expose your data to these threats.
Step 3: Categorize and prioritize threats. To do this, the security team needs to look at each weakness it finds and assess it along these three dimensions:
- Time: Do we need to do this now, or can we wait until later?
- Urgency: Is this fix critical, important or not as important?
- Resource requirements: How many people and how much money are required to fix the problem? Rate the projects high, medium or low on resources required.
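As an added illustration of Steps 1 through 3 (not part of the original article, and not any vendor's tool), the following Python sketch ties the three steps together: a formal inventory that records what sensitive data each asset holds and when vendor support ends, a check that turns support end-of-life into a concrete environmental threat, and a ranking of the resulting weaknesses along the three dimensions above. The asset names, dates and rating scales are constructed for the example; the mapping of "unsupported plus sensitive data" to "critical, now" is an assumption a security team would tune to its own environment.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, List

# Step 1: a formal inventory. Every record is constructed for this example.
@dataclass
class Asset:
    name: str
    kind: str                        # "hardware", "software" or "end-user device"
    data_classes: Tuple[str, ...]    # e.g. ("PHI",), ("PII", "confidential") or ()
    support_end: Optional[date]      # vendor support end-of-life; None if not yet announced
    location: str

INVENTORY: List[Asset] = [
    Asset("lab-results-db", "software", ("PHI",), date(2023, 6, 30), "data center"),
    Asset("front-desk-pc-12", "end-user device", ("PII",), date(2026, 1, 1), "clinic A"),
    Asset("infusion-pump-gw", "hardware", ("PHI",), date(2022, 12, 31), "ward 3"),
    Asset("marketing-site", "software", (), date(2021, 1, 1), "cloud"),
]

# Special classes of data the article says you must know the location of.
SENSITIVE = {"PHI", "PII", "confidential"}

# Constructed "today" so the example gives the same answer whenever it is run.
DEFAULT_TODAY = date(2024, 1, 1)


def unsupported_assets(inventory: List[Asset], today: date) -> List[Asset]:
    """Step 2, environmental threats: assets whose vendor support has already ended."""
    return [a for a in inventory if a.support_end is not None and a.support_end < today]


# Step 3: the three dimensions, as ratings on the article's own scale.
URGENCY = {"critical": 3, "important": 2, "not as important": 1}
TIME = {"now": 2, "later": 1}
RESOURCES = {"low": 3, "medium": 2, "high": 1}   # cheaper fixes rank first among equals


@dataclass
class Finding:
    asset: str
    weakness: str
    urgency: str            # key of URGENCY
    time: str               # key of TIME
    resources: str          # key of RESOURCES
    handles_sensitive: bool = False


def score(f: Finding) -> Tuple[int, int, int, int]:
    """Rank by urgency, then timing, then cost; sensitive data breaks remaining ties."""
    return (URGENCY[f.urgency], TIME[f.time], RESOURCES[f.resources], int(f.handles_sensitive))


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest-priority weakness first."""
    return sorted(findings, key=score, reverse=True)


def eol_findings(inventory: List[Asset], today: date) -> List[Finding]:
    """Turn each unsupported asset into a rated finding.

    Assumed policy (not from the article): unsupported and holding sensitive data
    is critical and due now; unsupported but holding nothing sensitive is important
    and can wait; replacing hardware is costed higher than updating software.
    """
    findings = []
    for a in unsupported_assets(inventory, today):
        sensitive = bool(SENSITIVE & set(a.data_classes))
        findings.append(Finding(
            asset=a.name,
            weakness=f"vendor support ended {a.support_end.isoformat()}",
            urgency="critical" if sensitive else "important",
            time="now" if sensitive else "later",
            resources="high" if a.kind == "hardware" else "medium",
            handles_sensitive=sensitive,
        ))
    return findings


if __name__ == "__main__":
    for f in prioritize(eol_findings(INVENTORY, DEFAULT_TODAY)):
        print(f"{f.asset:18} {f.urgency:14} {f.time:6} resources={f.resources:7} {f.weakness}")
```

Run as a script, the sketch lists the database and the pump gateway (both past support, both holding PHI) ahead of the marketing site, which is older but holds no sensitive data. The point for a board member is that the ranking is only as good as the inventory feeding it: an asset that is missing from the list, or whose data classification is wrong, never appears in the output at all.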
Step 4: Get an objective opinion. It’s never easy to do an objective assessment of your own organization, because it is often difficult for people to see — or admit — weaknesses in their own area of responsibility. An unbiased third-party review can be a good investment. Because an independent advisor isn’t personally involved in the organization, they are best suited to perform an objective analysis. Furthermore, due to their experience in the industry, they are familiar with common weaknesses and threats that might be overlooked by internal staff.
Undertake basic protections
Most breaches aren’t the result of sophisticated attacks from the outside. Instead, most are the result of a lack of attention to basic protections. This isn’t rocket science, but it is necessary and a bit tedious at times, similar to washing your hands between patients. The following basic steps provide frontline protection against a breach and should be a non-negotiable part of your security program. Your protections should fall into three categories: people, processes and technologies.
People
Security is part of everyone’s job, and not just the security group or the IT department. For that to be true, you need to train people to be security conscious. Everyone in the organization should know what phishing is, should understand how to create a strong password and how to keep that password secure. You should provide constant reminders about how to keep data secure, and you should require periodic refresher training to keep it top of mind.
Processes
Equally important is ensuring physical security for all data centers and devices that contain sensitive data. Employees’ access to data should be tailored to their role in the organization, and their access should be updated if their role changes. You need to have processes in place to ensure the strength of passwords and to avoid the need for sharing passwords or writing them down on a sticky note left on a computer. You also need a written policy for dealing with security violations and a process for re-education of anyone who doesn’t follow security rules.
Technologies
There are lots of technological aids for improving security, and they don’t have to be expensive. Encryption of end-user devices is easy to do, and you should have security requirements for all devices used on your network (whether owned by the institution or the employee). Your organization should also actively manage all assets (like desktops, laptops and mobile phones) that you own, tracking their location and use. Perimeter defenses, network monitoring and protection and keeping software patches up to date are other basic technologies that can go a long way to keeping your data safe.
Base your security program on industry standards
The healthcare industry has good guidelines and national (HIPAA, PCI, HITECH), state and local standards that, if followed, will make your organization much less vulnerable. The security industry also has standards (NIST, ISO, HITRUST) that can be used as a framework for a security program, if you overlay the additional healthcare needs and impacts. These standards are based on years of cross-industry experience and provide an excellent framework for data security.
Regardless of the framework you choose, you must be sure to implement it in a way that addresses your individual assessment of risks and threats. It’s important to note compliance with regulations is NOT security. If you are merely checking off the boxes instead of looking at your individual environment, your data will be vulnerable.
Keep your program current
Security is never an endpoint; it is a continuous process of improvement. New threats are constantly emerging. Your organization should have a process in place to ensure that your security arrangements stay in step with current conditions. It should be standard to re-evaluate security with every change in your information processing environment. One way to keep the organization on its toes is periodic third-party reviews.
Questions to ask the CIO
So now that you have a better idea of what a good security program should look like, you should be able to ask the security team to give you more specifics about security. Here are five important questions they should be able to readily answer.
- Do we have a comprehensive inventory of every piece of hardware, software and technology connected to our systems? Do you have a comprehensive inventory of all users, local and remote, and how often they interact with our systems? How about our partners and vendors?
- How are we addressing external threats like phishing and malware? How do you prioritize protections from these and other threats?
- What processes do we have in place to ensure that employees understand and take security seriously? How do we handle security violations?
- When was the last time we had a thorough security assessment by an objective third party?
- What industry standards have you used in designing our security program?
If the security team can’t readily answer these questions, that’s a red flag and you need to dig deeper. It may be time to get a security expert to do a review and tell you what is really going on. Your data will be safer and you’ll sleep better at night.