With the arrival of 2019 rapidly approaching, now is a great time to take a close look at your data security efforts to ensure they are up to date and strong for the coming year. Whether it's process, practice or technology, security is not something that should be ignored as the year comes to a close, particularly given the number of recent data breaches.
Adding to that, with security compliance regulations like HIPAA and others in force, a data breach presents much more than data loss to a healthcare institution. It brings significant financial and reputational consequences as well.
So, what best practices can your organization implement to help secure your business’ data? Following is a recommended checklist:
1. Data Governance: Define, Implement, Enforce and Revisit as Part of Corporate Strategy
To protect the data your organization holds, it is essential to follow a data governance model. There are four pillars to this: define, implement, enforce and revisit.
When defining your model, it’s essential to make the strategy simple. It should clearly outline the rules and regulations within the business as well as the regulations and compliances that affect your organization. To help ensure the model is followed, it’s critical to secure board and c-suite buy-in at the outset, and establish internal committees to help with the process. Don’t forget to determine what granular control policies, persistent encryption, conversion needs, etc. are required to make this a success as well.
To implement this, you need to identify your encryption and key management solution and establish and apply identity and access control policies. When enforcing the data governance model, it's key to track all of your data (live, cloned, replicated and deleted virtual machines, backups and so on) and know where it is at all times. Auditing and reporting procedures should be established, and all users should be trained on the policies. Communication must be clear and regular.
With regards to revisiting the model, set a lifecycle for this and stick to it. There’s no better time than now to ensure your data governance model is relevant and aligned appropriately with your business and that it is agreed to and followed from the top down.
2. Security Compliance Regulations: Ensure Your Institution can Readily Address Them
With acts and statutes like HIPAA, PHIPA, ObamaCare, the EU GDPR and others requiring protection of personal data, and with health data breaches continuing to happen on a regular basis, the need for healthcare information security and protection has never been greater.
However, it’s important to keep in mind that few organizations will be starting from scratch, considering that data protection laws have been in place for a while, and many organizations will be complying with existing standards, e.g., PCI DSS when it comes to patient payment information. So, assess what, where and how personal data is stored, processed and transferred within and outside your organization’s structure. Check every department from marketing to HR, legal and IT. Then, determine where any gaps are, fill them in with appropriate business practices and protective safeguards, and take a proactive and engaged approach with regular risk assessments and ongoing employee awareness.
3. Data Center: Protect it Whatever its Structure
Data centers are evolving. They are no longer simply server banks used for simple back-ups, disaster recovery, or server processing. Many enterprises are transitioning their infrastructure to become virtualized, and most have begun shifting workloads to the cloud. While simple in concept, and ultimately a cost-saving and agility-producing measure, there are significant complexities with changing out IT infrastructure. Migrating workloads from older systems to newer ones can also create a maelstrom of incompatibilities and security issues if done in patchwork fashion. Solutions such as hyper-convergence which combine compute, storage and networking into one solution are being quickly adopted as a means to efficiently consolidate data center infrastructure. But what about consolidating data security solutions?
The potential trouble with these newer "data center models" is that virtual machines and solutions are often much easier to access than their counterparts in the physical world. Easier access generally results in less control. That is particularly dangerous when you are trying to control the sprawl and migration of your critical data and workloads with a mix-and-match of data security solutions.
Given this, it’s critical to ensure you have one data security approach that provides persistent virtual machine-level encryption, so that no matter where workloads are located within the environment – active use, dormant, offline or in backup – the data remains protected. It’s also necessary to prevent unapproved copying and snapshots and relocation of virtual machines outside of your boundaries to protect your data.
4. Virtualization and Cloud: Ensure Proper Checkpoints
With the greater use of virtualization and cloud solutions comes the potentially greater risk of data loss as mentioned. To help protect data in virtualized environments and the cloud, it’s key to establish and enforce policies specific to where data can be accessed, used and stored. Also, revisit and, as necessary, refresh who has access to the virtual machines.
In addition, check that you have the necessary tools to audit, discover and manage virtual machine encryption to reduce the risk of unprotected workloads.
Finally, make sure you maintain a centralized repository of encryption keys that is separated from the hypervisor, so that your enterprise retains exclusive control of its keys and a compromise of the virtualization layer does not by itself expose them to unauthorized parties.
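The checkpoints in sections 3 and 4 (persistent encryption in every workload state, location policies, discovery of unprotected workloads, keys held outside the hypervisor, no unapproved snapshots) can be expressed as a policy-as-code audit over a VM inventory. The following is an added example, not code from WinMagic or from any product described on this page. The inventory format, the field names, the approved regions and the key-store labels are assumptions chosen for illustration; in practice the inventory would be populated from the hypervisor or cloud provider API.

```python
"""Audit a virtual machine inventory against data-location and encryption policy.

Added example; the schema below is an assumption, not a real hypervisor API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed organizational boundary: workloads may only reside in these locations.
APPROVED_REGIONS = {"dc-primary", "dc-dr"}
# Assumed label for key stores that are independent of the hypervisor.
EXTERNAL_KEY_STORES = {"external-kms"}


@dataclass
class Disk:
    name: str
    encrypted: bool
    key_store: Optional[str] = None  # e.g. "external-kms" or "hypervisor"


@dataclass
class VM:
    name: str
    state: str            # "active", "dormant", "offline", "backup" or "snapshot"
    region: str
    disks: List[Disk] = field(default_factory=list)
    snapshot_of: Optional[str] = None
    snapshot_approved: bool = False


def evaluate(vm: VM) -> List[str]:
    """Return a list of policy findings for one VM (empty if compliant)."""
    findings: List[str] = []
    if vm.region not in APPROVED_REGIONS:
        findings.append(f"{vm.name}: located outside approved boundary ({vm.region})")
    for disk in vm.disks:
        # Encryption must persist regardless of state: active, dormant, offline, backup.
        if not disk.encrypted:
            findings.append(f"{vm.name}/{disk.name}: unencrypted while {vm.state}")
        elif disk.key_store not in EXTERNAL_KEY_STORES:
            # Encrypted, but the key lives with the hypervisor: a hypervisor
            # compromise or an exported image takes the key along with it.
            findings.append(
                f"{vm.name}/{disk.name}: key held by {disk.key_store or 'unknown'}, "
                "not by an external key store"
            )
    if vm.snapshot_of is not None and not vm.snapshot_approved:
        findings.append(f"{vm.name}: unapproved snapshot of {vm.snapshot_of}")
    return findings


def audit(inventory: List[VM]) -> Dict[str, List[str]]:
    """Map each non-compliant VM name to its findings."""
    report: Dict[str, List[str]] = {}
    for vm in inventory:
        findings = evaluate(vm)
        if findings:
            report[vm.name] = findings
    return report


# Constructed sample inventory for demonstration (not real systems).
SAMPLE_INVENTORY = [
    VM("ehr-db-01", "active", "dc-primary",
       [Disk("os", True, "external-kms"), Disk("data", True, "external-kms")]),
    VM("ehr-db-01-backup", "backup", "dc-dr",
       [Disk("data", True, "hypervisor")]),
    VM("lab-vm-07", "dormant", "dc-primary",
       [Disk("os", False)]),
    VM("ehr-db-01-snap", "snapshot", "cloud-us-east",
       [Disk("data", True, "external-kms")],
       snapshot_of="ehr-db-01", snapshot_approved=False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(finding)
```

Running the audit on the constructed inventory flags the backup whose key sits with the hypervisor, the dormant lab VM with an unencrypted disk, and the snapshot that is both unapproved and outside the approved boundary, while the properly protected production VM produces no findings. The same structure extends naturally to further checks (for example, key rotation age) as policy is revisited.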
5. Endpoint Security: Unify for a Cohesive Approach to Security
Most hospitals and health systems have a myriad of operating systems and devices (e.g., Windows, Apple, Linux, USBs, Self-Encrypting Drives, etc.). These all come with separate management and reporting tools, with varying levels of data security protections. This disparate array of solutions becomes further problematic when it comes to managing things like software upgrades. Organizations need to look at ways to gain efficiencies in their endpoint environments, while improving data security.
By unifying endpoint data security solutions you put yourself in a position to be agile enough to make decisions regarding investment in emerging technologies. You'll also benefit from continuous protection of data and workloads wherever they travel within the approved environment, and potentially from lower cyber insurance premiums, thanks to unified controls and visibility.
In Closing
Data breaches will continue to be a significant threat for health institutions. By addressing the points in the aforementioned checklist, your organization will be best positioned to protect one of its most valuable assets in 2019 and the years to come.
Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company’s compliance with strict security standards.