Healthcare IT is moving away from the top-down, “command and control” model of 10 years ago, when IT provisioned all devices and the mobile device environment was more homogeneous, strongly managed and secured, toward a much more diverse, heterogeneous environment that includes BYOD, often with less manageability and security. In this new, rapidly changing environment a strong and effective detection and response capability becomes much more important. We can compare this security model to an immune system: when a pathogen appears, the body detects it, an immune response starts to eliminate it, and antibodies are produced to prevent a future recurrence.
In this analogy, a pathogen in healthcare IT security could be a new type of malware or phishing attack, or a risky healthcare worker action such as attempting to copy unencrypted patient records onto a USB key, or attempting on impulse to post sensitive healthcare data to social media. SIEM, DLP and global threat intelligence capabilities are just a few great examples of security detection controls. An effective immune response in healthcare IT security needs to be holistic and multi-layered, incorporating several administrative, physical and technical controls that complement each other for effective risk mitigation. Administrative controls may include updates to policy, risk assessments, effective training, audit and compliance, and security incident management controls. Physical controls may include locks and other physical access and tamper-proofing controls for data, assets and facilities. Technical controls may include anti-malware, IPS, whitelisting, encryption, anti-theft and many others.
Of this mix of safeguards, and with key healthcare trends such as BYOD, social media, mobile healthcare and others increasingly empowering healthcare workers with more tools and options to get their work done, the human factor and effective training are becoming incredibly important. Recent HIMSS research shows that when solutions or security controls lack usability, healthcare workers use these tools and options to get their job done through workarounds that add non-compliance issues and additional risk.
Compounding this challenge, recent HHS OCR audit findings show that many healthcare organizations lack effective training. To be effective, training must move beyond the “once a year, scroll to the bottom and click accept” model to a much more continuous, bite-sized, gamified, engaging form that enables healthcare workers to apply and solidify their knowledge as part of their daily job. Penetration testing needs to include the human factor to help detect vulnerabilities in end-user behavior that can then be remedied. Some innovators such as Wombat Security Technologies have emerged with capabilities in this area. Security safeguards such as DLP also offer special value in educating healthcare workers on the job through “teachable moments”: at the point where a worker attempts an action that is out of compliance with policy, the DLP control can inform them and educate them on safer alternatives.
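To make the two ideas above concrete, the detection control from the immune-system analogy (flagging an attempt to copy unencrypted patient records to a USB key or post them to social media) and the DLP “teachable moment” (telling the worker why the action was stopped and what the safer alternative is), here is a small, added Python example. It is not code from the original post or from any DLP or SIEM product; the PHI indicator patterns, channel names (`usb`, `social_media`, `ehr_share`) and sample events are all constructed for illustration, and a real DLP policy would use vetted dictionaries and validators rather than three regular expressions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed stand-ins for the PHI indicators a real DLP policy would carry;
# a production policy would use vetted dictionaries and validated formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:#]?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

# Hypothetical channel names; a real deployment would get these from the endpoint agent.
REMOVABLE_MEDIA = {"usb"}
PUBLIC_CHANNELS = {"social_media"}


@dataclass
class FileEvent:
    user: str
    action: str        # "copy" or "post"
    destination: str   # "usb", "social_media", "ehr_share", ...
    encrypted: bool    # whether the target volume or channel is encrypted
    content: str


@dataclass
class Verdict:
    allowed: bool
    reason: str        # what the SIEM would record
    guidance: str      # the "teachable moment" shown to the worker


def find_phi(text):
    """Return the sorted names of the PHI indicator patterns found in text."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def evaluate(event):
    """Apply the policy to one event: block risky moves of PHI and explain why."""
    hits = find_phi(event.content)
    if not hits:
        return Verdict(True, "no PHI indicators found", "")
    found = ", ".join(hits)
    if event.destination in PUBLIC_CHANNELS:
        return Verdict(False,
                       f"{event.action} of PHI ({found}) to {event.destination}",
                       "Patient data may not be posted publicly. Raise clinical "
                       "questions through the secure messaging service instead.")
    if event.destination in REMOVABLE_MEDIA and not event.encrypted:
        return Verdict(False,
                       f"unencrypted {event.action} of PHI ({found}) to {event.destination}",
                       "Records leaving the network must be encrypted. Use an "
                       "approved encrypted USB key or the secure file-transfer portal.")
    return Verdict(True, f"PHI ({found}) sent to an approved or encrypted destination", "")


def summarize_blocked(events):
    """SIEM-style roll-up: blocked attempts per user, to target follow-up training."""
    return dict(Counter(e.user for e in events if not evaluate(e).allowed))


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    FileEvent("nurse01", "copy", "usb", False,
              "Patient J. Doe MRN: 00123456 DOB: 01/02/1970 discharge summary"),
    FileEvent("nurse01", "copy", "usb", True,
              "Patient J. Doe MRN: 00123456 discharge summary"),
    FileEvent("resident07", "post", "social_media", False,
              "Interesting case today, SSN 123-45-6789 on the intake form"),
    FileEvent("admin02", "copy", "ehr_share", False, "MRN 00987654 billing export"),
    FileEvent("admin02", "copy", "usb", False, "Cafeteria menu for next week"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = evaluate(ev)
        status = "ALLOW" if v.allowed else "BLOCK"
        print(f"{status:5} {ev.user:11} {v.reason}")
        if v.guidance:
            print(f"      -> {v.guidance}")
    print("blocked per user:", summarize_blocked(SAMPLE_EVENTS))
```

Running the script prints one line per event, blocking the unencrypted USB copy and the social media post while allowing the encrypted USB copy and the internal EHR share, and ends with the per-user count of blocked attempts that a SIEM would surface for audit and training follow-up. The point of the design is that the same event yields both the detection record and the guidance: the verdict carries the reason for the log and the safer alternative for the worker, so the control educates at the moment of the policy violation rather than once a year.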
What kinds of trends and risks, and detection and response safeguards, are you seeing in your healthcare organization?