Healthcare Problems, Security Solutions

Watch to learn an expert-level roadmap that any HIPAA compliance officer can take and use to frame a data security program.



Jen Stone, Principal Security Analyst

“Why are security and compliance gaps so prevalent in the healthcare industry?” The reasons are convoluted and complicated, but Jen Stone breaks them down for attendees into three understandable concepts, each of which she covers in depth: knowledge, tools, and alignment.

She explains, “you’ve got to know what you are protecting in order to protect it.” That starts with building knowledge of the compliance and privacy requirements at your healthcare practice. Jen is not afraid to dive into the important parts of the HIPAA standard itself. As she said with a smile, “we can suffer through it together.”

HIPAA is not easy to understand, and it is even more difficult for the average person to understand how it applies in practice.

Misconceptions are common, but Jen translates what HIPAA “wants” you to do and provides an expert-level roadmap that any HIPAA compliance officer can take and use to frame their data security program.

This webinar was hosted on September 23rd, 2020, as part of SecurityMetrics Summit 2020.

Transcript of Healthcare Problems, Security Solutions

Hello, and thank you for joining me for my portion of the SecurityMetrics Digital Summit. My name is Jen Stone, and my presentation is Healthcare Problems, Security Solutions. Just to give you a brief overview of my experience, I have been in IT for over twenty years, and I received a master's degree in computer information systems over a decade ago. Probably should have looked that number up. When I joined SecurityMetrics just under five years ago, my career focus shifted from primarily IT to primarily cybersecurity. There's a lot of overlap between those two.

During my time at SecurityMetrics, I've completed over a hundred security assessments against various security and privacy standards and regulations, such as PCI, CIS CSC, which used to be called the SANS Top 20, 23 NYCRR 500, which is a New York privacy rule, and HIPAA, which is why I'm presenting on health care security today. So before we get to that, I'm also very fortunate to host the SecurityMetrics podcast. If you haven't listened yet, I encourage you to check it out.

We've had some great guests on who really know their stuff. You can find it anywhere. Just search SecurityMetrics podcast on YouTube, on any of the major platforms. You'll find us.

So diving into health care problems security solutions, our agenda today will cover three overarching topics. First, security and compliance gaps that I commonly see in my health care customers' environments.

Second, what you can do to close those gaps. And then third, how you can potentially reduce that burden that your organization might face when it comes to the people and tools that you'll need to close your security and compliance gaps.

A few acronyms are helpful to know, and brace yourselves. It's going to get a little alphabetty in here. First, HIPAA, which is the Health Insurance Portability and Accountability Act. HIPAA lays out privacy and security regulations for protected health information, or PHI.

HIPAA is enforced by the US Department of Health and Human Services Office for Civil Rights, which is HHS OCR. So HHS OCR enforces HIPAA to protect PHI.

With that language brief behind us, let's get to the quote. "Health care cybersecurity is a key public health concern that needs immediate and aggressive attention." This quote comes from a report by the Health Care Industry Cybersecurity Task Force. This task force was set up by HHS back in 2015, and the members of the task force came from a broad cross section of organizations. So we're talking about hospitals, insurers, security researchers, pharmaceutical.

A lot of voices were included in this task force. They presented the report to Congress in 2017, as you can see from the quote, and they emphasized the concept that health care cybersecurity issues are patient safety issues. So this is pretty important. We all care about our safety.

We all care about our health, and privacy should be of key importance to all of us. A year later in 2018, the task force provided an update on the progress they made as a result of their efforts, and they pointed out a couple things. They've got increasing coordination, improving education. Those were wins.

But if you look at the numbers, there's not real demonstrable progress in preventing breaches, and the lag in meaningful cybersecurity in health care continues today. I didn't include the numbers that show that in this presentation, or the reports, but you can find these reports. If you search "cybersecurity breaches by industry," just that phrase, a lot of reports will show up that support what I'm saying, that health care still has a problem with this, and it's going to for a while.

So why are security and compliance gaps so prevalent in the health care industry?

There's a lot of reasons. But for the purposes of this presentation, I'm going to focus on three reasons, knowledge, tools, and alignment.

Let's start with knowledge. If you wanna protect something, you have to know what it is you're protecting. And in the health care industry, this means understanding the privacy rules. They're extensive, they're detailed, and they're written in lawyer speak.

This language isn't super helpful to normal humans, and it doesn't give a simple, checkboxy type approach for compliance officers or for security personnel who are trying to know how to protect, even if they understand what they're protecting.

And security isn't simple. I mean, we throw around terms like defense in depth, which seems like a simple concept until you start looking at all the pieces of security involved in that concept. This graph, known as the fan, was put out by Northrop Grumman. And I love it, and I hate it.

I hate it because it has so much going on that my brain just recoils. I mean, there's so much there. I wanna walk away and just, go get ice cream or something. I don't know.

But I love it because when you're trying to explain that security has a lot of pieces to it, and that the many pieces are necessary because you're protecting a lot of different things in a lot of different ways, because the threats to what you're protecting can come from a lot of different vectors, this fan is it. Defense in depth is important because you don't ever want to have a single point of failure. Right? So this makes things difficult for the health care industry, particularly at smaller practices and other small to medium organizations that don't have a full team of people who can understand and maintain everything involved here.

Let's get into that a little bit more. So no single person in IT or cybersecurity should be expected to be proficient at all the topics and tools involved in data protection. I've listed just a few of the tools used for defense in depth here.

There's many more. And then in a lot of organizations, not only do you have to understand the topic of the firewall rules, for example, you might have several different types of firewalls, so that you need to understand how the rules work in those specific types. Like Juniper firewalls and Cisco firewalls are both firewalls, and they both have rules that need to be applied, but they don't get set up the same way as each other. And they can be very confusing to read.

If you're not familiar with Juniper, there is time that it takes to understand it. Same with Cisco. It takes time and experience to correctly implement either. And then that applies to all of the defense in depth tools or categories.

You might have several different types of antivirus. You might have several different types of anything that you're using for protection. So then you add on top of that, a lot of organizations have what we call a hybrid environment, where some of their information is on a server at their main offices, and that server might have a completely different operating system from the server in a data center that they're using for some other of their information.

And then some of their information is in the cloud, which is set up similarly, but not exactly the same. You've got to know specific things in specific places. So it just gets more and more difficult to have all the knowledge you need to manage the tools protecting your systems that house your information.

Here's another key gap that I see, and it's not on the technical side so much. It's alignment between the security teams and the business. So Forrester put out a report for Tenable this year. And so, of course, it has potential biases, but what they say aligns with what I see when working with my customers. They said this: business leaders want a clear picture of their organization's cybersecurity posture, but their security counterparts struggle to provide one.

Just four out of ten security leaders say they can answer the question how secure or at risk are we with a high level of confidence.

I've thought a lot about why this might be, and it comes down to a couple of things. First, security teams might struggle to put security concepts into terms their business leaders can understand. There's a lot of jargon, and there's reasons for that. Security needs terms to describe things specifically.

So if security people can't figure out how to translate into ways that let the business leaders weigh what they're hearing against other business risks, there's going to be a gap there. More importantly, though, and I see this more often, I think business leaders are failing to see the potential impact cybersecurity issues can have on their business. So they don't provide a way for cybersecurity to be included in their business risk assessments. And I could do an entire presentation on that topic alone, but I just wanna leave that concept here as a potential place where you might be experiencing gaps.

So let's wrap up this section with another quote from the Health Care Industry Cybersecurity Task Force report. "Now more than ever, all health care delivery organizations have a greater responsibility to secure their systems, medical devices, and patient data." And that's because we're putting more patient data out there. There are more systems, more complex systems, more vulnerabilities, and the health care industry more and more is becoming a target of people who want to maliciously use or tie up that data.

So now that we've set the stage for what the gaps are and why it's important to address them, let's talk about closing those gaps. There's a lot of them. So I'm gonna take this approach. We're gonna read a few of the HIPAA regulations themselves. Sorry.

We can struggle through it together. And then talk about what they might mean in terms of security, and then talk about related gaps and potential fixes. For each fix, I'm gonna talk about what you can do internally or how you can reduce your burden by getting third party help. We'll talk a little bit more about that at the end of the presentation.

So at the beginning of the HIPAA security standards, we find this phrase: "ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity or business associate creates, receives, maintains, or transmits."

Alright.

In terms of security, the law could have stopped there. And, frankly, it might have reduced a lot of confusion, or it might have reduced a lot of feigned confusion over "what am I supposed to do exactly for security?" And I hear that a lot from people. "Well, you need to give me an exact checklist. I need to know exactly what I'm supposed to do."

Seriously? You're supposed to ensure the confidentiality, integrity, and availability of PHI, and that's otherwise known as the CIA triad. That's confidentiality, C, integrity, I, availability, A. The CIA triad is something that is well known in the security industry. We talk about it all the time. So if you have a team that you're working with that says, "what am I supposed to do exactly?" or "HIPAA doesn't spell it out for me," I would question that statement. This is a common concept in data protection, and that phrase in first having a solid cybersecurity program.

So the gap that I see, a lot of organizations don't understand the depth and breadth of a solid cybersecurity program. In general, I find this is because they might know about antivirus. They might know about patching. They might know about good passwords.

But they will take a kind of buffet approach to cybersecurity and say, "I'm gonna put this in. I'm gonna put this in. I'm gonna put this in," because they know those things. Picking and choosing what they know, which means there are gaps around what they don't know. So the fix for that is to adhere to a security standard or framework. Some of the solid ones out there: the NIST Cybersecurity Framework, the CIS Critical Security Controls, ISO 27001.

These are all standards or frameworks that spell out very quickly or very clearly, in a checkboxy fashion, not quickly. Sorry.

But very clearly, exactly where all the details are in a solid cybersecurity program.

Alternatively, you can have your existing security program assessed by a third party.

They will probably take your program and compare it to a framework that they have experience in. That way, they can help you understand your gaps so that you can put the missing pieces in place.

Another key foundational piece to a HIPAA security program is a risk analysis. Honestly, it all starts there. You have to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, electronic protected health information. So if you haven't conducted this, this is one of the places where, when there is a breach or when there is some sort of a complaint against an organization and OCR has to come in and take a look at your systems, if you don't have a risk assessment done, your settlement prices are going to go up. The impact to your business is going to be much heavier than if you had done a risk assessment and tried to make some progress against the risks surfaced by that risk assessment. This is critical. If you haven't done one, do one this month.

So the gap here is knowing how to conduct one. I remember back in the day, when I started off on the help desk, being told, "hey, I need you to do this risk assessment for the organization." I had no clue. I didn't know what I was doing. The learning curve on doing a really good risk assessment is steep.

Most IT people don't have risk assessment as a core competency, and I find that this is a common misconception among the business side of things. They shouldn't be expected to have this knowledge. Risk assessment is an entire industry all on its own. Even if you have IT or security people who are skilled in risk assessment, you're gonna miss a lot if the business isn't part of the process. So what's the fix?

Again, adhere to a framework. There's some really good risk assessment frameworks out there. They might be NIST RMF, OCTAVE, ISO 27001, 27005. These risk assessment frameworks spell out the elements and procedures required to do a thorough and accurate assessment of risk. Or, again, have a third party help you. This doesn't mean you're gonna be completely off the hook for an assessment, because a third party, a good third party, is going to have you fully involved in the risk assessment, or it won't be meaningful, because they're not gonna know any more than your IT folk will know all of the moving pieces behind your business processes in order to do this risk assessment.

In the same section that talks about risk analysis, there... sorry. There's a lot of words here, but kind of scroll your eyes down to item (d). There's a requirement for an information system activity review.

"Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

These are the kinds of things security personnel need to review in order to understand what's going on in your systems.

Because if they know what's going on in your systems, if they know what regular activity looks like, they can detect potential indicators of compromise. Those are the things that let them know, "hey, a breach might be happening."

So what's the gap here?

Many, many health care organizations that I work with either don't do these types of review, or they don't do them in depth to the point that you would have to assume that these organizations are being breached, because they have no way of knowing or demonstrating that they're not being breached. This is one of the key reasons that you have this: to demonstrate that you know your systems are solid, and to take action when you feel like they're not. So done correctly, this takes time. It takes extensive tooling, and it takes personnel.

The fix for this, internally: get a SIEM. A SIEM is a security information and event management tool, or it's a set of tools that you use to do what a SIEM might be doing. It takes people dedicated to tuning and reviewing these reports that come from the SIEM or from related tools. It takes people who know how to address what they're seeing and fix things when they find problems. So, again, the alternative is to engage a third party that offers a managed SOC. A SOC is a secure operation center. A managed SOC might also be called an MSSP, which is a managed security service provider.

So to wrap up, let's get a final word from the task force.

"No organization has all the financial resources it needs to employ enough personnel necessary to consistently and confidently protect its networks and data."

No organization.

So I want you to think about some of the things that we've talked about, and this is just a brief overview of them. Are you doing these things? Do you have these things in place? Do they feel solid? If not, do the personnel internally have the ability and time and resources to do these things? And if not, are you interested in hiring more people?

Full disclosure, SecurityMetrics offers services that fall under the "reduce your burden" concept, which is something that I recommend. I think that you should leave the security tools and the security solutions to the people who specialize in them, so that you can focus on what you specialize in. I think it's a great way to become more secure, and I see it work time and time again for my customers. However, as a security professional, I was very hesitant to give this presentation, because I didn't want it to feel like a sales pitch. And I would never want it to feel like a sales pitch, because that might get in the way of what I think is important information for strengthening your security stance.

It's my primary goal here. So let me tell you that there are a lot of good companies out there that offer third party security services similar to what SecurityMetrics does. I encourage you to seek them out so that you can do a comparison, so that if you do decide to use third party help for your cybersecurity needs, you have done extensive due diligence before deciding on any of them.

If you have any questions, if you have any follow ups that you'd like to do, I am on LinkedIn. That's probably the best way to get hold of me. Send me a message through LinkedIn.

Otherwise, you can send me an email.

If there's anything that I can do to point you in the right direction for your security needs, happy to do it. Thank you for joining me.
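The information system activity review the presentation describes (reviewing audit logs and access reports, learning what regular activity looks like, and flagging potential indicators of compromise) can be made concrete with a small script. The following is an added example, not part of the webinar transcript and not SecurityMetrics' tooling; the EHR audit-log format, the user names, the business-hours window, the internal network range, the terminated-account list and the per-hour patient-volume baseline are all constructed for illustration, and a real review would take those values from the organization's risk analysis and its SIEM.

```python
"""Toy ePHI access-log review: baseline per-user activity and flag anomalies.

Added illustrative example. The log format, users, network ranges and thresholds
below are assumptions, not values from any real system.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample of an EHR audit log (assumed whitespace-separated format):
#   timestamp user action patient_id source_ip
SAMPLE_LOG = """\
2020-09-21T09:02:11 dr.lee VIEW_RECORD P10023 10.0.4.21
2020-09-21T09:15:43 nurse.kim VIEW_RECORD P10023 10.0.4.33
2020-09-21T10:01:05 dr.lee VIEW_RECORD P10077 10.0.4.21
2020-09-21T14:22:18 billing.ana EXPORT_PHI P10023 10.0.5.12
2020-09-21T11:05:00 ex.employee VIEW_RECORD P10010 10.0.4.40
2020-09-22T02:47:30 dr.lee VIEW_RECORD P10452 203.0.113.9
2020-09-22T02:48:02 dr.lee VIEW_RECORD P10453 203.0.113.9
2020-09-22T02:48:40 dr.lee VIEW_RECORD P10454 203.0.113.9
2020-09-22T02:49:15 dr.lee VIEW_RECORD P10455 203.0.113.9
2020-09-22T02:49:51 dr.lee VIEW_RECORD P10456 203.0.113.9
2020-09-22T02:50:30 dr.lee VIEW_RECORD P10457 203.0.113.9
"""

# Assumed review policy. In practice these come out of the risk analysis and
# from baselining real activity, not from a guess.
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # [start, end)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TERMINATED_ACCOUNTS = {"ex.employee"}
MAX_DISTINCT_PATIENTS_PER_HOUR = 5                   # crude clinician baseline


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    patient: str
    src: str


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, patient, src = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, patient, src))
    return events


def is_internal(src, nets=INTERNAL_NETS):
    """True when the source address falls inside an assumed internal range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def review(events, terminated=TERMINATED_ACCOUNTS, hours=BUSINESS_HOURS,
           max_patients=MAX_DISTINCT_PATIENTS_PER_HOUR):
    """Return (category, user, detail) findings for a batch of events.

    Rules, each a common indicator a log reviewer would look for:
      terminated_account  an account that should be disabled is still active
      external_source     ePHI touched from outside the internal network
      off_hours           activity outside the business-hours window
      volume              more distinct patients in one hour than the baseline
    """
    findings = []
    per_hour = defaultdict(set)
    for e in events:
        if e.user in terminated:
            findings.append(("terminated_account", e.user, e.ts.isoformat()))
        if not is_internal(e.src):
            findings.append(("external_source", e.user, e.src))
        if not (hours[0] <= e.ts.time() < hours[1]):
            findings.append(("off_hours", e.user, e.ts.isoformat()))
        per_hour[(e.user, e.ts.strftime("%Y-%m-%dT%H"))].add(e.patient)
    for (user, hour), patients in per_hour.items():
        if len(patients) > max_patients:
            findings.append(("volume", user, f"{len(patients)} patients in hour {hour}"))
    return findings


def summarize(findings):
    """Collapse raw findings into counts per (category, user) for triage."""
    return Counter((category, user) for category, user, _ in findings)


if __name__ == "__main__":
    for (category, user), count in sorted(summarize(review(parse_log(SAMPLE_LOG))).items()):
        print(f"{category:20s} {user:12s} x{count}")
```

Run against the constructed sample, the review is quiet for nurse.kim and billing.ana and concentrates on two things a reviewer would want escalated: the ex.employee account still reading a record after termination, and dr.lee's credentials viewing six different patients in three minutes at 02:47 from an address outside the internal range, which together look much more like a compromised account than like a clinician catching up on charts. The point of the example is the shape of the review, not the thresholds: the rules only work because someone first decided what normal looks like.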
