Security Beyond Compliance in the Healthcare Industry

How healthcare organizations can go beyond just meeting compliance requirements for true security.

The rush toward cloud adoption and digital transformation in healthcare has elevated the importance of security, which goes beyond the basic need to maintain compliance with third-party standards.

Compliance requirements provide structure and a minimum level of security to protect organizations, but just meeting these standards is simply not enough.

As cybercriminals become more aggressive and cyberattacks become more frequent, healthcare organizations must seek security solutions that go beyond compliance requirements and baseline security standards to stay ahead of potential threats and decrease the likelihood of data breaches.

What does the data tell us?

Personally Identifiable Information (PII) and Protected Health Information (PHI) are valuable commodities for identity thieves, so cybercriminals are increasingly focused on illegally obtaining healthcare records. Over one million patient records were breached in the first quarter of 2018 alone, and more than 75 percent of respondents to the 2018 HIMSS Cybersecurity Survey have experienced what they consider to be a significant security incident within the last 12 months.

The majority of the reported security threats originated from threat actors that the breached organizations were able to identify as phishing attacks, or more strategic spear phishing attacks, with the main vector being unsecured or inadequately secured email systems.

The survey also revealed that most respondents felt compelled to make adjustments to their cybersecurity solutions following a security assessment, making it all the more surprising that security risk assessments are typically only conducted once a year. There is clearly a substantial value to these assessments, and limiting them to an annual exercise seems astoundingly inadequate.

Be proactive to stay ahead of the curve

No institution is too big or too small to fall victim to an attack, and it’s not enough to simply respond to threats as they arise. The rate and complexity of attacks on healthcare organizations has made proactive security more important than ever, and more frequent security assessments can help identify and address threats before someone exploits them — but that’s just one part of a proactive security program.

Smart healthcare organizations are also utilizing tools to actively test their networks and firewalls, hunting for threat actors and vulnerabilities. Routine threat testing, including penetration testing, also needs to occur more frequently that the obligatory annual security assessment.

All of this systems testing is crucial, but it’s also critical to account for one of the biggest threats to cybersecurity — the human element. Mistakes by insiders within an organization can pose a serious risk, and scammers are always developing new tactics to gain access to systems and data. The best defense for these kinds of attacks is to make sure your workforce is well and continuously trained when it comes to cybersecurity issues.

Security and compliance across platforms

The potential benefits of the cloud are undeniable, even in a highly regulated industry like healthcare. Yet transitioning to cloud presents its own set of unique challenges, and effective utilization requires a very specific expertise. The 2018 cloud security report from Crowd Research Partners found that, even though cloud usage continues to grow, 91 percent of participating organizations were still wary of cloud security, while 42 percent felt that they lacked the staff resources and expertise needed to adopt the cloud within their organizations. Despite these concerns, two-thirds of the participants deemed their cloud investments to meet or exceed their expectations.

Navigating the world of compliance

Effectively maintaining the security and integrity of your healthcare solution and Protected Health Information is no easy feat, and it certainly isn’t cheap, but both are considered table stakes in the healthcare industry. Most organizations are planning to increase the amount of resources used to deal with increasingly refined cyberattacks – more than half of organizations who participated in the HIMSS Survey already have budgets dedicated to the mitigation of cyberthreats and, according to the Crowd Research Partners report, nearly half of organizations plan to increase their cloud security budgets.

The importance of true compliance expertise and capabilities cannot be underestimated. Partnering with the right vendor to develop and host your compliance solution can help take the pain out of compliance and, more importantly, provide a significantly lower total cost of ownership.

Rackspace has extensive experience working within healthcare, building partnerships with healthcare customers to help them understand compliance requirements, while providing managed security services and solutions designed to meet regulatory needs.

Visit our site to learn more about Compliance Assistance, or read one of our healthcare customer case studies. You can also learn more about security in general with the Managed Security Service Providers for Dummies e-book and our recent Win the Cyberwar webinar series.

Chris Christy, FACHE, serves as Director of Healthcare Solutions at Rackspace. He has been professionally engaged in Healthcare for 35 years, working in both hospitals and healthcare technology companies. He brings 16 years of healthcare provider industry experience and previously held administrative spots with nonprofit and for-profit healthcare systems. Chris served five years as Associate Administrator and Chief Operating Officer at several hospitals that were part of American Medical International, which became Tenet Healthcare Corporation. He also served nine years as Vice President for Professional Services at St. Paul Medical Center, a 600-bed facility in Dallas operated by the Daughters of Charity National Health System, now Ascension Health. In addition, he served two years as Regional Vice President for Emcare, Inc, a publicly traded Emergency Room physician group practice. Over the last 19 years, Chris has worked in the enterprise healthcare technology industry. At SAP, he was appointed Healthcare Principal and in 2011 he was named Executive Director for Accountable Care Organizations as a duel role. Subsequently, he also has had healthcare positions at Qlik Technologies and Oracle Corporation. He joined Rackspace in 2018. He is a Fellow in the American College of Healthcare Executives and has served as an Adjunct Professor for Healthcare Strategic Planning at Texas Woman’s University in Dallas. He received his Master of Science in Public Health from the University of Missouri-Columbia in Columbia, Missouri.

LEAVE A REPLY

Please enter your comment!
Please enter your name here