2014 Healthcare IT Security




2014 Healthcare IT Security Checklist & Recommendations www.nuvodia.com

While IT services are an integral part of daily operations for every industry, the healthcare sector faces some particular challenges that aren't relevant to other businesses. For example, non-healthcare businesses can expect some sticking points from one or more of the following:

- Frequent updates. Keeping up with the latest technological developments is a must for any IT department, including scheduling regular updates to both software and hardware. Unfortunately, technology changes more quickly than any organization can reasonably expect to keep up with, and many struggle to find the capital expenditure required to stay current.

- The paperless transition. A number of companies are making the transition to conducting business transactions digitally, or even going entirely paperless within the office. This is done not just out of environmental concerns, but also because dealing with hard copies is becoming more tiresome in terms of physical maintenance, storage and protection.

- The cloud. More organizations are moving their daily operations to the cloud in order to save on IT expenditure (often specifically because of the two points above). This transition requires revisions in infrastructure as well as policy, both of which mean more capital expenditure initially, even though those updates can generate significant savings down the road.

- Staff training. Keeping staff appropriately trained and updated is just about a full-time job in and of itself, especially given all of the changes associated with IT these days. It's essential to maintain consistent technology policies across all departments, and even more essential to ensure that those policies are followed and enforced.

This list is not complete by any stretch, but it does give at least a glimpse of some of the common challenges the typical SMB faces when reviewing technology requirements and capabilities. Healthcare organizations not only face all of these same questions and obstacles; in many cases the issues are compounded:

- Already complex and costly software and hardware updates need to be made in line with ever-changing regulatory guidelines.
- Going paperless in healthcare means ramping up security standards for the transmission and storage of EHRs/EMRs.
- Moving to the cloud may look great on paper, but can healthcare organizations afford to open themselves up to the risks and vulnerabilities that are likely to arise from an improperly executed transition?

This ebook takes a closer look at the top 12 challenges and risks facing healthcare organizations today, along with recommendations for how to avoid those risks in the first place and how to control them if they do occur.

THE TOP 12 CHALLENGES AND RISKS FACING HEALTHCARE IT TODAY

Challenge #1: Meeting Regulatory Guidelines

Industry regulations such as HIPAA/HITECH are not optional; healthcare organizations are required to comply or risk hefty fines, sanctions or even being shut down. There are several steps that healthcare executives can take to help ensure HIPAA/HITECH compliance:

- Develop and implement comprehensive security policies and procedures, including extensive training of all employees and staff who interact with sensitive data.
- Document all policies and procedures, including the steps that would be taken in the event of a security breach.
- Conduct regular risk assessments to identify existing vulnerabilities, and adjust as needed to mitigate those risks.
- Ensure that business associates are also HIPAA compliant.

HIPAA/HITECH compliance requires a definitive commitment to greater security in terms of both procedure and physical hardware, which means many in the healthcare industry need to adopt a new perspective on protecting patient data: technology investments and upgrades are no longer an elective part of the budget, if indeed they ever really should have been considered as such.

Solution: Healthcare organizations need to prioritize their technology needs. Failure to do so is one of the major contributing factors to the incredible amount of catch-up that so many practices and facilities are struggling with today.

Challenge #2: Assuming Compliance Counts as Mitigating Security Risks

At the same time, just jumping through HIPAA hoops isn't always enough to address all potential security risks within an organization, nor will being proactive about such security risks always be sufficient to ensure HIPAA compliance. Some practices meet certain requirements only nominally. For example, HIPAA requires the appointment of a designated security officer, and it's not uncommon for healthcare executives to assume that an existing CIO fills that role by default. In reality, a security officer needs to be extremely knowledgeable about HIPAA requirements, so an outside specialist may better meet this mandate.

Solution: Don't make assumptions. When auditing for security risks and threats, avoid shortsightedness and err on the side of being exhaustive rather than meeting the bare minimum. This means looking at the not-so-obvious weak spots as well as the obvious ones. Cutting corners is not acceptable and does more harm than good.

Challenge #3: Industry Changes

While it's easy to toss around advice on HIPAA, the truth is that HIPAA's current rules are only the latest round of regulatory change and certainly won't be the final word. New laws and requirements are enacted with almost frightening regularity; any healthcare organization that wants to stay current also needs to stay adaptable and flexible in order to change with the times. As an example, the massive policy updates that have recently occurred because of the Affordable Care Act affect every single healthcare-related practice in the country in one way or another. Yet the ACA isn't likely to be the only new healthcare legislation enacted this decade. Predicting what's next is impossible, so healthcare executives need to focus on being responsive instead.

Solution: Again, healthcare organizations must make meeting technology needs a top priority so that they are better positioned to adapt to industry changes. This means upgrading existing infrastructure to current industry standards while leaving plenty of leeway for the requirements that as-yet-unforeseen laws and regulations may impose.

Challenge #4: How to Ensure Compatibility with Other Entities

In order to create the most effective security environment, it's essential for healthcare organizations to ensure their compatibility with similar and related entities. This has to occur not just locally, but on a global scale. Perhaps the most immediate example is the ICD-10 transition. While organizations that are still using ICD-9 have been granted a stay of execution until 2015 to make the conversion, even that extensive upgrade leaves the United States behind the rest of the world, which has been using ICD-10 for years while the WHO is already developing ICD-11. The ICD-10 conversion isn't just for the convenience of domestic insurance companies, physicians and coders; after changing over, the United States will be more in line with the rest of the world's essential communications and data collection efforts.

Solution: As overwhelming (from either a practical or a financial standpoint) as compatibility with such wide-ranging changes as the ICD-10 conversion may feel, they can be made more manageable with the right attitude and proper planning. Making small changes as they become financially and/or technologically possible keeps organizations moving forward while keeping costs from spiraling out of control too quickly.

Challenge #5: Embedded Devices

Networked medical devices like patient monitoring systems and imaging devices are becoming more and more prevalent throughout the healthcare system. Although these innovations introduce a wide range of benefits to healthcare providers, support staff and patients alike, they also present the possibility of new risks. Embedded connectivity makes monitoring and tracking overall productivity much easier, while at the same time helping to reduce human error. Yet this type of networked medical solution also means a greater strain on bandwidth, along with exposing the entire network to malware from a very different source than the traditional PC.

Solution: Ensure that any security risk audit is holistic, addressing not only the obvious sources of vulnerability (workstations and patient information databases) but also the less obvious ones, which means inventorying every device that has a network connection. It's vital for healthcare executives to closely examine a multitude of elements in order to develop a true assessment of current security hazards.

Challenge #6: How to Maintain Consistent Data Security Standards

It's human nature to look at one system and then try to figure out how best to adapt that system to your own needs. This doesn't quite work in the healthcare sector, though. When it comes to security, what's sufficient for one organization may not be nearly enough for another; copying leads to inconsistency and serious gaps in the specific problems that need to be addressed. It's just common sense that what's perfectly acceptable for a small private practice isn't going to translate directly to the needs of a much larger facility, or even of another small facility that covers a different specialty. Keep this in mind when developing security policies and standards.

Solution: It's important for healthcare executives to understand that a customized security solution is the only correct answer when it comes to mitigating risks. Organizations have to do what's right for them while still meeting regulatory guidelines. Although the word "customization" may sound expensive, that's not always the case. A tailor-made security solution isn't necessarily a bad thing for organizations; however, it can make demonstrating compliance more challenging.

Challenge #7: Cloud-Based Services and Virtualization

From a pure convenience standpoint, there's no contest when it comes to deciding whether making the transition to cloud-based services is a good idea. Once you add financial considerations to the equation, moving IT operations to the cloud becomes a virtual no-brainer. Yet all the same security standards still need to apply in the cloud as in traditionally managed IT. This is not to imply that cloud-based services are less secure, but only that healthcare organizations can't

make the assumption that the same safeguards will be in place in a new hosting environment as were in the old one. All of this ties into knowing exactly where the unique vulnerabilities lie within your own system; for some practices, that is the cloud.

Solution: Treat hosted virtualized desktops and other cloud-based services with the same security considerations as a device that's physically connected to your network. Be aware of any cloud-specific security risks and limitations as well. For example, the rapid technological advances of recent years have for the most part outpaced regulatory oversight and consistent standards; this gap has created wide variance in the services healthcare organizations can expect from cloud computing providers. Any potential service provider should be thoroughly vetted beforehand, and a cloud provider that stores or processes patient data is a business associate that needs a business associate agreement in place.

Challenge #8: How to Address Internal Vulnerabilities

While many healthcare organizations assume that threats only ever come from the outside world of nefarious cybercriminals, the opposite is true far more often: most data breaches occur because of internal security violations. These may be intentional, but they also frequently occur out of ignorance, negligence or deliberate refusal to comply with existing company policies. On a related note, healthcare executives should also recognize that human error remains the biggest commonality among data breaches, as well as the largest concern organizations cite with regard to data security.

Solution: Always examine both internal and external risks, and don't overlook the human element. Any organization can craft clearly stated security and privacy policies that employees agree to follow; actually enforcing those policies needs to be part of it. Be sure to take corrective steps when faced with negligent staff, whether their actions were malicious or merely accidental.

Challenge #9: Improve Breach Detection Capability

Until this point, the listed challenges have dealt only with preventative measures, but what if those aren't enough? What if a breach does occur... and then goes unnoticed for weeks or even months? The longer a breach remains undetected, the greater the risks faced by the healthcare organization itself as well as by any patients whose data is compromised. In addition to knowing how to prevent a breach from happening at all, improving your organization's ability to detect such an incident is at least equally essential. Quickly locating and containing a breach helps limit the damage; the longer containment takes, the more expensive correcting the problem becomes. How can such an event go unnoticed? Easy: because no one's looking for a breach.

Solution: Start looking. Use network and application monitoring methods that are more strategic and comprehensive, and use them often. Review the access logs of the systems that actually hold patient data, not just the perimeter. Check and double-check from different angles and perspectives to eliminate cyber security blind spots.
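The audit-log review that Challenge #8 (internal violations) and Challenge #9 (nobody is looking) both call for, as an added example that is not part of the Nuvodia ebook: a small Python script that reads EHR access-log lines and flags the two patterns an insider breach most often leaves behind, one account opening an unusually large number of distinct patient charts in a day, and chart access at hours when the practice is closed. The log format, the field names, the sample lines and the thresholds are all constructed assumptions; a real EHR audit log will look different, and parse_line() is the place to adapt it.

```python
"""Flag suspicious ePHI access in an EHR audit log (added example).

Two checks that catch the most common insider patterns:
  1. bulk access: one account opens more distinct patient charts in a
     day than the threshold allows (record snooping or a bulk export);
  2. off-hours access: chart access outside the practice's working window.

The comma-separated log format below is a constructed, hypothetical one
(timestamp, user, patient_id, action, source IP).  Real EHR audit logs
differ; adapt parse_line() to your product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  "tlee" opens seven charts at 02:40 in the morning.
SAMPLE_LOG = """\
2014-03-03T08:12:04,jsmith,P10231,VIEW,10.20.1.15
2014-03-03T08:14:40,jsmith,P10231,UPDATE,10.20.1.15
2014-03-03T09:02:11,jsmith,P10455,VIEW,10.20.1.15
2014-03-03T09:30:00,rjones,P10455,VIEW,10.20.1.22
2014-03-03T10:05:51,rjones,P11002,VIEW,10.20.1.22
2014-03-03T02:41:09,tlee,P10231,VIEW,10.20.1.40
2014-03-03T02:41:31,tlee,P10455,VIEW,10.20.1.40
2014-03-03T02:41:55,tlee,P11002,VIEW,10.20.1.40
2014-03-03T02:42:12,tlee,P11003,VIEW,10.20.1.40
2014-03-03T02:42:30,tlee,P11004,VIEW,10.20.1.40
2014-03-03T02:42:49,tlee,P11005,VIEW,10.20.1.40
2014-03-03T02:43:05,tlee,P11006,VIEW,10.20.1.40
"""


def parse_line(line):
    """Turn one hypothetical audit-log line into a dict of typed fields."""
    ts, user, patient, action, ip = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action, "ip": ip}


def parse_log(text):
    """Parse every non-empty line of the log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_bulk_access(events, max_patients_per_day=5):
    """Return (user, day, distinct_patients) for accounts over the threshold.

    Distinct charts, not raw events, so a clinician re-opening one patient's
    record all day does not trip the rule.
    """
    charts = defaultdict(set)
    for e in events:
        charts[(e["user"], e["ts"].date())].add(e["patient"])
    return sorted((user, str(day), len(p)) for (user, day), p in charts.items()
                  if len(p) > max_patients_per_day)


def find_offhours_access(events, start_hour=6, end_hour=20):
    """Return (user, count) for every account with access outside [start, end)."""
    hits = defaultdict(int)
    for e in events:
        if not (start_hour <= e["ts"].hour < end_hour):
            hits[e["user"]] += 1
    return sorted(hits.items())


def analyze(text):
    """Run both checks over a log and return the findings by category."""
    events = parse_log(text)
    return {"bulk": find_bulk_access(events),
            "offhours": find_offhours_access(events)}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        for finding in findings:
            print(kind, finding)
```

Both rules are deliberately crude: the thresholds need tuning per role (a records clerk legitimately opens far more charts than a physician), and an on-call shift makes the off-hours rule noisy unless it is fed a per-user baseline. The point is that the log already contains the evidence; the script only exists because someone decided to look.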

Challenge #10: Taking Action after a Breach

What's the first thing you do after you've identified a breach? If you're not sure, you're not the only one; the primary emphasis among most healthcare organizations is on breach prevention rather than damage control. Inadequate planning leaves healthcare executives without effective guidance on the practical steps their organizations should take in the wake of a breach.

Solution: Include a what-if scenario alongside your other security policies that clearly outlines the course of action to take if a breach occurs, including who contains the incident, who preserves the evidence, and who handles the breach notifications that HIPAA requires. Ensure that each staff member clearly understands his or her role (if any) in such an event, and knows the requirements that need to be followed. Employee training needs to cover all aspects of security protocol, not just preventative measures.

Challenge #11: Understand How Risks Vary

Although few healthcare executives remain unaware that their organization is an enticing target for cybercriminals, they may not be quite sure why that is, exactly. Health-related data is a double target for attackers:

- Financial information, like credit card or bank account numbers, can be gleaned from records in accounts receivable.
- Patient information, such as the data contained in EHRs and EMRs, can be used for a number of secondary purposes.

While financial information is obviously useful to an attacker, specific account numbers can actually be far less valuable than the medical data itself. From insurance numbers (which can be used to file numerous fraudulent claims for reimbursement) to descriptions of a patient's physical characteristics (which can be leveraged into fake IDs or further identity theft), medical identity theft is a huge and growing problem. A stolen card can be cancelled and reissued; a medical history cannot.

Solution: Implement a robust security plan and detailed employee policies that apply to all departments of the organization, not just those you personally think would be a probable target for cybercriminals.

Challenge #12: Check Your Network

Healthcare organizations don't exist in a vacuum; most are connected with any number of vendors and partners, from suppliers to billing to insurance providers... which brings up yet another aspect of medical data security: how are these outside parties protected? Who's conducting their employee training on safety and security, and have they taken half the precautions that you have? The Omnibus Rule makes business associates and their subcontractors directly liable for HIPAA compliance, while covered entities can still be held liable for business associates acting as their agents, removing the blame game from HIPAA at last. This does not in any way lessen the responsibility of healthcare executives to ensure that their practices work only with compliant partners and vendors; if anything, the pressure to protect patient data is only increased.

Solution: Insist upon specific security standards and policies from anyone connected with your organization, put them in writing in the business associate agreement, and expect the same level of protection from outside your ranks as you would from within. Locking the front door doesn't do much good if all the windows are wide open.

YOUR NEXT MOVE

Every business in every industry faces some degree of IT security risk, but the potential for a data breach carries a far more ominous weight for those in the healthcare sector. This stress can end up creating a suffocating and fear-based atmosphere for healthcare executives trying to make the best decisions for their practice, but these concerns don't have to be overwhelming. By working with a managed service provider (MSP) that offers extensive healthcare industry knowledge, organizations can breathe more easily knowing that these issues and more are being met in the ways that are right for them. MSPs can offer more specific healthcare expertise than a general in-house IT department, look at the big picture, and offer comprehensive solutions that cover the bases particular to healthcare. IT costs become more predictable and controlled, eliminating surprises without sacrificing functionality or diligence. Working with a managed service provider also means enjoying a higher degree of scalability and flexibility, as tech support no longer has to be the deciding factor that determines whether or not your organization can move forward.

Nuvodia has roots in healthcare and fully understands the issues listed above as well as a number of other IT concerns not covered in this ebook. With a large radiology group based in Washington State as our parent company, Nuvodia serves hundreds of healthcare clients, including hospitals, clinics and laboratories. With our guidance, healthcare organizations can better face the challenges facing healthcare IT today.

Formed in 2012 by Inland Imaging, one of the nation's leading providers of professional radiology and medical technology services, Nuvodia is a technology services organization. By combining the capabilities, resources and personnel of Inland Imaging Business Associates' technology division, Nuvodia brings with it a decades-long legacy of providing information technology services to the healthcare, utility and professional services industries. Nuvodia's mission is to provide its clients with IT solutions that propel their businesses forward. It looks to enable customers' organizational excellence through innovative, results-oriented technology solutions.

To learn more about Nuvodia, call Andrew Spottswood, Sr. Technology Consultant, P: 206.326.6589, C: 425.516.5641, aspottswood@nuvodia.com. You can also visit Nuvodia.com or connect with us via Facebook and Twitter.

Nuvodia ebooks are made available for educational purposes only, to give you general information and understanding of IT issues. By reading our ebooks, you understand that there is no client relationship between you and Nuvodia. Although this ebook is intended to be current and accurate, the information presented may be changed, improved or updated without notice. Nuvodia is not responsible for any errors or omissions in the content of this ebook or for damages arising from the use of this information under any circumstances. We encourage you to contact us for specific advice regarding your particular circumstances and IT environment.