IT risks that health care firms shouldn't overlook
Network safeguards that can be put into place to prevent illegal access to confidential information
Health care companies have to consider the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act within all of their daily transactions, particularly while handling personal health information (PHI) and electronic PHI (ePHI).
While managing sensitive patient data, three important factors need to be considered by all health care businesses: physical, network and process security procedures.
While the physical security procedures might seem more apparent or intuitive, it’s the network security procedures that either inhibit or aid those with criminal minds trying to access PHI and ePHI. Here are some of the network safeguards that should be considered and/or put into place to prevent unlawful hands from getting access to confidential information.
• Patching: Patching your servers and PCs with automated security updates is a critical security control that is all too easy to overlook as it often happens in the background and without the user’s knowledge. Many cybercriminals will look for unpatched vulnerabilities to exploit and gain access to systems. This is often the method used to infect users who visit a website with malicious code embedded in an ad.
A solution is to use an automated patching tool or service to ensure security updates for operating systems and common applications are applied on a regular basis.
• Backup: Backup of your data has taken on more importance than ever with new threats like ransomware. Be sure your backups are running and secured off-site. Not only do you need to protect data from a hardware failure loss or natural disaster, but you also need to protect it from a cyberattack, which could encrypt that data. Your options are to restore from a good backup or pay the ransom, which is now escalating into extortion.
A solution is to use a business-class backup, not a USB drive, for example, and regularly check to ensure the backup is working. Also be sure that backups are stored off-site in an encrypted format to minimize the risk of a data breach due to lost or stolen backup media.
• Unsupported OS: In the past two years, Microsoft has discontinued support and updates for two widely used operating systems, Windows XP for desktop PCs and Windows 2003 for servers. That means new vulnerabilities will be found by criminals in these operating systems. Even with patching in place, there will be no updates to apply, which places your system at the mercy of potential attackers. It is also highly likely that any security audit of your network would not pass.
A solution is to upgrade to a currently supported OS, like Windows 8.1 or 10 for desktop PCs. Alternatively, evaluate if your Windows 2003 servers’ current function could be better achieved with a cloud solution like Office 365 before upgrading to Windows Server 2008 or 2012.
• Firewall: Another critical IT asset that is oftentimes forgotten because it’s hidden in a computer room or closet. Despite the fact that it continues to work seamlessly, regularly evaluate what you have and whether it’s up to compliance standards. Most firewalls have two components – hardware and software licensing. If you have had a firewall for more than five years, ask yourself if the hardware is still supported by the manufacturer and if the licensing is current. If not, you and your network are open to unnecessary risk.
Part of annual IT planning should be understanding the age and licensing requirements of critical network components like your firewall. If you don’t know how to manage this, check with your firewall vendor. A lot has changed in the past five years and it might be time to obtain a more capable and current firewall.
• Email: There is a growing requirement, from state laws to federal regulations like HIPAA, to encrypt emails containing sensitive personally identifiable information as well as personal health information (PHI).
A common data breach occurs when an email containing personal information is accidentally sent unencrypted or to the wrong party. An additional risk is being out of compliance with state laws related to securing consumer information.
If you regularly work with such information, you need to implement an email encryption solution. The best approach is to have a solution in place which will scan for the information, thereby forcing encryption.
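As an added illustration (not from the article or from Systems Engineering), the content-scanning approach described above reduced to a small outbound-mail check: the identifier patterns, the medical record number format and the encrypt-or-review policy are assumptions, and the sample messages are constructed.

```python
import re

# Assumed identifier patterns for an outbound-mail content scan; a real DLP
# policy would be tuned to the organization's own record formats.
PATTERNS = {
    # US Social Security number in 3-2-4 form, excluding invalid area/group/serial values
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Hypothetical medical record number format: "MRN" followed by 6-8 digits
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{6,8}\b", re.IGNORECASE),
    # Date of birth labelled as such, e.g. "DOB: 04/17/1962"
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Clinical context words (assumed list): not identifiers on their own, but a
# message that contains them deserves a second look before it leaves unencrypted.
CLINICAL_TERMS = ("diagnosis", "prescription", "lab result", "treatment plan")


def scan_message(subject: str, body: str) -> dict:
    """Classify an outbound message and decide whether encryption is forced.

    Policy (assumed): any direct identifier forces the encrypted path;
    clinical terms alone only flag the message for review.
    """
    text = f"{subject}\n{body}"
    identifiers = {name: pat.findall(text) for name, pat in PATTERNS.items()}
    identifiers = {name: hits for name, hits in identifiers.items() if hits}
    clinical = [term for term in CLINICAL_TERMS if term in text.lower()]
    return {
        "identifiers": identifiers,
        "clinical_terms": clinical,
        "encrypt": bool(identifiers),
        "review": bool(clinical) and not identifiers,
    }


if __name__ == "__main__":
    # Constructed sample messages: one that must be encrypted, one that only needs review.
    samples = [
        ("Lab results", "Patient John Doe, MRN 00123456, SSN 123-45-6789, DOB: 04/17/1962"),
        ("Follow up", "Please review the treatment plan for Mr. Doe before Friday"),
    ]
    for subject, body in samples:
        verdict = scan_message(subject, body)
        print(subject, "->", "ENCRYPT" if verdict["encrypt"] else "review" if verdict["review"] else "ok")
```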
Chad DeVogt, a business developer based in New Hampshire for Maine-based Systems Engineering, can be reached at 603-226-0300 or through syseng.com.