Five best practices for safeguarding EHRs

By Matt Marshall, Vice President of Engineering, Redspin Inc.

People who get paid to try to break into information systems are in a good position to give advice on keeping others out. Here at Redspin, Inc., a company of "ethical hackers" and IT security consultants based in Carpinteria, Calif., we've found that the healthcare organizations most successful at safeguarding electronic health records (EHRs) tend to follow these five best practices. The recommendations are drawn from years of Redspin's IT security assessment work with dozens of leading companies.

1. An organization-wide commitment to strong security
A complete Information Security Program (ISP) cuts across the entire enterprise, not just the IT department. It also covers items such as facilities availability and contingency planning, disaster preparedness, employee safety and the confidentiality of human resources records.
 
2. A view of IT security as a competitive advantage
Savvy companies understand that, increasingly, the heart of an enterprise lies in the proper collection, storage, communication, availability, integrity and protection of electronic data. Leaders in security best practice treat protecting that information as a competitive advantage. In contrast, companies that suffer IT security breakdowns face damaging consequences that can limit competitiveness, such as:

* Reputation damage, loss of customers, negative media reporting and mandatory breach notifications
* Large monetary penalties from regulators
* Theft and/or misuse of the data itself
* Legal expenses dealing with affected customers/business associates/vendors
* Loss of mission-critical IT systems including web applications, business associate networks and internal networks
 
3. A sharp focus on security policies and processes
Having the latest and greatest array of technical "gear" such as firewalls, wireless infrastructure, virtualization and vulnerability management software often leads to a false sense of security. Even the best gear can be compromised if it is not backed by well-documented security policies and procedures that are rigorously followed and periodically updated, together with the discipline to monitor and measure compliance against industry best practices such as ISO 27002.
 
4. Include business associates and partners in EHR security programs
As the exchange of electronic health information becomes more pervasive, the Department of Health and Human Services has made it clear that every entity in the chain bears responsibility for safeguarding electronic data. A breakdown anywhere in the chain affects all entities, both practically and legally, and even a business associate's breach of electronic health records may require notification of the customers/patients of every entity with access to the data. Successful organizations collaborate with business associates on the implementation of security programs and revise contracts to cover data security and compliance requirements, breach notification costs, independent security assessments and related issues.
 
5. Regularly conduct independent security assessments
The IT security environment is becoming ever more complex; safeguarding it is a dynamic endeavor that requires constant vigilance. The HIPAA Security Rule requires covered entities to periodically evaluate the effectiveness of their records security programs, policies and procedures. An independent security assessment can evaluate security against potential risks in a format compliant with the HIPAA Security Standards, and can extend to the business associates and partners with whom health data is exchanged. A high-quality security assessment will:

* Maintain independence from the sales and management of IT products, equipment and tools
* Identify security vulnerabilities according to levels of risk (high/medium/low)
* Provide specific recommendations on how to address security concerns
 

Redspin delivers independent Information Security Assessments through technical expertise, business acumen and objectivity. Redspin customers include leading companies in industries of healthcare, financial services and hotels, casinos and resorts, as well as retailers and technology providers.