According to datalossDB.org, over 110 healthcare organizations have reported the loss of sensitive PHI and/or PII data affecting 5,306,000 people since January 1998. Over 40 percent of the losses were related to theft of laptops, tapes or other media. Another 27 percent were the result of loss or negligence by staff or third parties. Malicious insiders were responsible for 20 percent and 9 percent were related to external attacks, with the remaining 2 percent unknown. Given that the problem is highly likely to grow with the advent of greater information sharing through systems such as healthcare information exchanges (HIE), it is critical to apply security resources effectively and efficiently.
While external attacks often get the headlines, the data clearly shows they are only a small part of the problem. Outlined below are a few recommendations associated with key security areas to get right. Focusing on these areas will help prevent data loss, save money in terms of compliance violations and, in the end, create value through systems that securely support the mission of the organization.
• Policy – Invest up front in analysis of policy requirements. Ensure the policies support both security and business goals. Guard against policies that are not enforceable. Complete a review of the policies with a trusted security assessment firm. Budget for training and awareness when rolling out the policies.
• Encryption – Use it with all PII and PHI data. Do not “roll your own”. Build on the wisdom of others and the vendor community. Spend time to architect and review your key management scheme. Make sure it is supported across the entire lifecycle of the data.
• Authentication and authorization – This provides a critical defense layer against attackers and malicious insiders, and it is also the mechanism that drives ease of use (and thus productivity). As with encryption, don’t be tempted to roll your own because you have “special needs”. Use vendor solutions that have been well tested, or open standards from organizations such as OWASP (ESAPI).
• Third party assessment of the overall system – Invest in an information security assessment from a trusted vendor with healthcare domain expertise. The investment will pay back in terms of reduced cost of compliance, data breach penalties avoided, and value delivered to the users of the system.
• Change management – Ensure the change management process is well understood. Functional testing is a given, but security controls and policies must be thoroughly checked with each release (whether major or minor).
Clearly, there are many additional security concerns, but focusing on these areas should yield a high return in terms of the value of your system and the protection of your data.