By Philip Jones, Mazars, Director of Security – Chief Information Security Officer (CISO), Data Privacy Officer (DPO) for Healthcare
The need for effective and quality healthcare services has never been more apparent than during the global COVID-19 pandemic when our health infrastructure was put to the ultimate test. We learned that these life-critical services need continual technology investment to meet evolving patient needs, such as the exploding demand for telehealth solutions we’ve seen in the last two years. However, increased technology brings increased data privacy concerns, especially in legacy healthcare systems, as cybercriminals look to exploit vulnerabilities within patient data storage.
In fact, according to the 2021 Verizon Data Breach Investigations Report, the health industry is one of the sectors experiencing the highest number of data breaches. As of mid-February 2022, there have already been almost 500 confirmed healthcare breaches.
One initiative meant to combat this is the Health Information Trust Alliance (HITRUST), a commonly accepted and highly recommended security framework that guides organizations on establishing controls to meet regulatory compliance and build a security program to protect operations from attacks. It was founded to help organizations secure operations, manage risk, and solve nuanced issues plaguing today’s healthcare industry. HITRUST demonstrates healthcare compliance along with a NIST risk score that effectively measures IT operational risk and guides organizations to improve their overall security posture.
An organization can demonstrate its compliance with HIPAA and other laws through HITRUST certification. Here are a few key areas to address when preparing for a HITRUST certification, which can help your organization stay prepared and protected from the onslaught of cyberattacks against the healthcare space:
- Multi-Factor Authentication (MFA). You will be hard-pressed to find a cyber-insurance carrier that provides a policy without MFA. MFA requires a user ID and password (UID/PW) plus a second verification factor to sign in, typically through an application, phone, or email. MFA will need to cover remote user access, remote access to email, and all privileged accounts, and insurance companies are starting to require MFA for access to backups.
Pro Tip – Email notifications can cause access problems. When possible, use a phone application such as Microsoft Authenticator for a higher level of security.
- Monitoring and Detection. Suspicious activities on systems, networks, and security devices are correlated and analyzed to detect possible attacks and prevent or reduce damage to operations.
Pro Tip – With most covered entities low on staff and technical expertise, consider hiring a managed security service provider (MSSP) with a retainer for digital forensics in the event of an incident.
- Breach Incident Response Plan. An incident response program will cover detection, notification, communication, and coordination. Training and clearly defined responsibilities are essential in any response plan.
Pro Tip – Perform regular tabletop exercises with different groups within the organization and your outside consultant to build awareness and confidence.
- Backup and Disaster Recovery. Regularly back up copies of information and software and tie them into a disaster recovery plan. Completing a business impact analysis (BIA) and including standard operating procedures (SOPs) for bringing systems back online is also an essential part of this process.
Pro Tip – Hire a firm with expert knowledge to help build a cloud-based solution. A solid business continuity plan using a cloud service provider will dramatically reduce complexity and response time.
Cybersecurity concerns and data protection should be top of mind for healthcare organizations, and it is essential to reassess current cyberattack prevention measures as often as possible. Becoming HITRUST certified is only one part of a complex cyber protection puzzle, so it is essential to consult with an advisor to ensure you are effectively protecting your patients’ data.
About the Author
My name is Phillip Jones and I am the Director of Security – Chief Information Security Officer (CISO), Data Privacy Officer (DPO) for Healthcare at Mazars U.S. I have built multiple privacy programs ranging from startups to major international organizations. I have guided multiple boards of directors through tough and complex compliance with security and privacy regulations.
Prior to joining Mazars U.S., I held several leadership positions in Privacy/GDPR, U.S. regulatory compliance, and cybersecurity at both prestigious consulting firms and technology organizations, including U.S. Navy Intelligence, IBM and Booz Allen & Hamilton.