Tag: Kim Lennan

Bridging Communication Between Privacy and IT Security in Healthcare

Kim Lennan
Kim Lennan

Guest post by Kim Lennan serves as director of healthcare markets for Hexis Cyber Solutions.

The cost of IT security data breaches in the highly regulated healthcare industry is staggering, as it tops even the likes of financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With the update last year to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009, signs of increasing expenses are again a reality. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.

With breaches in healthcare spanning from insider, nosey-neighbor snooping, to external, cyber-threats, such as malware, there is an obvious urgency for detection and remediation solutions that engage not only the hardened perimeter, but also the soft center, spanning all the way out to the ancillary systems which at once stood alone, but are now networked and part of the entire electronic healthcare ecosystem.

Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breach, as well as cybercrime in healthcare, begins with a motion to break down internal barriers. Organizations need technology and organization leaders who champion a bridging the gap between the two influential and liable, yet often un-collaborating services providers responsible for protecting these domains: Privacy and compliance and enterprise IT security.

Coordinating the effort to monitor networks and applications to achieve a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers, which can fall into the category of the “Internet of Things,” those medical device end-points, video surveillance systems, x-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry patient health information (PHI) and even intellectual business property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.

A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security.  The challenge is in how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the others’ data. Let’s take a look at a couple of examples.

Continue Reading

Reducing Risk with a Practical Approach to Patient Data Management

Patient Data Management

Guest post by Kim Lennan, Director of Healthcare Markets at Sensage

Healthcare organizations of every size face a growing number of threats and regulations associated with patient data management. Pharmacies must be on the lookout for falsified prescriptions issued to employee family members. Hospitals must track access to patient records, from both inside and out, to identify individuals trying to gain health details about a celebrity, a neighbor or family member. Network connections must be analyzed to pinpoint situations when passwords have been compromised or mobile devices have fallen in the wrong hands. Finally, meaningful use Stage 1 requires the identification of devices, systems and applications that are dormant or redundant.

To address these scenarios, IT teams must establish monitoring capabilities around a disparate set of systems and activities. This leads to incredibly manual, risk-prone event data collection, correlation and analysis processes across clinical and non-clinical sources, which discourages most IT teams from even taking the first step.

A successful event data management initiative provides three important benefits, which are often overlooked:

  1. The ability to understand patterns and establish baselines by which risk can be measured against. When you know what “secure” activities look like, you can create alerts when an unusual activity exceeds acceptable boundaries or thresholds. For example, if you know a set of workstations are not used during the hours of 11 p.m. to 4 a.m., you can easily set up a notification when a flurry of activity takes place on one of them during that period.
  2. The much-needed context to drive better policy creation and compliance. If you are able to demonstrate events that create risk, you are more likely to drive understanding with users and influence appropriate behaviors. For example, correlate data from your time management system with log-out details on a shared workstation to identify high-risk individuals who fail to log out when they go off duty, leaving that system open to compromise.
  3. The valuable insight needed to investigate a breach or establish compliance with internal or external regulations and policies. All too often, the data that can tell the story was either not collected or is impossible to analyze after the fact. In cases where an incident or breach spanned more than 90 days, most organizations have no historical perspective to review, which could prove a non-event.

For greatest success, security practitioners, auditors and compliance teams will need to align around processes that aid their shared efforts and actions. Here are some must-haves that need to be in place — or at minimum discussed:

A healthy, sustainable data management initiative starts with a single version of the truth. When everyone is looking at the same data, there is an increased likelihood that anomalies will be spotted and risks can be detected more rapidly. Here are some of the capabilities to look for:

There is much we are learning every day when it comes to protecting patient data, and – to evolve – we must adopt new disciplines and continuous improvement around risk monitoring. We applaud Cerner, our innovative partner, and customers like Adventist Health Systems, who are breaking new ground with the “science of risk management” and developing a centralized approach to the systematic inspection across their clinical and non-clinical landscape.