Healthy Defense: Avoid Becoming the Next Data Breach Headline
Anthem, Community Health Systems, New York Presbyterian Hospital/Columbia University Medical Center. These are just a few organizations out of the hundreds that have made headlines due to breaches of patient health information. With health data now considered 10 times more valuable than financial data, such cases will continue to pervade the news cycle.
Rather than become the next notorious example of a massive data breach, many organizations are moving their data—and management of it—to the cloud. Before you take the same step, be sure you partner with the right cloud provider, one that practices a multi-layered, defense-in-depth security strategy that includes the following:
Physical – Entrust your data only to top-tier data centers with 24/7 perimeter sensor-monitoring and badged or biometric entry into secure areas.
Network – While this layer is generally present in healthcare organizations, one or more areas are often out of date when managed internally. Look for cloud providers that use enterprise-grade hardware, advanced firewall configuration, SSL VPN security, intrusion detection and prevention, and threat management response.
Application – This layer can be easily exploited if secure coding practices, code reviews, change management and code versioning are ignored or done improperly. A top-tier cloud provider will abide by sound change management principles and provide tools to enable application firewalls, provide patching support, and deploy regular system vulnerability scans and malware protection.
Data – Data security is often the primary focus of security efforts, even though security at every layer matters. Items of concern include backup, at-rest and in-transit encryption, retention, destruction, archiving, security information and event management (SIEM), and lifecycle management.
Server – Ask your cloud computing provider what it does to monitor file integrity, patching, role-based access controls, SIEM and proactive vulnerability management.
Devices – This is often the Achilles’ heel for internal security because many devices are outside IT’s control. Talk to your cloud provider about securing data from mobile and medical devices, and discuss BYOD policies and best practices.
User – This layer is the most difficult to manage because it requires changing behaviors rather than simply upgrading technology. It involves using two-factor authentication, preventing social engineering and performing ethical hacking, as well as corporate policy and continuous education.
As the last line of defense, healthcare organizations need to make data security a high priority. They can do so in a way that offloads much of the daily responsibility to a cloud provider that already has the mechanisms in place. And that’s good news for everyone.
Contributing Writer: Chris Bowen is chief privacy/security officer and founder of ClearDATA, which provides HITRUST CSF-certified, HIPAA-compliant cloud computing used by more than 300,000 healthcare providers to store, manage, protect and share their patient health information and critical applications.