For years, healthcare organizations, from major medical centers to neighborhood clinics, have limped along with a security posture that lags behind other industries. HIPAA compliance has long served as the de facto standard of best practice for privacy and security.
That is rapidly changing as the healthcare industry tries to diagnose the severity of a ransomware epidemic. A recent alert warns of the potential for the “largest crime wave in modern history.”
Similarly, industries such as retail, financial services and utilities have had to face new security realities in the wake of denial-of-service attacks. While technically a different kind of attack, the motivation is much the same: cyber criminals are looking to disrupt operations in what has become a lucrative venture.
These industries have learned, often through painful extortion, that the standard policies, procedures and training built to protect confidentiality are insufficient now that data integrity and availability are constantly threatened. “You need best practices that go beyond HIPAA’s check-the-box compliance,” says Paul Bond, a partner in the Reed Smith law firm who specializes in IT and privacy issues.
Rather than viewing HIPAA compliance as a necessary evil, STN believes risk management should become an essential component of due diligence. Security measures aren’t merely band-aids applied to otherwise healthy operations; they are a way to facilitate sound decision-making. A risk management program can then grow and mature over time like any other business process, resulting in greater efficiency and better-informed leadership decisions.
Brian Finch, a partner in the public policy practice of the law firm of Pillsbury, Winthrop Shaw Pittman, sees a need for “a fundamental review of how IT is set up.” Ransomware has ushered in an era where intensification of current efforts simply won’t suffice. Security must be aligned with other core values like reliability, transparency, and ease-of-use. (Read full article, “Ransomware Attacks Taking Huge Toll On Healthcare Resources”)
STN understands this new era will require significant change for CIO and CIS partners. How information systems are set up and managed is increasingly a matter of business development and performance. Gone are the days when IT security meant a secure perimeter and some basic employee training.
In terms of risk assessment, security analyst Jim Wherry recommends that attack simulations, such as technical penetration testing and social engineering, be carried out incrementally by a trained security professional rather than as an automated scan or a single system-wide exercise. Only then do administrators get the empirical data needed to evaluate the actual effectiveness of the controls reviewed during an IT security assessment. This enables a far more granular approach, and criminals are less likely to target operations with this level of control.
For more immediate ransomware concerns, STN considers a mature and tested business continuity and disaster recovery plan to be the best defense. “A good spam filter and security awareness training for employees can be good controls to reduce the risk of a ransomware event, but at some point organizations have to go with the assumption that these controls will fail,” says senior security analyst Chris Akenson. “Have a sound plan and be confident that you can recover your systems fast enough. This will likely outweigh the going rate for ransom, and you won’t be seen as willing to do business with criminals by giving in to extortion.”