The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to keep sensitive patient data safe.
Its security rules have been published since 2003, and yet, nearly 35% of reported data breaches in 2016 happened in the healthcare industry.
It is no secret that securing healthcare data is becoming more of a challenge. As the Health and Human Services Office for Civil Rights commits to proactive HIPAA audits in 2017 and beyond, it is increasingly critical to ensure that you are collecting the security information you need, both to provide the best possible security and to validate your compliance status.
Why is Security in Healthcare So Challenging?
Whether it’s a large hospital with a well-staffed technical team, or a smaller organization with a single IT person, there seems to be one prevailing mindset—“focus on patients and keep systems running” rather than “maximize security.”
One of the unique challenges with healthcare and hospitals is the sheer volume and type of data that needs to be collected to support compliance and overall security.
Providers are also becoming more connected, with little vulnerability mitigation in sight. Even in the case of small organizations, there are many nuances to consider. Many different sub-entities have different requirements from a networking operations standpoint:
- Varied use of electronic health records impacts traffic volume
- External data collection in some departments
- Consumers and employees require bandwidth for personal use
- Some departments have zero connectivity outside of a single room and require fewer IT resources
Fluctuating operating requirements across departments give network admins plenty to worry about without trying to maximize security efforts. In large organizations, security monitoring of large volumes of network traffic becomes time-consuming, complex, and expensive.
Until last year, there wasn’t much of a threat of compliance auditing from Health and Human Services (HHS). There were no repercussions for lackluster cybersecurity other than fines for a data breach, if one occurred. HHS has now said that it will continue to perform proactive audits of organizations on an ongoing basis. This means anyone could be audited at any time, and every organization should expect it to happen at some point.
Now that HIPAA audits are a real possibility, organizations of all sizes have to take control of data sprawl, keep track of who has access to PHI, and monitor its use.
How Do You Get the Data You Need?
Keeping systems up and running can be the difference between life and death in the healthcare industry. But as hospital IT departments focus on performance, security still needs to be top of mind. The complexity of the networks healthcare requires adds to the challenge of collecting the data you need to achieve HIPAA compliance. A few of the key data points that need to be collected are:
- Network traffic to analyze. Sounds simple enough, but there are a lot of packets on even the smallest network
- Threat intelligence data – usually from vendors, partners or organizations that publish this
- Context data – why did Bill from accounting just log into his computer when he is on vacation this week?
Logs and events are essential for every critical and non-critical component in your environment, even a receptionist’s workstation. A log is a permanent record of something very simple that happened to a device. On a firewall, logs will tell you what sessions were established, who has logged into the device, and who has made changes to it. In directory services, logs will tell you when new users were created, accounts were disabled, and administrative privileges were granted, all of which is essential data when talking about security.
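As an added example (not code from the original post or from Sedara), the script below runs the kind of review the two paragraphs above describe over a handful of constructed directory-service log lines: it flags user creation, account disabling and privileged-group grants, and it uses a constructed HR leave schedule as context data to catch the "Bill logged in while on vacation" case. The key=value line format, the host name, the user names and the leave schedule are all assumptions made for the example; the Windows Security event IDs are real.

```python
import re
from datetime import date

# Constructed sample directory-service lines in a hypothetical key=value format
# (not from the original post). Windows event IDs are real: 4720 user created,
# 4725 account disabled, 4728 added to a global security group, 4624 logon.
SAMPLE_LOGS = [
    "2017-03-06 08:02:11 dc01 EventID=4720 Actor=hr_admin Target=jsmith Msg=User account created",
    "2017-03-06 08:05:40 dc01 EventID=4728 Actor=svc_backup Target=bwilson Group=Domain Admins Msg=Member added",
    "2017-03-06 09:15:02 dc01 EventID=4725 Actor=hr_admin Target=tlee Msg=User account disabled",
    "2017-03-06 09:31:27 dc01 EventID=4624 Actor=- Target=bwilson Msg=Successful logon",
    "2017-03-06 09:40:00 dc01 EventID=4624 Actor=- Target=jsmith Msg=Successful logon",
]

# Context data: a constructed HR leave schedule (the "Bill is on vacation" case).
ON_LEAVE = {"bwilson": (date(2017, 3, 6), date(2017, 3, 10))}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# Values may contain spaces ("Domain Admins"), so a value ends at the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_line(line):
    """Return the line's fields (plus date and host) as a dict; {} if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    day, _time, host, rest = m.groups()
    ev = {k: v for k, v in FIELD_RE.findall(rest)}
    ev["date"], ev["host"] = date.fromisoformat(day), host
    return ev

def review(lines, on_leave=ON_LEAVE):
    """Flag the events the post calls out, plus logons that contradict HR context."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        eid, user, actor = ev.get("EventID"), ev.get("Target"), ev.get("Actor")
        if eid == "4720":
            findings.append(f"user created: {user} by {actor}")
        elif eid == "4725":
            findings.append(f"account disabled: {user} by {actor}")
        elif eid == "4728" and ev.get("Group") in PRIVILEGED_GROUPS:
            findings.append(f"admin privilege granted: {user} added to {ev['Group']} by {actor}")
        elif eid == "4624" and user in on_leave:
            start, end = on_leave[user]
            if start <= ev["date"] <= end:  # logon during scheduled leave is the anomaly
                findings.append(f"logon by {user} while on leave ({start} to {end})")
    return findings
```

The ordinary logon by jsmith produces no finding; only the events a SIEM rule would want to surface are returned.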
Analyzing network traffic sounds simple until you think about how many packets are flying around on every device. It’s best to monitor your internet ingress/egress traffic, but even that poses challenges:
How Many Physical Interfaces Pass Traffic in Your Firewall?
Multiple internal segments, servers, DMZ, more?
Do You Have Redundant Firewalls that are Cabled to Multiple Switches?
You need to monitor each link to ensure that you are still capturing data when they fail over.
How Are You Analyzing Network Traffic?
Most switches only support 1 or 2 mirror ports.
How Much Traffic is There?
An intelligent IDS takes a great deal of resources (CPU) to process packets. Can you handle it all?
How Much Guest Traffic Do You Have?
Think about how many users might be in a single hospital using Guest Wireless to browse Facebook. That is a lot of traffic that doesn’t need to be analyzed.
Evaluating Your Options
You need to arm yourself with the right tools to access the data and the resources to manage them. If you need help in this arena, give us a call for a free consultation or discussion on the best security options.
Not ready for that step? Here are a few pointers to get started:
Log Collection and Analysis
To handle log collection and analysis and meet your HIPAA compliance requirements, you need a Security Information and Event Management (SIEM) tool. There are several out there that work well (Kiwi will not work for this), but the most important thing with any SIEM is to get a handle on what data you want to collect, what its volume is, and how you want to analyze it. This will help you find the right tool and size it properly to handle the data you want to collect.
Also, know how long you have to keep the data; it adds up quickly and can be expensive to store. Keep in mind that not all log data is created equal, and some has no compliance value. If you want to collect all of your server error events and non-security operational logs, send them to an ELK stack. That will be far cheaper.
Network analysis requires its own set of tools as well. In most cases, we are talking about feeding data to a dedicated Network Intrusion Detection System, a full packet capture tool, or something else that is network-aware. Mirror ports on switches can suffice for getting data to these tools, but the answers to the questions above all play a big role. Typically, you need something like a network tap and/or packet broker. These allow you to physically get in the middle of multiple network links, aggregate them into a single appliance, and send the packets you want out to multiple network appliances.
How Sedara Can Help You
To learn more about our MSSP approach that focuses on the healthcare industry, simplifies security, and adheres to HIPAA compliance, contact us today.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats–and what to do about them–just like our clients do.