By Montez Fitzpatrick, Director of Information Security & Compliance, Keystone IT
The introduction of the HIPAA Security Rule has thrust many newly minted security officers into roles for which they are ill-prepared. The terminology is new and the ideals are unfamiliar. One point is certain: HIPAA compliance is not the reason they got into medicine. Yet the importance of keeping patient data confidential is well understood.
In information security it is well known that regulatory compliance alone will not make your organization secure. It is best to think of the process as securing the organization first; HIPAA compliance will follow from that. Here is a list of seven steps that will help create greater security and nurture a culture of compliance, which in turn makes it simpler to meet the standards and implementation specifications outlined in the HIPAA Security Rule.
1) Create a security awareness program tailored to your workforce
Easily the most important aspect of an information security program is ensuring that the workforce is routinely educated on policies and procedures, as well as on the threats to the organization and their mitigations. Security awareness is an opportunity to communicate which information assets are important to the organization. It is also a chance to educate the workforce on which interactions with third parties are normal and acceptable. This education should emphasize that, while employees are focused on being helpful stewards, bad actors will interact with them and take advantage of that helpfulness in ways that could harm the organization.
Be wary of picking up a package off the shelf and branding it as the security awareness program. Security awareness is the lowest-cost and most beneficial action that can be taken to improve the security of an organization. Its importance cannot be overstated. To be successful, security awareness must be woven into an organization’s culture.
2) Understand and communicate that passwords serve no more purpose than that of an electronic key
The goal of HIPAA is to facilitate the creation, transmission and use of electronic records in a secure way. A question all security officers must answer is how their organizations have evaluated the risk presented by the systems that interact with sensitive and protected data. Many security officers are tempted to answer that those systems are secure because they are protected by a password mechanism. Passwords are only a fraction of the overall security of a system.
Imagine a residential street on which stand two houses that are, for all intents and purposes, identical. A bad actor is looking for an opportunity to burglarize one of the two homes. The first house has motion lighting, landscape lighting and strategically placed security signs in the yard. The second house is not well lit and has overgrown vegetation that obscures some potential entry points from onlookers.
Given what is known, it can reasonably be assumed that the entry doors on both houses have similar locksets. However, there is a significant difference in the opportunity presented to this adversary. It could be argued that the first house has better security and is therefore less vulnerable than the second, even though both are protected by keys.
That threat model breaks down if the adversary targets that specific residence for some reason other than simply being in the neighborhood. Protecting sensitive data from targeted attacks warrants further consideration.
3) Create data maps for sensitive information
Data maps are diagrams that show where sensitive data is used, stored and transmitted throughout an organization’s systems. Such an “infographic” can bring to light previously unknown relationships between systems, which may necessitate a change in the architecture or security posture of those systems.
Creating data maps can be a laborious task. Many provisions of the HIPAA Security Rule require the organization to make judgments based on factors that can be measured consistently through proper risk analysis as part of a risk management program. It is impossible to have a meaningful conversation about how to protect sensitive data without knowing all of the places that data is transmitted, used and stored.
4) Author data classification guidelines
The purpose of this document is to serve as a framework for classifying data based on its sensitivity, value and criticality to the organization. Classifying data helps determine the baseline security controls required to protect it.
Conveniently, having this guideline in place makes many of the provisions in the Security Rule simpler to address. The benefits to a risk management program should be evident, as the classification helps ascertain which data is important to protect. Other measures that become simpler include any that deal with workforce clearance, application criticality, final disposition and the contingency plan, which is probably the most difficult section of the Security Rule with which to comply.
5) Manage the lifecycle of assets which transmit, store and use sensitive data
A secret to staying sane in the world of information security is to realize that infrastructure does not matter. Servers and network infrastructure simply serve as vehicles to transport data from one point in time and space to another. What matters is protecting the data at every stage: when it is created, throughout its use, transmission and storage, until it is destroyed, which ends the cycle.
Thinking about security in terms of the infrastructure leads to increased cost, because irrelevant devices are brought into scope, and to errors, because there is likely a corner case in which sensitive data exists on a device that was missed and is unprotected.
6) Ensure your compliance program is inclusive, rather than exclusive
Compliance efforts are more successful when the company at large is involved from the earliest stages of forming the compliance initiative. Too often, too few people decide the compliance strategy. At a minimum, all lines of business should be represented in those strategic sessions. More often, compliance efforts are formalized without the representation of critical members of those lines of business. Consequently, the business suffers, having authored a shallow interpretation of its objective. While this does ‘check’ the regulatory box as a compliance initiative, it does not provide value to the organization.
7) Evaluate if your current technology infrastructure meets the security profile of your organization
It is sometimes difficult enough to accomplish a single objective. Managing that objective from an idea through planning, funding, revisions, actualization and upkeep can be a tall order. Security concerns should be included in the development cycle, but the reality is that security is not always an ingredient of the final product. Security officers are responsible for ensuring the confidentiality, integrity and availability of those systems. Those systems must be assessed against the threat landscape and evaluated for vulnerabilities, which is no small feat. To understand how to protect the organization, the security officer must have an official position on which events or actions constitute unacceptable risks. Security officers need to understand information system risk and how to manage it so that business objectives can still be achieved. That risk needs to be normalized in such a way that it can be fairly compared against other types of business risk.