Healthcare News & Insights

Avoid breaches: Layered security & privilege access controls

Preventing cyberattacks is incredibly difficult, but industry experts point to two important ways providers need to shift their security to have a better chance of protecting patient data. 

It’s no secret that cybercrime against the healthcare industry continues to grow, but new research is giving providers some idea of who’s behind the ongoing assault on patients’ protected health information (PHI).

As a result, providers and security experts are beginning to see how the industry needs to evolve to address the growing threat from hackers.

Layers and layers of security

One of the most important strategies to guard PHI is to have a system with layers of security tools, Chris Bowen, founder and chief privacy and security officer for ClearDATA, a cloud-based storage provider, said in an article for Healthcare IT News.

Bowen cites recent research by IBM which shows that a lot of cybercrime involves highly organized groups and market forums.

These groups and individual hackers are usually able to infiltrate systems because much of the IT infrastructure in facilities is outdated and inconsistently secured.

That’s why having multiple layers of security is so important. While tools may not completely prevent a hacker from gaining access, having multiple defenses set up gives providers more time to identify the hacker and delay them from reaching the most valuable data and assets.

However, since many organizations don’t always have the resources to set up and monitor layers of security, more leaders are getting help from cloud-based storage systems.

What should leaders look for in a cloud vendor to know they have effective security in place? Bowen recommends looking for a vendor with:

  • a strong healthcare-exclusive focus
  • proven HIPAA compliance
  • HITRUST certification
  • an onsite privacy and security officer with experience and credentials
  • documented security policies and procedures, and
  • layers of physical and infrastructure security.

Regular privilege access management

However, multiple layers of security won’t help facilities if hackers can access administrators’ authorization credentials, like they did in some big-ticket breaches this year.

That’s why leaders also need to shift their operations and culture to limit access to systems, said vice-president and chief information and security officer Sudhakar Gummadi of California-based Molina Health.

In an interview for Information Security Media Group, Gummadi said the recent changes to the security landscape have made privileged access management essential to limiting a hospital’s risk for breaches. Once hackers have a sense of who has full system access and how to steal credentials (often through email phishing schemes), they can bypass other security measures and steal PHI.

Administrators with 24/7 access to sensitive data should use that access sparingly, Gummadi says. Additionally, controls should be in place for servers, infrastructure, firewalls and routers, as well as other potential access points if possible.

“Privileged access needs to be controlled in your environment, and it should have checks and balances, and only be given on a need-to-know basis. Good controls in place won’t eliminate the risk, but will minimize the risk,” Gummadi says.

While there are technologies out there that can help hospitals, these technical safeguards likely aren’t enough. Gummadi believes hospitals need to make a cultural shift as well, especially since some administrators have become used to their access privileges and may not understand the need to suddenly limit access to systems.
