The Equifax disaster is front-of-mind for many of us in the security world. But don’t assume that this type of breach is limited to the financial and consumer worlds. Did you know that health care was the second most targeted industry for cyber criminals last year? And the number of incidents is growing exponentially. In the past, CEOs would leave data security to IT, but not anymore. Considering the legal liability and reputational damage associated with a breach, it is imperative that CEOs maintain awareness of their organization’s security posture, and that means regular reviews of data security reports.
Most CEOs juggle many topics in the board room: financial performance, strategic imperatives, competitive pressures, service delivery issues, etc. Increasingly, security is on that list. This does not mean that the CEO needs to build the data security plan, but he/she should be able to speak to it intelligently. The best way to do this is to schedule regular briefings utilizing easy-to-read dashboard reports that focus on three areas of threat concern: physical, technical, and administrative.
Physical safeguards protect the infrastructure and controls in areas where sensitive data, such as PHI, is stored. Those areas may be data centers, server rooms, or employee workstations. Physical threats may include natural disasters. During hurricane season for example, security briefings might refer to the plan to preserve and make available patient data in case of a power outage, a flood, or both. Metrics could include:
- Security assessments completed
- Types of mitigating controls deployed
- Control test scores
Technical safeguards center on technologies and controls used to logically protect PHI, including system design, firewalls, encryption, intrusion detection/prevention software, and automation. These safeguards must cover a broad range of current and potential threats, from denial of service attacks and IP spoofs to network sweeps and phishing attempts. The security briefing should include:
- Number/types of incidents the company experienced
- Industry threat trends and vulnerabilities
- Lessons learned from others
- Results of internal vulnerability tests (phishing simulations/penetration tests)
Administrative safeguards include policies and procedures designed to prevent security incidents. For example, new employees should be trained on Internet and email policies to avoid falling for “phishing” scams that could unlock the organization’s network to cyber criminals. Note: the major breaches in health care in 2017 were from phishing scams, not outside hacks or cloud usage.
And speaking of cloud, I would be remiss if I did not address the fact that over 80% of health care data will be in the cloud by 2020. A cloud-based system that actively monitors security and compliance levels throughout an organization’s IT environment can give health care leaders a sense of the current threats and what steps are needed for remediation. And to increase physical security, PHI management/security can be offloaded to health care-specific security experts who host the data in cloud services that comply with stringent security protocols. Administrative security, however, remains the province of health care organizations; but even here, an objective assessment by an outside expert can serve a CEO well.