John Halamka’s 7 Steps to Prevent Healthcare Breaches
Here are 7 steps to securing healthcare data, as recommended by a healthcare CIO responsible for supporting 3,000 doctors, 18,000 faculty, and 3 million patients.
Polymath and healthcare CIO John Halamka wrote an insightful post last month, The State of Information Security 2015, that laid out the steps he and his team at Beth Israel Deaconess Medical Center (BIDMC) took in 2015 to prevent breaches at BIDMC. John sums up the security challenges of today’s healthcare CIO:
“2015 has been filled with denial of service attacks, hard to detect malware, and a skyrocketing number of personal internet connected devices at the same time that HIPAA enforcement has expanded. The traffic on my guest networks from visitors using mobile devices has exceeded the traffic on the business network. Meaningful Use requires us to share more information with more people for more purposes, but the HIPAA Omnibus Rule requires us not to lose a byte.”
So what did they do in 2015 to prevent breaches? In a nutshell, here are the 7 steps they took:
- Increased employee education efforts significantly
- Put filters on incoming email to scan every embedded URL and attachment before delivering the emails
- Added filters to prevent outgoing mail and internet traffic from exfiltrating sensitive data
- Required attestation that every device used by every person is encrypted and physically secured
- Used tools and dashboards to identify variance in device, software, and people behavior
- Increased their security staff (again significantly)
- Signed several vendor contracts in 2015 that include new liability and indemnification language protecting them against third party claims around breach issues
John doesn’t go into what technology or services they used to help achieve these steps. To be clear, there are a number of solutions that you could use to achieve these ends. But what struck me reading the post is how many of these could be effectively executed with a single approach – today’s dramatically better data loss prevention (DLP). Let’s look at how.
#1 – Employee education. The most effective employee security education goes beyond the classroom. Leading DLP solutions can provide real-time security training by popping up prompts to notify users whenever they are doing something that goes against the hospital’s data protection policies. In fact, one of our managed healthcare customers found that in the first six months of implementing this approach, they saw an 85% decrease in prompts to users, indicating a significant increase in policy awareness and secure employee behavior.
#2 & #3 – Filtering incoming emails and outgoing emails. The best DLP solutions can not only scan all incoming email for links and attachments that contain malware and prevent the exfiltration of sensitive data via email, web uploads or cloud storage, but they can also measure the effectiveness of other controls by monitoring where sensitive data is moved once it leaves your EHR system.
#4 – Attestation that every device is encrypted and physically secure. This one is most effectively handled with inexpensive disk encryption technology. But DLP can amplify your protection here by inventorying every device that contains sensitive data and configuring that device to encrypt any information that is removed from it by any means, including USB drives.
#5 – Dashboards to identify variance in device, software, and people behavior. Leading DLP solutions can provide you with real-time reports on the movement and use of all sensitive data throughout your organization based on the data classification, the user or process, and the action. And in fact, if you go with a DLP managed security service you’ll have the support of a team of security experts going through these reports identifying anomalies and recommending process improvements.
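As an added illustration (not code from Halamka’s post or from any DLP product), here is a minimal outbound DLP policy in Python that ties together #3’s exfiltration filter, #1’s real-time user prompts and #5’s per-user variance report. The PHI patterns, the hospital.example domain, the [secure] subject tag and the sample mail are all constructed assumptions.

```python
import re
from collections import Counter

# Illustrative PHI indicator patterns for this constructed example; a real
# DLP classifier uses validated identifiers, dictionaries and fingerprints.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\bdiagnos(?:is|ed)\b", re.IGNORECASE),
}
HIGH_CONFIDENCE = {"ssn", "mrn"}      # direct patient identifiers
INTERNAL_DOMAIN = "hospital.example"  # assumed internal mail domain
SECURE_TAG = "[secure]"               # assumed tag for the encrypted mail gateway

def classify(body):
    """Return the names of the PHI indicators present in a message body."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(body)}

def decide(msg):
    """Outbound policy: 'allow', 'prompt' (real-time user training) or 'block'."""
    found = classify(msg["body"])
    external = not msg["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if not found or not external:
        return "allow"   # no PHI, or PHI staying inside the hospital
    if SECURE_TAG in msg["subject"].lower():
        return "allow"   # PHI leaving through the encrypted channel
    if found & HIGH_CONFIDENCE:
        return "block"   # direct identifiers leaving unencrypted
    return "prompt"      # keyword only: ask the user to confirm before sending

def evaluate(messages):
    """Run the policy over messages and return one record per message for the dashboard."""
    return [{"user": m["from"], "to": m["to"], "action": decide(m),
             "classes": sorted(classify(m["body"]))} for m in messages]

def variance_report(records, threshold=2):
    """Users whose non-allow outcomes exceed the threshold (the people-behaviour variance)."""
    counts = Counter(r["user"] for r in records if r["action"] != "allow")
    return {user: n for user, n in counts.items() if n > threshold}

FIELDS = ("from", "to", "subject", "body")
SAMPLE_MAIL = [dict(zip(FIELDS, row)) for row in [  # constructed outbound traffic
    ("nurse1@hospital.example", "billing@hospital.example", "Chart update", "MRN 00451234 diagnosis updated"),
    ("nurse1@hospital.example", "friend@mail.example", "fwd", "Patient SSN 123-45-6789 for the form"),
    ("dr.lee@hospital.example", "referral@clinic.example", "[secure] referral", "MRN 00451234, diagnosis attached"),
    ("nurse1@hospital.example", "x@mail.example", "q", "what was the diagnosis again?"),
    ("nurse1@hospital.example", "y@mail.example", "q2", "MRN 00998877 please"),
]]
```

Running `variance_report(evaluate(SAMPLE_MAIL))` surfaces nurse1 with three policy hits, the kind of per-user outlier a managed-service analyst would follow up on.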
#6 – Increase security staff. If it’s difficult for you to get sign-off for additional security hires, DLP as a managed service is an option that allows you to essentially increase your security team without adding direct head count.
#7 – Vendor contracts with liability and indemnification against third party breach claims. It’s worth noting that leading DLP managed service providers offer this liability and indemnification as part of their service agreement. If they don’t, then you shouldn’t be considering them.
If your gaps include more than one or two of these steps, DLP, especially as a managed service, is worth considering.