“The wonderful thing about standards is that there are so many of them to choose from.”
— Rear Admiral Grace Murray Hopper, pioneering computer scientist
Despite HIPAA’s security rules imposing restricted access to electronic patient information and increased recent pressure from the ICO on the NHS’ data protection practices, IS Decisions’ latest research has found several reasons to worry. Contributing to the report, Derek Brink offers insight into what healthcare organizations can do about the complexity of compliance.
The transformation that information technology (IT) has made on contemporary society — from the time that Grace Hopper was programming the first modern computer (IBM’s Mark I, at Harvard University) in the mid-1940s, to the present day — simply boggles the mind. And this transformation has continued and accelerated, with the recent waves of disruptive information technologies such as mobility, social collaboration, virtualisation and cloud computing, big data, and predictive analytics, to name a few.
Information security has tried to keep pace with IT, with the result being a rich and complex array of security technologies that solution providers have already made available, and which continue to be introduced. On the one hand, the result of such innovation and investment is a testament to the importance of the information security problem. On the other hand, having such an overabundance of options can make it painfully difficult for the security team in any given organisation to sort through all of the alternatives, and to make the necessary choices for the mix of controls that represents the best fit for their specific context.
Add to this the complexity of compliance, where security and privacy requirements from multiple regulatory authorities have to be understood, interpreted, and applied by every organisation, in the specific context of their systems, their applications and data, their users, their industry, their mission, their strategy, and their appetite for risk.
With a nod to Admiral Hopper, the wonderful thing about security-related compliance requirements is that there are so many of them to choose from.
Out of these multiple layers of complexity — which some in the information security industry have referred to as “the fog of more,” and which has also been written about as “the paradox of choice” — there has recently been a strong movement towards simplification. One example is the so-called Critical Security Controls movement, which aims to use the power of community to identify a small number of security controls that are proven to have a high payoff in terms of preventing known attacks.
Another excellent example is this guide, which aims to describe a set of basic security practices for healthcare organisations that will not only help to safeguard sensitive patient data, but also to satisfy an array of overlapping compliance requirements from the United States (the Health Insurance Portability and Accountability Act, or HIPAA) and the United Kingdom (the Data Protection Act).
My own view is that such lists are not a recipe to be blindly and strictly followed, but rather a needed, welcome, and much quicker path to considering the successful choices that others have made — which organisations can then adapt in the way that works best for their own environment.
Derek E. Brink, CISSP – Vice President and Research Fellow, Aberdeen Group; Adjunct Faculty, Brandeis University and Harvard University
Safeguarding data beyond healthcare compliance
Potential security shortfalls the research has revealed.
- Over a third of healthcare workers do not have unique logins.
- Two thirds of healthcare workers have the ability to log on to different devices and workstations concurrently.
- Over 60% of healthcare workers have no automatic logoff from the network after a set period of inactivity.
- Less than half of all healthcare workers receive IT security training or sign security policies upon starting their job.
- Even though security remains an issue in healthcare, 82% of healthcare workers have access to patient data.
In response, the report proposes five areas in which organizations can take action to safeguard data.
- Onboarding new employees. The steps taken with new staff.
- Implementing security procedures. People-related processes to protect access to electronic protected health information.
- Securing network access. The role of technology in minimizing the risks from employees and reducing the surface area vulnerable to attack.
- Data access and necessity. The levels of access control needed to maintain the confidentiality of data records whilst ensuring prompt access for proper delivery of care.
- Moving jobs or role changes. Requirements for addressing access when employees change role or leave an organization.
The aim of the report is not only to help organizations meet compliance, but to reach beyond it by implementing granular security practices that mitigate the risks pertaining to patient data and other sensitive information that healthcare organisations must safeguard.