Unauthorized access and use of protected health information is the most profitable crime in the USA: Are you fully prepared to combat? [Part-2]

Password Manager Pro | March 13, 2012 | 3 min read
In the previous post , we analyzed the magnitude of medicare fraud, protected health information stakeholders and their responsibilities. Let us now examine the causes and discuss how to combat:

Protected Health Information – Threats & Vulnerabilities

Threats for protected health information emanate both from external attacks and internal sources.

External Attacks – Health care enterprises come into contact with a variety of people in a variety of ways.  Sensitive information and IT resources need to be exposed or shared with partners, agencies and even customers. All these make the enterprises vulnerable to data breaches and cyber-attacks from amateur and expert hackers.

Internal Threats – Threat to information security does not always develop from outside. It could well be generating right inside the organization. Disgruntled staff, greedy techies, tech-savvy contractors and sacked employees could act with malicious intent and misuse privileged access. Even untrained staff could unintentionally unleash a disaster. The business and reputation of some of the world’s mightiest organizations have been shattered in the past by a handful of malicious insiders.

Researchers point out that more than half of data breaches involve the participation of an insider, but only 10% are unintentional – whereas 90% are deliberate and malicious and usually involve misuse of privileges.

How to combat?

Preventing or detecting a breach requires that effective policies, procedures, and technologies are in place. Without proper technology in place, policies and procedures would remain ineffective and cannot be enforced.  The CISOs, CIOs, IT security, privacy, and compliance personnel of health care organizations, who are tasked with the responsibility of protecting PHI should keep in mind the fact that the benefits of investing in technologies to prevent PHI breach, far more outweigh the potential cost involved in setting them up.

A report on “ The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security ”, created through the “PHI Project” – a collaboration of the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) – that involved a cross-section of more than 100 health care industry leaders from over seventy organizations, underscores the importance of the information security technical safeguards as required by HIPAA Final Security Rule 164.312, which includes:

 
Access Control: Protect ePHI from unauthorized disclosure

  • Allow system access only to authorized persons or applications
  • For a web environment, implement a web access management solution
  • Consider role-based access control
  • Assign unique user identification
  • Ensure the use, monitoring, and audit recording of emergency credentials
  • Establish automatic logoff and re-authentication after a period of inactivity
  • Limit access to encrypted applications to those who can decrypt the data

Integrity of Audit Controls: Protect information from alteration or destruction

  • Implement mechanism to authenticate ePHI
  • Implement methods to corroborate that information has not been altered or destroyed

Transmission Security: Protect ePHI that is being transmitted over a network

  • Consider encryption for best protection and safe harbor
  • Ensure strong encryption up to 2048 bits (asymmetric) and 128 bits (symmetric)
  • Verify data integrity with digital signatures or SSL certificates

The recommendations of the PHI project to secure PHI lay stress on the following technological aspects, in addition to the procedural and policy enforcement:

  • Risk management (risk identification, threat analysis, etc.)
  • Asset management (physical and information)
  • Identity management (user IDs, passwords, etc.)
  • Vulnerability management (secure configuration, patches, etc.)
  • Operations management (logs, laptops, desktops, change management, network, mobile devices, removable media, etc.)
  • Information protection (encryption, key management, etc.)
  • Threat management (intrusion detection, incident response, etc.)
  • Security control testing (penetrations testing, audits, etc.)

Multi-pronged Strategy – Need of the Hour

Combating sophisticated cyber threats involving protected health information mandates a multi-pronged strategy incorporating a complex set activities including deploying security devices, enforcing security policies, controlling access to resources, monitoring events, analyzing logs, detecting vulnerabilities, managing patches, tracking changes, ensuring compliance, monitoring traffic and other activities.

 

ManageEngine has a range of affordable Enterprise Security Management Software Solutions that help you build a secure fortress enabling you to protect PHI, stay secure, ensure business continuity and enhance productivity.

ManageEngine IT Security & Compliance solutions aid in:

  • Network Security Management
  • Network Security Audits

  • User Account & Rights Management
  • Security Information and Event Management
  • Privileged Access Management
  • Regulatory Compliance
  • Internal Controls

Try

Disclosure: ManageEngine has co-sponsored the “ Protected Health Information (PHI) Project ,” an initiative launched by the American National Standards Institute (ANSI) to evaluate the financial impact of unauthorized access to Protected Health Information (PHI). This blog series draws information from the report “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security”.

Bala
ManageEngine IT Security & Compliance Solutions
Quick Video | Free Trial Download White Papers   | Success Stories

Tags : health care / healthcare / HIPAA / internal controls / IT security / regulatory compliance
V Balasubramanian