Health IT Security | Elizabeth Snell on September 21, 2015
Strong health IT security measures are essential for healthcare organizations of all sizes, especially with cybersecurity threats on the rise. Covered entities need to ensure that their systems are current with the latest security options, and also conform with federal, state, and local standards.
The International Organization for Standardization (ISO) publishes a set of standards for managing IT security, and Tufts Health Plan recently achieved certification under the ISO 27001:2013 Standard Security Program. Everything from physical and electronic security to access control, human resources security, and regulatory compliance must be considered before the health IT security audit is performed.
Tufts Chief Information Security Officer Deb Stevens discussed the preparation process with HealthITSecurity.com, and said that working toward complete health IT security is critical for all healthcare organizations.
HEALTHITSECURITY.COM: Tell me about what the ISO certification means to Tufts Health Plan.
DEB STEVENS: To Tufts Health Plan, the ISO 27001:2013 certification allows us to convey to all of our constituents, and therefore our competitors, that we pay a great deal of attention to security, that we have an ongoing cyber security program, and that we care about security: we invest in it. The cyber security program is recertified every year to ensure we continuously meet the requirements.
HITS.com: What went into the preparation process to get ready for that?
DS: The preparation process for us started years ago when we built our cyber security program off the ISO 27001:2005 standard, as well as NIST’s standards. At that time, all of the industry and all of the security regulations for privacy and security were coming out, both at federal and state levels. All of those states have unique notification and privacy laws as well. Rather than waiting for new laws and regulations to come out and then reacting, we chose to be proactive and map out our program based on the ISO 27001:2013, or the earlier standards, and conduct a quick map and gap as new regulations came out.
This process took a number of years to build out the program, and then four years ago, we started mapping out the framework and preparing to get certified.
HITS.com: What advice would you give to other healthcare organizations that are maybe working toward their own certification?
DS: Start by mapping your current practices against ISO 27001:2013 to get a baseline of where your cyber security program is, and start the process based on risk. This way, you have a better understanding of the data, programs, processes, and documents that are already in place and can then make thoughtful investments based on risk, budgets, etc. to become certified.
HITS.com: What was the greatest challenge for Tufts Health Plan in working toward the ISO certification?
DS: ISO 27001:2013 certification requires that you have an internal audit performed by a third party, and while we were successful in identifying the best partner for Tufts Health Plan, we also had to work internally to identify the right team members to assist and respond during the internal audit phase. Finding that appropriate third-party partner could be a challenge for other organizations.
HITS.com: What do you think are top issues right now for healthcare organizations in terms of their data security?
DS: Advanced persistent threats, or APTs, on endpoints, such as your desktop, are a top issue. So often today, people – end users or anyone who has access to a computer – become an unwitting part of an attack. You get an email that looks like it’s from your friend, your bank, or a company you’re buying something from, and when you open it, your machine is being infected by malware that intends to steal data. This is similar to many of the attacks that have been in the news as of late, which is really part of a daily news cycle: who got hacked today?
So, advanced persistent threats and end users not knowing the role they play are both key issues.
HITS.com: What are key takeaways for healthcare organizations following large-scale data breaches, such as Anthem?
DS: It depends on the breach itself. If it’s a breach where something has gone wrong, for example, that could be a result of not investing in security. If someone has a laptop or other mobile device that is not encrypted and they lose it, then there’s a breach, and that’s a poor demonstration of due diligence, which could have been avoided by simply spending $50 to encrypt it. That’s one end.
On the larger end, and I think it’s highlighted every time a major breach occurs, there are entire groups of “soldiers” who do nothing but try and hack into companies, like with Sony, and the same can happen to healthcare organizations. When those types of people want to invest in the resources needed to access your data, that’s difficult to combat and plan against. Managing risk while enabling business and proactively monitoring is key to any cyber security program.