Information security guidelines for the healthcare industry

SecureWorks recommends the guidelines outlined below.

Security risk assessments
Performing regular security risk assessments will give your organization a much better understanding of the actual risks posed to your Protected Health Information (PHI) and Personally Identifiable Information (PII). This process will also look at the controls you have in place compared with regulatory requirements, and help you determine if there are any gaps. It will also give you an opportunity to compare your security posture with others in the industry. Recommendations made as a part of this process can be integrated into your overall information security program, keeping your security safeguards current, as well as helping your organization show diligence and a commitment to compliance.

Intrusion prevention and detection services
The implementation of IDS and IPS enables you to detect and block attempts by cyber criminals to access data on your servers and your network. Proactive alerting mechanisms and monitoring services can notify you of attempted cyber attacks and allow you to respond in real-time as a component of your Information Security Program. It is much less costly, both from a monetary and reputational perspective, to prevent a cyber breach then to be faced with notifying affected individuals and the Department of Health and Human Services (HHS), as required by the HITECH Act.

Data loss prevention
A DLP solution can help monitor your network traffic for possible leakage of PII such as social security numbers and PHI, such as Health Level 7 (HL7) codes (medical standards/procedures codes), etc.

Log monitoring
Log Monitoring centralizes and correlates audit logs from your applications and systems to allow you to identify improper access to sensitive patient data from internal or external sources. Proactive monitoring or regular reviews of logs is a key step in ensuring that your patient data is secure, as well as in meeting the short time-window required by the HITECH Act for notification of a breach.

Web application security testing and Web application firewalls
Web applications are becoming more common in healthcare environments. Due to their increasing role in the IT business environment and prevalence of security flaws, web applications are a frequent target of Internet hackers. Healthcare organizations and business associates should perform web application security testing regularly and when significant changes are made to the web applications in order to protect against current security threats. Also, the implementation of a web application firewall can help protect against emerging attacks being launched from cyber criminals.

Encryption
Implementing strong encryption policies and technologies on mobile devices, laptops, portable storage and backup tapes is key to reducing your risks with regards to improper data disclosure.