Is DIY Network Security a Good Idea?
By Jason Riddle
Patients and clients count on healthcare providers, payers, and business associates to protect their electronic health records. For optimal care, patients need to feel comfortable divulging personal information that could cause them injury—financially, emotionally, and/or physically—should it be illegally accessed or corrupted by hackers or malware.
Additionally, covered entities are required by HIPAA/HITECH laws to maintain a certain level of network security. Violation of these regulations could result in stiff fines, a disruption in operations, and a general loss of goodwill among the people who do business with them.
Many small to medium-sized organizations are managing some if not all of their network security on their own. Here is one question they often ask:
Do we have enough protection for our patients’ data, or do we need to hire outside professionals to do the job for us?
While there is no right or wrong answer to this, there are a few factors that need to be considered.
HIPAA/HITECH was designed with built-in flexibility so that organizations could make their own decisions about their level of investment in network security. For example, a large organization may choose to hire an outside cyber security firm to monitor its networks around the clock, but a three-person doctor’s office might be hard pressed to put such an aggressive solution in place. Office for Civil Rights (OCR) auditors, who are responsible for monitoring HIPAA compliance, recognize that organizations of various sizes make decisions based on practical constraints.
As covered entities make decisions for (or against) increasing security, the reasoning and conclusions should systematically be written down. OCR auditors generally take into consideration all well-documented justification.
One way to think about whether or not to hire an outside vendor to assist with network security is to recognize that a solution doesn’t have to be all or nothing. For example, some companies will hire an independent third party to conduct an initial security risk analysis. This gives them the objectivity where it counts—identifying vulnerable areas and obtaining guidance on how to address them.
Once the fix-it plan is set, the internal IT team can assume responsibility for maintaining the network’s security from there on out. This hybrid solution can often save money: cyber security professionals will likely identify problems faster and can point the team toward tools that are free or low cost.
If an organization is committed to a DIY network security solution — whether starting out with the help of professionals or taking it all on independently — it takes more than someone who is just an IT whiz to manage a network security program. There are six main areas that a security officer must be well versed in to carry out the required responsibility:
- Understanding HIPAA compliance. A security officer must understand the HIPAA/HITECH regulations and what compliance really means. This includes (but is not limited to) regular security risk analyses, documenting all security measures, and reporting any breaches that may have occurred.
- Securing the data. Firewalls and antivirus software are a must, but that’s just the minimum. Some of the other areas to be addressed are data encryption, regularly scheduled reviews of all logs (on the firewall and the server), restricted access, and regular data backups.
- Securing the facility and equipment. Physical access to computer equipment must be controlled at all times. Doors to the server room should be locked. When appropriate, screens should be protected from nosy passers-by. The security officer should have an eye for the logistics of the facility and areas that might pose a risk to keeping patient data secure.
- Monitoring mobile access. Decisions need to be made about how employees are able to access data from mobile devices. Types of data that can be obtained wirelessly might need to be limited, and employees will need to be aware of the whereabouts of their mobile devices at all times.
- Training the staff. A lot of security breaches are the result of human error. Everyone in the organization needs regular reminders that they are handling sensitive data and needs to be aware of actions they might be taking that jeopardize it.
- Understanding relationships with business associates. Responsibility for protecting client and patient data extends to everyone that has access to it. If a third party does the billing, for example, it’s critical that they are compliant as well.
A DIY network security solution for healthcare organizations is not necessarily a bad idea. But it does need to be a well-thought-out one. Patients and clients are counting on it.
Jason Riddle is practice leader with LBMC Managed Security Services of Nashville, TN.