On Tuesday February 17th, President Obama signed the economic stimulus package that carves out $19B for modernizing health information systems. The transition from paper to electronic records (e-records) in the healthcare industry has been under way for some time. Adoption is still small, though, and has been slow to ramp up because of technology considerations and the know-how that organizations’ staff need in order to work the new systems.
The Citizens’ Council on Health Care gave its official comment: “The economic stimulus bill passed by the U.S. Senate today will threaten the lives, security and privacy of American citizens.” The contention from a security and privacy standpoint is that the bill 1) does not require patients to be notified of unintentional releases of e-records made “in good faith,” even though it requires notification when a data breach occurs, and 2) does not protect patient data from government access or agendas, since HIPAA does not provide for privacy.
With identity theft scams on the rise, there could be serious risks for healthcare organizations moving to e-records without first understanding what security technologies and measures need to be in place.
So with the stimulus package signed, efforts across the industry will be kicked into high gear as organizations start rapidly moving patients’ records online. There are three core security considerations healthcare organizations must make as they start this process:
1. Manage Your Vulnerabilities
90% of cyber attacks exploit an already known software, O/S or configuration vulnerability.
That means that 90% of all attacks could have been prevented with an aggressive vulnerability management program and process.
The first step to effective and efficient vulnerability management is assessment and enforcement of standard configurations. 60% of attacks enter through a vulnerable configuration. Use an automated assessment tool to scan your network and identify current configurations, and make sure it uses NIST standards for configuration management. These two actions will dramatically reduce an attacker’s ability to exploit your configuration settings.
Next is application and O/S patching. Application and O/S vulnerabilities represent a huge area of opportunity for would-be thieves to exploit. Use a policy-based patch assessment tool with a strong reporting option. You should also conduct both device and application scans to understand what devices are plugged into your network as well as what applications are running and where. This visibility alone will identify potential risks that had not been seen before.
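The two workstreams just described, configuration assessment against a baseline and patch assessment against advisories, can be shown in a few dozen lines. The following is an added example, not code from the original post or from any scanner; the baseline, the advisories and the two-host inventory are constructed for illustration and are not a NIST checklist or real product data.

```python
"""Added example (not from the original post): configuration-baseline and patch
assessment over a constructed host inventory. BASELINE, ADVISORIES and FLEET are
made up for illustration; they are not a NIST checklist or any scanner's data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical hardening baseline: setting name -> required value.
BASELINE: Dict[str, object] = {
    "password_min_length": 12,
    "account_lockout_threshold": 5,
    "autorun_enabled": False,
    "removable_storage_write": False,
    "screen_lock_timeout_minutes": 15,
}

# Constructed advisories: package -> first version that contains the fix.
ADVISORIES: Dict[str, str] = {
    "pdf-viewer": "9.1.0",
    "db-client": "3.4.2",
    "browser": "72.0.1",
}


@dataclass
class Host:
    name: str
    settings: Dict[str, object]   # as reported by a (hypothetical) configuration scan
    packages: Dict[str, str]      # package -> installed version


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.3' -> (9, 0, 3), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def is_older(installed: str, fixed: str) -> bool:
    """True when installed < fixed; shorter tuples are zero-padded so '9.1' equals '9.1.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess_configuration(host: Host, baseline: Dict[str, object] = BASELINE) -> List[str]:
    """One finding per baseline setting that is absent or deviates on the host."""
    findings = []
    for key, expected in baseline.items():
        if key not in host.settings:
            findings.append(f"{host.name}: {key} not set (expected {expected!r})")
        elif host.settings[key] != expected:
            findings.append(f"{host.name}: {key}={host.settings[key]!r} (expected {expected!r})")
    return findings


def assess_patches(host: Host, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """One finding per installed package that is older than its advisory's fixed version."""
    findings = []
    for package, fixed in advisories.items():
        installed = host.packages.get(package)
        if installed is not None and is_older(installed, fixed):
            findings.append(f"{host.name}: {package} {installed} is below fixed version {fixed}")
    return findings


def assess_fleet(hosts: List[Host]) -> Dict[str, Dict[str, List[str]]]:
    """Per-host report that keeps configuration and patch findings separate,
    so the two workstreams can be tracked and reported independently."""
    return {
        host.name: {
            "configuration": assess_configuration(host),
            "patches": assess_patches(host),
        }
        for host in hosts
    }


# Constructed inventory of two workstations.
FLEET = [
    Host(
        name="ward-pc-01",
        settings={
            "password_min_length": 12,
            "account_lockout_threshold": 5,
            "autorun_enabled": True,             # deviates: autorun left on
            "removable_storage_write": False,
            "screen_lock_timeout_minutes": 15,
        },
        packages={"pdf-viewer": "9.0.3", "db-client": "3.4.2"},  # pdf-viewer unpatched
    ),
    Host(
        name="reception-02",
        settings={
            "password_min_length": 8,            # deviates: below baseline
            "account_lockout_threshold": 5,
            "autorun_enabled": False,
            "removable_storage_write": False,
            # screen_lock_timeout_minutes is missing entirely
        },
        packages={"browser": "72.0.1", "pdf-viewer": "9.1"},     # both at the fixed version
    ),
]

if __name__ == "__main__":
    for name, report in assess_fleet(FLEET).items():
        for category, findings in report.items():
            for line in findings:
                print(f"[{category}] {line}")
```

Keeping the two assessments in separate functions mirrors the post's ordering: configuration findings are the cheaper ones to close and are reported first, and the version comparison pads short version strings so that a package already at the fixed version is not flagged.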
2. Protect Your Data Not Just Your Endpoint
The greatest risk to your data is not malware, it’s people. While you should be aware of the rising risk of the malicious insider, the vast majority of data loss is really due to stupidity on the part of users (I say this in the kindest way possible).
Currently the most effective tool for the data thief is the memory stick. It’s small, easy to plug in, and nowadays memory stick capacities are measured in gigabytes, large enough to store whole databases. One way to address data loss is through the management and control of removable devices such as USB sticks. Safeguarding medical records requires effectively enforcing data access policies and auditing user activity involving sensitive and confidential data and systems.
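To make the device-control and auditing point concrete, here is an added example (not code from the original post or from any device-control product) of a removable-storage policy evaluated over a batch of device events, with every event, allowed or denied, written to an audit trail. The roles, the organization-issued serial numbers and the events themselves are constructed.

```python
"""Added example (not from the original post): a removable-storage policy check
with an audit trail. Roles, serial numbers and events are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DeviceEvent:
    timestamp: str
    user: str
    role: str
    device_class: str   # "usb_storage", "usb_keyboard", ...
    serial: str
    encrypted: bool     # hypothetical: True when the volume presents as encrypted
    action: str         # "connect", "read" or "write"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical policy: only organization-issued, encrypted sticks may carry data,
# and only records administrators may write to them. Anything else is denied.
ISSUED_SERIALS = {"ORG-ENC-0001", "ORG-ENC-0002"}
WRITE_ROLES = {"records_admin"}


def evaluate(event: DeviceEvent) -> Decision:
    """Apply the policy to one event; storage is the only controlled device class."""
    if event.device_class != "usb_storage":
        return Decision(True, "non-storage device, not controlled")
    if event.serial not in ISSUED_SERIALS:
        return Decision(False, "removable storage not issued by the organization")
    if not event.encrypted:
        return Decision(False, "issued device presented without encryption")
    if event.action == "write" and event.role not in WRITE_ROLES:
        return Decision(False, f"role {event.role!r} may not write to removable storage")
    return Decision(True, f"{event.action} on issued encrypted device")


def audit(events: List[DeviceEvent]) -> List[Dict[str, object]]:
    """Record every event with its decision. Allowed events are logged too, so that
    legitimate access to sensitive data remains reviewable, not just the denials."""
    records = []
    for e in events:
        d = evaluate(e)
        records.append({
            "timestamp": e.timestamp,
            "user": e.user,
            "device": f"{e.device_class}:{e.serial}",
            "action": e.action,
            "allowed": d.allowed,
            "reason": d.reason,
        })
    return records


def denied(events: List[DeviceEvent]) -> List[Dict[str, object]]:
    """The subset of audit records that the policy blocked."""
    return [r for r in audit(events) if not r["allowed"]]


def denials_per_user(events: List[DeviceEvent]) -> Dict[str, int]:
    """Count denials by user; repeated denials are a natural review trigger."""
    counts: Dict[str, int] = {}
    for r in denied(events):
        counts[str(r["user"])] = counts.get(str(r["user"]), 0) + 1
    return counts


# Constructed events for one morning on a ward.
EVENTS = [
    DeviceEvent("08:01", "nurse_a", "nurse", "usb_keyboard", "KB-1", False, "connect"),
    DeviceEvent("08:05", "nurse_a", "nurse", "usb_storage", "RETAIL-7731", False, "connect"),
    DeviceEvent("08:10", "admin_b", "records_admin", "usb_storage", "ORG-ENC-0001", True, "write"),
    DeviceEvent("08:12", "nurse_a", "nurse", "usb_storage", "ORG-ENC-0002", True, "write"),
    DeviceEvent("08:15", "nurse_a", "nurse", "usb_storage", "ORG-ENC-0002", True, "read"),
    DeviceEvent("08:20", "admin_b", "records_admin", "usb_storage", "ORG-ENC-0001", False, "write"),
]

if __name__ == "__main__":
    for record in audit(EVENTS):
        verdict = "ALLOW" if record["allowed"] else "DENY "
        print(f"{record['timestamp']} {verdict} {record['user']:8} {record['device']:26} "
              f"{record['action']:7} {record['reason']}")
```

The policy is deliberately default-deny for storage: a retail stick is refused at connection time, an issued stick that shows up unencrypted is refused even in the hands of an administrator, and writes are tied to a role rather than to a person. The audit trail records the allowed events as well, which is what makes user activity with confidential data reviewable after the fact.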
3. Take a New Approach To Malware
Malware is exploding exponentially everywhere, and endpoints are the likeliest entry point for it. Traditional security approaches such as AV are falling behind because AV firms cannot keep up with the growth in malware signatures.
In the past we relied on “blacklisting”: allow everything to flow freely, then attempt to enumerate the bad with a signature and block it. That worked well in an environment where the number of bad things to look at was manageable.
But we have been going about this backwards for too long now. You need to consider adding application control, or whitelisting, as a new layer in the foundation of endpoint security. Whitelisting is about identifying the known good and, by default, not letting anything other than what is on the whitelist execute in the O/S kernel. It is the most effective security layer because it prevents execution in the kernel. Whitelisting solutions are affordable, easy to implement and extremely effective.
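The contrast between enumerating the bad and enumerating the known good is easiest to see in code. What follows is an added example, not code from the original post or from any whitelisting product: an application allowlist keyed on the SHA-256 of the executable's contents, with default deny, so that a renamed or modified binary is refused even when its file name matches an approved program. The "executables" are constructed byte strings standing in for real files.

```python
"""Added example (not from the original post): an application allowlist keyed on
SHA-256 of executable contents, with default deny. The "binaries" below are
constructed byte strings, not real programs."""
import hashlib
from typing import Dict, List, Set, Tuple


def fingerprint(contents: bytes) -> str:
    """Content hash of an executable; the file name is deliberately not part of it."""
    return hashlib.sha256(contents).hexdigest()


def build_allowlist(approved: Dict[str, bytes]) -> Set[str]:
    """Hash each approved program once, at deployment time, from a trusted copy."""
    return {fingerprint(data) for data in approved.values()}


def is_execution_allowed(contents: bytes, allowlist: Set[str]) -> bool:
    """Default deny: only content whose hash is on the list may run."""
    return fingerprint(contents) in allowlist


def approve(allowlist: Set[str], contents: bytes) -> Set[str]:
    """Rolling out a new build means approving its hash explicitly (a change-controlled
    step); nothing is trusted merely because it replaced an approved file."""
    return allowlist | {fingerprint(contents)}


def check_execution_attempts(attempts: List[Tuple[str, bytes]], allowlist: Set[str]) -> Dict[str, bool]:
    """Return {file name: allowed} for a batch of (name, contents) execution attempts."""
    return {name: is_execution_allowed(data, allowlist) for name, data in attempts}


# Constructed stand-ins for two approved programs.
APPROVED = {
    "records-viewer.exe": b"MZ\x90\x00records-viewer build 4.2",
    "pdf-viewer.exe":     b"MZ\x90\x00pdf-viewer build 9.1",
}
ALLOWLIST = build_allowlist(APPROVED)

# Constructed execution attempts seen on an endpoint.
ATTEMPTS = [
    ("records-viewer.exe", APPROVED["records-viewer.exe"]),           # unchanged: allowed
    ("pdf-viewer.exe", APPROVED["pdf-viewer.exe"] + b"\x00tampered"), # modified in place: denied
    ("records-viewer.exe", b"MZ\x90\x00not the real viewer"),         # right name, wrong bytes: denied
    ("invoice.pdf.exe", b"MZ\x90\x00something never approved"),       # unknown: denied
]

if __name__ == "__main__":
    for name, allowed in check_execution_attempts(ATTEMPTS, ALLOWLIST).items():
        print(f"{'ALLOW' if allowed else 'DENY '} {name}")
    # A legitimate new build is admitted only by approving its hash.
    new_build = b"MZ\x90\x00pdf-viewer build 9.2"
    print("new build before approval:", is_execution_allowed(new_build, ALLOWLIST))
    print("new build after approval: ", is_execution_allowed(new_build, approve(ALLOWLIST, new_build)))
```

Note that the dictionary returned by `check_execution_attempts` is keyed by file name, so the two `records-viewer.exe` attempts collapse to the later (denied) one; the individual decisions come from `is_execution_allowed`. The point the post makes is visible in the last two attempts: a blacklist would need a signature for the trojaned viewer and for the unknown `invoice.pdf.exe` before it could stop either, whereas the allowlist refuses both without knowing anything about them.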
By following these three core security considerations, healthcare organizations will be ready to protect patients’ records online. Remember that most of your risk can be efficiently and effectively managed through an aggressive vulnerability management program. Get your arms around data loss by focusing on the greatest risk, removable storage media, and applying device and policy controls backed by technology enforcement. Then add further layers of effective security such as application control.