How to Make Info Security SustainableLooking at Big Picture, Not Just Compliance, is Vital
In the struggle to comply with changing regulatory requirements amidst an evolving technological environment, the size, complexity and wide-ranging nature of the information security challenge can be overwhelming for many healthcare providers, especially smaller organizations with limited resources.
The custodians of healthcare data have a weighty responsibility for information security on an enterprisewide scale - not only for protected health information, but also for information related to employees, company financial information, and intellectual property such as research data.
Even when these resources are applied properly, developing and improving an organization's information security posture requires time, consistency and discipline.
Rather than following the natural tendency to concentrate limited resources on the most obvious, urgent regulatory compliance needs, those responsible for information security can better serve their organizations by taking a broader, enterprisewide view of the issues. Considering the bigger picture in a disciplined, methodical manner can lay the foundation for a more sustainable, risk-based approach that assesses - and, above all, prioritizes - the full range of information security issues.
Developing a Solution
Obviously, a healthcare organization's every risk can't be mitigated to an ideal level. As British parliamentarian Nigel Lawson once observed, "To govern is to choose." In the same way, those responsible for the governance of information security must choose from numerous competing priorities and determine which risks require the most immediate application of resources.
Information security can't be addressed by focusing on a single component of the issue. In other words, information security is not a technology problem; it requires effective people, processes and technology controls. When developing a solution, it can be helpful to visualize information security at the enterprise level as a framework composed of broad governance and foundational domains, specific security domains and the tools and techniques required for implementation.
Three Governance Components
Governance consists of three components:
- Policies and procedures, required for standardization and accountability, that reflect an organization's risk tolerance by identifying what is required or permissible and what is not permissible;
- Roles and responsibilities, which reflect security ownership of an organization - in this instance, the information services and technology departments - by aligning needs and skills as necessary to achieve specific goals;
- Risk management, which holds everyone accountable by conducting regular assessments to identify gaps in implementation and control and by monitoring issue remediation over time.
The 11 Security Domains
Confidentiality, integrity and availability are the hallmarks of information security. Patient information and other sensitive information must be kept confidential, the information's accuracy and integrity must be maintained and the information must be available to those with a legitimate need for it.
Each of these considerations must be addressed across the 11 information security domains of the organization:
- Third-party risk management - establishment of a data-sharing inventory and security reviews, both as part of the vendor selection process and on an ongoing basis.
- Regulatory compliance - including compliance with HIPAA requirements, HITECH Act electronic health record meaningful use requirements, individual state privacy regulations and federal security regulations.
- Data protection - data classification, inventory, protection controls, encryption, data destruction and incident response.
- Logical security - authentication, access management through user requests and terminations, user access reviews and segregation of duties.
- Employee management - hiring practices, security training and employee policies and standards.
- Logging and monitoring - of applications, databases, servers, networks and wireless components.
- Business continuity management - consisting of a business impact assessment, business continuity plan and disaster recovery plan - and contingency plans, critical systems redundancy and backup processes.
- Security configuration management - servers, databases, mobile security, network devices and wireless access.
- Physical security - storage and security of information security documentation, records management and the data center.
- Security change management - for the system development life cycle, security integration, application risk profiling, security testing and secure coding practices.
- Threat and vulnerability management - including anti-virus standards, patch management and vulnerability management programs.
Approaching security in this fashion permits a meaningful assessment that highlights specific risk areas based on domain, thus putting the focus on regulatory concerns while also maintaining a broad view of enterprisewide considerations.
The Three Resource Types
Measurable success in information security requires effectively applying three broad categories of resources:
- People - those responsible for adhering to security control processes and using technology;
- Processes - practices in which security controls are implemented to attain consistency and accountability of use and appropriate changes to the IT environment;
- Technologies - enabling people to act on processes in an efficient, secure and controlled manner.
Even when these resources are applied properly, developing and improving an organization's information security posture requires time, consistency and discipline. The adoption of policies and procedures and the introduction of new technologies require new controls and a continuous assessment of the security posture.
An early outcome of these efforts should be a clear ranking of projects that takes into account both the severity of the risk and the resources required to address it. The goal is to identify quick-win projects along with short- and long-term projects. The work also helps to identify the lowest-priority risks, which the organization might decide to accept rather than expend its limited resources to mitigate.
Such an analysis is critical to any effective risk management strategy, particularly when there are technological, financial and operational risks. Using this approach, those responsible for information security can develop a practical road map to guide their information security risk management efforts and improve the online security position of the organization over the near, medium and long term.
By developing a practical, usable road map that addresses the fundamental governance elements of information security as well as the specific security domains in each organization, healthcare providers can efficiently identify their true information security priorities. At the same time, they will gain a better understanding of the integrated role of security in safeguarding patient information and other sensitive data.
Raj Chaudhary is a principal in risk consulting services and the security and privacy services leader at Crowe Horwath LLP, a public accounting and consulting firm. He has more than 30 years of experience developing enterprisewide security and privacy programs, executing security strategies and assessments and auditing and enhancing security practices and physical security procedures.