The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to keep sensitive patient data safe. It’s security rules have been published since 2003, and yet, nearly 35% of the record-setting number of reported data breaches in 2016 happened in the healthcare industry.
It is no secret that security healthcare data is becoming more of a challenge and as the Health and Human Services Office for Civil Rights commits to proactive HIPAA audits in 2017 and beyond, it’s becoming more critical to ensure that you are collecting the security information you need, both to provide the best possible security and also to validate your compliance status.
Why is Security in Healthcare So Challenging?
Whether it’s a large hospital with well-staffed technical team, or a smaller organization with a single IT person, there seems to be one prevailing mindset—“focus on patients and keep systems running” rather than “maximize security.”
One of the unique challenges with healthcare and hospitals in particular, is the sheer volume and type of data that needs to be collected to support compliance and overall security. Providers are also becoming more and more connected, with little vulnerability mitigation in sight.
Even in the case of a small organizations, there are so many nuanced angles to consider. Many different sub-entities all have different requirements from a networking operations standpoint:
- Varied use of electronic health records impacts traffic volume
- External data collection in some departments
- Consumers and employees require bandwidth for personal use
- Some departments have zero connectivity outside of a single room and require fewer IT resources.
Fluctuating operating requirements across departments give network admins plenty to worry about without trying to maximize security efforts. In large organizations, performing security monitoring of large volumes of network traffic becomes time consuming, complex and expensive.
Up until last year there hasn’t been much of a threat of compliance auditing from Health and Human Services (HHS). There weren’t any repercussions for lackluster cybersecurity other than fines for a data breach - if one occurred. They have now said that they will continue to do proactive auditing of organizations on an ongoing basis. This means anyone could be audited at any time and they should all expect it to happen at some point.
Now that HIPAA audits are a real possibility, organizations of all sizes have to take control of data sprawl within their organizations and keep track of who has access to PHI and monitor its use.
How Do You Get the Data You Need?
Keeping systems up and running is literally the difference between life and death in the healthcare industry. But as hospital IT departments focus on performance and availability, security still needs to be top of mind. The complexities of networks needs in healthcare all add to the challenge of collecting the data you need to get visibility and support compliance. A few of the key data points that need to be collected are:
- Logs….lots and lots of logs.
- Network traffic to analyze. Sounds simple enough, but there are a lot of packets on even the smallest network
- Threat intelligence data – usually from vendors, partners or organizations that publish this
- Context data – why did Bill from accounting just log into his computer when he is on vacation this week?
Logs and events are essential from every critical component in your environment and in many cases, systems you would consider non-critical, such as a receptionist workstation. Logs are a permanent record of something very simple that happened to a device. On a firewall, they will tell you what sessions were established, who has logged into the device and who has made changes to it. In directory services, logs will tell you when new users were created, accounts disabled, administrative privileges granted and much much more. All essential data when talking about security and compliance.
Analyzing network traffic sounds simple enough until you think about how many packets are flying around on every device and where they might be going to or coming from. The biggest bang for your buck is always going to be to monitor your Internet ingress/egress traffic, but even that poses challenges that need to be thought about.
- How many physical interfaces are in your firewall that are passing traffic?
- Multiple internal segments, servers, DMZ, more?
- Do you have redundant firewalls that are cabled to multiple switches?
- You need to monitor each link, to ensure that you are still capturing data when they fail over
- How are you analyzing network traffic – multiple tools that need to receive a copy of traffic?
- Most switches only support 1 or 2 mirror ports
- How much traffic is there? Intelligent IDS takes a great deal of resources (CPU) to process packets, can you handle it all?
- How much guest traffic to you have?
- Think about how many users might be in a single hospital using Guest Wireless to browse Facebook. That is a lot of traffic that doesn’t need to be analyzed.
Evaluating Your Options
To be able to get the data you need and do something meaningful with it, you need to arm yourself with the right tools to do it and resources to manage them. If you need help in this arena, give us a call, for a free consultation or discussion on the best security options. Not ready for that step? Here a few pointers to get started:
To handle the log collection analysis and meet your compliance requirements, you need to get a Security Event and Information Management (SIEM) tool. There are several out there that work well (Kiwi will not work for this), but the most important thing with any SIEM is to get a handle on what data you want to collect, what is the volume and how you want to analyze it. This will help you find the right tool and size it properly to handle the data you want to collect. Also know how long you have to keep the data – it adds up quick and can be expensive to store. Keep in mind that all log data is not created equal and some has no security or compliance value. If you want to collect all of your server error events and non-security operational logs, send them to an ELK stack. That will be far cheaper.
Network analysis requires its own set of tools as well. In most cases we are talking about feeding data to a dedicated network Intrusion Detection System (IDS), full packet capture tool or something else that is network aware. Mirror or monitor ports on switches can sometimes suffice for getting data to these tools, but the answers to the question above all play a big role. Typically, you are looking at needing something like a network tap and/or packet broker. These allow you to physically get in the middle of multiple network links, aggregate them into a single appliance and send just the packets you want out to multiple network appliance.
Need to TAP multiple fiber links and send data to a 1Gb copper interface? Have 4Gb of network traffic and can only monitor 1Gb with your IDS? Want to monitor only traffic between your user community and a couple critical servers? No problem; throw all the data at a packet broker and filter out what you need, so that you only get the traffic you care about and your tools can handle it.
For more info on this check out Garland Technology’s network TAPs and packet broker technology—for visibility into every bit, byte, and packet® on our clients’ networks.
To learn more about an MSSP approach that focuses on the healthcare industry, simplifies security and adheres to HIPAA compliance, contact my team today.