Health care gets a ‘D’ in cybersecurity, but no one scores high

The health care sector scored a ‘D’ grade in overall cybersecurity for 2016, but other industries didn’t fare much better, with the retail sector scoring a high ‘C,’ according to Tenable Network Security. Cybersecurity experts in most industries showed decreased confidence in their industry’s ability to assess risks and mitigate threats. New and increased challenges, including new platforms and environments and continued use of mobile devices, contributed to the decrease.

Tenable asked 700 security practitioners from seven industries and nine countries about their attitudes and beliefs toward security defenses, rather than about actual effectiveness. Health care security professionals’ average confidence level in their risk assessments was only 54 percent, down 18 percent from Tenable’s 2015 report. Professionals were more confident in their ability to mitigate threats through security assurances, showing an average 76 percent confidence level, an increase of 1 percent from 2015. They were most comfortable in their ability to convey risks to executives and board members, measure security effectiveness, and view network risks continuously. However, a common theme across industries and countries was professionals’ concern that the executive level did not respond effectively once given information about risks.

Tenable noted significant health care sector weaknesses in assessing mobile devices. Confidence in risk assessment for mobile devices dropped 8 percent across all industries from 2015, and the web application security rating dropped 18 percent, the largest drop in any risk assessment category. The health care sector also showed weakness in assessing risks with respect to two new categories, development and operations (DevOps) environments and containerization platforms. DevOps is a set of practices that emphasizes collaboration and communication between software developers and other information-technology (IT) professionals, and that also includes an automation component for software delivery and infrastructure changes. Containerization technologies allow multiple isolated systems to run on a single control host by packaging each in a “container” with its own operating environment.

Kusserow on Compliance: Guarding against mobile device breaches: Tips from an expert

Camella Boateng, an expert on HIPAA, makes the point that “Most HIPAA breaches involve mobile devices. Such breaches dominate the under-500-patient breaches, which has masked the true number of such breaches. The publicity of these types of breaches is likely to change as OCR begins implementing its new policy to investigate breaches under 500. Of particular note, the OCR has announced that in selecting organizations for audit, one factor will be whether or not they report minor breaches. From experience, they expect that almost any organization will have a HIPAA breach of some sort or another over time; and therefore those that report no breaches can be considered suspect.” She offered the following checklist of tips on mobile device security and precautions.

  1. Provide management, accountability, and oversight structures for covered entities.
  2. Establish policies, protocols, processes, and procedures for mobile device use.
  3. Provide training on the bring your own device (BYOD) policy.
  4. Keep an inventory of personal mobile devices authorized to access and transmit electronic protected health information (ePHI).
  5. Use a device key, password, or other user authentication to verify user identity.
  6. Install and/or enable encryption that protects protected health information (PHI) stored on and sent by mobile devices.
  7. Install or enable firewalls and regularly update security software (such as anti-malware).
  8. Install or activate remote wiping and/or disabling.
  9. Reinforce constantly to keep devices under personal control or under lock and key.
  10. Install radio frequency identification (RFID) tags to help locate lost or stolen mobile devices.
  11. Establish remote shutdown tools that can remotely lock lost mobile devices.
  12. Disable or do not install file-sharing applications on devices used for ePHI transmission.
  13. Establish electronic processes to ensure unauthorized parties do not destroy or alter ePHI.
  14. Conduct training on procedures for using mobile devices to access ePHI.
  15. Educate clinicians on the risks of data breaches, HIPAA violations, and fines.
  16. Delete all stored PHI before reusing or discarding a device.

After following all of the above steps, perform an outside independent security risk assessment to determine (a) if personal mobile devices are being used to exchange ePHI; (b) which devices are used on internal networks; (c) what information is accessed, received, stored, and transmitted; (d) whether proper authentication, encryption, and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.
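The assessment questions (a) through (e) and the technical controls in the checklist (authorized inventory, device authentication, encryption at rest and in transit, remote wipe, no file-sharing apps, trained users) can be turned into a repeatable posture check over a device inventory. The following is an added example written for this page, not code from the article or its author; the `Device` field names and the sample inventory are assumptions standing in for whatever an MDM or asset-management export would actually provide.

```python
"""
Mobile device ePHI posture check (added example, not from the original article).
Evaluates a constructed device inventory against the checklist's technical
controls and answers the assessment questions (a) through (e).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    """One inventory row. Field names are assumptions for this example."""
    device_id: str
    owner: str
    authorized: bool              # item 4: listed in the authorized-device inventory
    accesses_ephi: bool           # assessment (a)/(c): accesses, stores or transmits ePHI
    on_internal_network: bool     # assessment (b)
    screen_lock: bool             # item 5: device key, password or other authentication
    storage_encrypted: bool       # item 6: PHI at rest
    transport_encrypted: bool     # item 6: PHI in transit
    remote_wipe_enabled: bool     # items 8 and 11
    file_sharing_apps: List[str]  # item 12
    user_trained: bool            # items 14-15, assessment (e)


def assess_device(d: Device) -> List[str]:
    """Return findings for one device; an empty list means it passes."""
    findings: List[str] = []
    if not d.accesses_ephi:
        # Devices that never touch ePHI are out of scope for these controls.
        return findings
    if not d.authorized:
        findings.append("accesses ePHI but is not on the authorized-device inventory")
    if not d.screen_lock:
        findings.append("no device key/password/user authentication")
    if not d.storage_encrypted:
        findings.append("PHI at rest is not encrypted")
    if not d.transport_encrypted:
        findings.append("PHI in transit is not encrypted")
    if not d.remote_wipe_enabled:
        findings.append("remote wipe/disable not enabled")
    if d.file_sharing_apps:
        findings.append("file-sharing apps installed: " + ", ".join(sorted(d.file_sharing_apps)))
    if not d.user_trained:
        findings.append("user has not completed mobile ePHI training")
    return findings


def assess_fleet(devices: List[Device]) -> Dict[str, object]:
    """Per-device findings plus the fleet-level answers to questions (a), (b) and (d)/(e)."""
    findings = {d.device_id: assess_device(d) for d in devices}
    ephi = [d for d in devices if d.accesses_ephi]
    return {
        "findings": findings,
        "ephi_devices": sorted(d.device_id for d in ephi),                       # (a)
        "unauthorized_ephi_devices": sorted(d.device_id for d in ephi if not d.authorized),
        "internal_network_devices": sorted(d.device_id for d in devices if d.on_internal_network),  # (b)
        "noncompliant": sorted(k for k, v in findings.items() if v),               # (d)/(e)
    }


# Constructed sample inventory; not real devices or people.
SAMPLE_INVENTORY = [
    Device("phone-01", "dr.adams", True, True, True, True, True, True, True, [], True),
    Device("phone-02", "nurse.bell", False, True, True, True, False, True, False, ["dropbox"], False),
    Device("tablet-03", "dr.chen", True, True, False, False, True, True, True, [], True),
    Device("phone-04", "admin.diaz", True, False, True, False, False, False, False, ["airdrop"], False),
]


if __name__ == "__main__":
    report = assess_fleet(SAMPLE_INVENTORY)
    for key in ("ephi_devices", "unauthorized_ephi_devices", "internal_network_devices", "noncompliant"):
        print(f"{key}: {report[key]}")
    for device_id, items in report["findings"].items():
        for item in items:
            print(f"  {device_id}: {item}")
```

Note the scoping choice: a device that does not access ePHI (phone-04 in the sample) produces no findings even with weak settings, because the checklist's controls are framed around ePHI; question (b) still lists every device on the internal network, so such devices remain visible to the assessor rather than silently dropped.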

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.



Copyright © 2016 Strategic Management Services, LLC. Published with permission.