Kurt Mueffelmann

IT Matters - Access control strategies to secure health care data

September 06, 2015
Cyber security threats, and the need to incorporate data access controls into personal and enterprise devices, plague industry worldwide. Community Health Systems, The Home Depot, JP Morgan, Sony and many others have fallen victim to sophisticated attacks that compromise sensitive information. While retail, finance and every industry in between are forced to rethink their approach to security, perhaps health care violations hit most intimately. Health care attacks go beyond just financial impact and the problem is getting worse. Late last year, Gizmodo reported on a study that found hospital hacks are skyrocketing because “hospitals are super easy to hack.” Securing access — at all touch points — to personal health information remains a challenge for health care IT. Whether it’s the precision health movement, managed care, supply chain management, or transitioning to electronic health records, providers can’t seem to find the right solution to secure data and restore patient confidence.

From drug and device makers, to hospitals and providers, to patients and families, the health care supply chain is demanding unique security approaches that disrupt traditional models of network access control, to better mitigate threats.These challenges are quite evident when addressing Health Insurance Portability and Accountability Act (HIPAA) compliance. Headline-making breaches of protected health information tell tales of astronomical numbers of medical records being accessed without permission. Besides Community Health Systems’ loss of 4.5 million patient records, Adventist Health System/Sunbelt, Bon Secours, the South Carolina Department of Health/Human Services and Anthem have also experienced major breaches. In each case, exploiting PHI was relatively easy. Collaboration across the entire value chain can alleviate much of PHI’s risk of exploitation and ensure HIPAA compliance.

Health care payor and provider compliance and risk managers are tasked with ensuring that information stays safe and is handled appropriately. How do they establish, manage and maintain an efficient access management strategy? The first step is to implement health care data policies and compliance strategies. Once you’ve specified the PHI and policies needed to cover it — as well as any other type of sensitive and or/confidential content from structured to unstructured data throughout the organization — dynamic, identity-driven security and compliance solutions provide an answer for protection.

A Belt and Suspenders Approach to Securing PHI
When handling PHI, we suggest a belt and suspenders approach to eliminating risk. First and foremost, you need to be able to collaborate on content with PHI, but you need to do so securely. Following are six steps that can be taken to ensure organizations maintain a proactive, layered and preventive risk approach.

1. Auditing– Automated, constant information scans against policy checkpoints, and corporate policies and documents, enable organizations to assess the levels of sensitive information present and identify compliance issues. It’s also important to look at both data at rest and in motion to capture any problems in real time.

2. Reporting – With standard and customized reports, compliance and privacy officers gain real-time insight into the status of an operating environment, can identify teams/departments where issues are recurring, and measure progress against compliance objectives over time. Reporting also calls red flags to attention, empowering developers and QA teams with the agility to target and fix issues.

3. Classifying – Identify sensitive content, at rest or in motion, and dynamically classify the content to identify it as having a certain level of risk.

4. Restricting – Established business rules should determine the classification of a document, as well as access to it by an individual and/or group, even if a wider audience has access to its physical location. Instituting file level permissions allows administrators to better handle multiple users. Managing file permissions is easier if they are based on the metadata values added at the time of classification.

5. Encrypting – In addition to securing a document based on its classification, further secure highly sensitive content such as PHI by encrypting it, ensuring that only approved audiences inside or outside of the use environment can access it. In fact, the U.S. Department of Health and Human Services (HHS) dictates as part of the HIPAA Security rule that encryption must be used to protect data at rest and in motion.

6. Tracking – The entire life cycle of every document should be tracked, so a compliance or regulatory officer can see if and when a document has been read, emailed or printed, and by whom. Recording every stop on the document’s journey is critical in the event of a breach or regulatory audit.

About the author: Kurt Mueffelmann is the president and CEO of Cryptzone. He has 20+ years of experience in the software industry, and has led HiSoftware (acquiredby Cryptzone in September 2014) to steady growth since 2006 with a portfolio of industry- recognized, award-winning products.