Abstract

Security and privacy are paramount pillars of the healthcare industry, as protected health information can reveal very sensitive information about a person. Prior to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), controls for securing health care facilities were discretionary (HHS, 2013, para. 2). The adoption of prescriptive controls allows a reasonable baseline of security to be applied to safeguard sensitive information. The prescriptive baseline must be flexible enough to allow organizations to adopt new technology, while also providing an adequate level of protection to the data that the new technology produces. Despite the move to a prescriptive set of control standards, 88% of all ransomware attacks occurring during the second quarter of 2016 occurred in the healthcare industry (Mulero, 2017, para. 2). While this statistic covers only three months, the figure is astonishingly high. To further complicate matters, a study conducted by the Ponemon Institute that included 91 healthcare organizations found that 90% had suffered a breach from 2014-2016 (Ponemon, 2016, p. 1). The primary motivation for attacks on the healthcare industry is the ability of a malicious actor to siphon enough information to steal entire identities (Security Scorecard, 2019, p. 2). This paper aims to discuss the role of the security officer in a major healthcare organization with regard to evaluating security posture. To provide a holistic approach to understanding the risks associated with the healthcare industry, it is important to understand the various functions performed inside the hospital and the electronic records that enable these departments to operate effectively. Hospitals and doctors' offices alike are also subject to many regulations, including HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and Payment Card Industry standards (Murphy, 2015, p. 64).
Therefore, the technical, operational, and physical controls must uniformly comply with the provisions set forth across multiple laws. While it is prudent for an organization to choose the methodology that most closely aligns with the organization's business goals, a single methodology may not provide adequate coverage. Therefore, choosing controls across a swath of methodologies to provide adequate coverage for the organization is recommended. For the assessment of the healthcare organization, this paper will focus on leveraging the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The Department of Health and Human Services has published a crosswalk between the HIPAA Security Rule and the security controls of various frameworks. The crosswalk maps each administrative, technical, and physical safeguard standard and implementation specification in the HIPAA Security Rule to the relevant controls in Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO) 27001, International Society of Automation 62443, and NIST 800-53 (HHS, 2016, p. 2). This linkage provides a rich resource from which to begin creating a risk profile management system. The strongest controls implement nine layers, pairing each of the detective, corrective, and preventive functions with each of the administrative, technical, and physical control methods (Cannon, 2016, p. 142).
