The Future of Healthcare Cybersecurity: The Best Defense is a Good Offense

March 20, 2015, Andrew Hicks, Managing Principal, Coalfire

In the last five years, with the increasing digitalization of health information, healthcare security breaches have increased four-fold, and the industry experienced more breaches than any other in 2013. With a large number of potential targets and the high value of personal medical information on the black market, healthcare organizations will continue to be appealing targets.

Data security in this particular sector lags behind other industries, and we’ve already seen how compliance alone didn’t keep electronic protected health information (ePHI) secure at Anthem. So how should healthcare organizations move forward and reduce the probability of a breach?

Get Proactive

Often, by the time security issues land on an organization’s radar, it’s too late. In the healthcare sector especially, organizations need to take a proactive and pre-emptive approach to ePHI security. This strategy of safeguarding both the organization itself and patient data, including tactics like vulnerability scanning, penetration testing and social engineering assessments, should be considered mandatory rather than merely best practice. A major breach could have drastic implications for a healthcare organization, and therefore every effort should be made ahead of time to prevent disaster.

A Quick Fix is Not a Fix

While there are many fast and inexpensive security technology solutions available to organizations of all sizes, throwing hardware and software at the problem is no longer a viable option. There’s no “set and forget” solution (and no “one and done” assessment) that can provide the comprehensive and thorough risk management program needed to properly secure data. As cybercriminals become increasingly sophisticated, so too must our methods of protection.

There is enormous pressure to increase security maturity in healthcare. To reach a mature security posture, organizations must understand security and risk budgeting and learn how to gain support from the executive and board level for the investment needed to protect data. By investing in a proper analysis of existing security controls now, organizations will save money in the long run: identifying the gaps first lets them prioritize future spending.

HIPAA & HITRUST – Future Annual Requirements?

Moving forward, the industry needs to push for more government-mandated security guidelines that include required annual HIPAA and HITRUST assessments.

The HIPAA Privacy and Security Rules comprise three types of safeguards: administrative, physical and technical. They provide basic compliance guidelines, but experts will often recommend a HIPAA assessment in tandem with HITRUST certification, which can provide an actionable roadmap to securing ePHI.

HITRUST (the Health Information Trust Alliance) is an organization developed by healthcare and IT professionals to help healthcare organizations protect patient information more extensively than a HIPAA assessment alone. While HIPAA is currently the federal mandate, HITRUST approaches security in a more holistic manner while simplifying the process. HIPAA regulations are now nearly 20 years old and can be difficult to interpret. Sole reliance on HIPAA guidelines can leave gaps in security controls, even when all recommendations have been met.

If government mandates were to shift towards HITRUST standards, the healthcare industry as a whole could benefit from a compulsory, uniform methodology across the board that enables organizations of all sizes to become certified. In this way, the industry can focus more on patient care and less on the fear of an impending data breach.
