No one wants to get hacked. Even in the most benign case, it means information that many would rather keep quiet is out, loose, in some unauthorized person's hands. In the worst case, the leaked information can ruin credit ratings, reputations, even lives outright. A recent report from Health Data Management took a closer look at the issue, bringing in three experts in health information technology security for insight on how to prevent breaches from happening in the first place. Each was asked the same key question: what is the most important thing healthcare organizations should be doing, but aren't, to reduce their overall hacking risk?
First came word from Howard Burde of his eponymous firm, Howard Burde Health Law. Burde noted that risk assessment is the key to protection against hacking, and suggested that an annual assessment should be the minimum, with more frequent assessment welcome. Burde also suggested using a third-party security expert to avoid the bias that comes from being invested in the current environment. The third party has no “skin in the game,” so to speak, and will therefore point out risks without worrying about the effect on their own career.
Then came a response from tw-Security's Tom Walsh, who focused on patch management. Hackers, Walsh noted, are constantly looking for an easy way into a system, and unpatched systems represent one of the biggest liabilities an organization can face. Most organizations rely on vendors to provide patches, but vendors often engage in extensive testing before releasing them. Walsh further noted that because patches can cause operational issues with software already in place, vendors are in no hurry to release patches that might cost them future sales.
Finally, taking the most well-rounded approach was David Holtzman of CynergisTek, who advised that there really is no “one single thing” healthcare organizations should be doing, but aren't, to achieve IT security. Holtzman not only recommended regular risk assessment, as Burde did, but also espoused a balanced approach to security in general: don't focus solely on perimeter protection, such as antivirus programs and firewalls, but also on internal protection, using encryption to make any stolen data largely worthless.
In the end, there are a variety of approaches to protecting against a hacking, and while these were geared toward healthcare operations, the points made have value for those outside the healthcare field as well. Anyone with data that needs protecting, from medical records to customer lists to credit card transactions, can take a cue from these suggestions. Carry out more assessments, and have impartial third parties run them to keep “sacred cow” effects from creeping in. Keep patches up to date and apply the updates that are available. Take a wider, more holistic approach to security rather than focusing on one area, lest some other area prove weak enough to walk in through; no one puts a steel door on a house with a broken window.
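Walsh's warning about unpatched systems, and the summary's advice to keep patches current, are easier to act on if the inventory of deployed software is checked against vendor advisories on a schedule. The following is an added example, not code from the article or from any of the firms named; it compares installed component versions against a list of advisories, flags anything still below the fixed version, and reports how long each gap has been open. The component names, version numbers, advisory identifiers and dates are constructed sample data, and the real work in practice is feeding it a live inventory and a real advisory feed.

```python
"""Flag deployed components that have not received an available patch.

Added example for this article, not code from Health Data Management or
from the experts quoted. All inventory data and advisories below are
constructed samples, not real products or real vulnerability identifiers.
"""
from datetime import date

# Constructed sample inventory: component name -> installed version.
INVENTORY = {
    "pacs-viewer": "4.2.1",
    "hl7-gateway": "2.9.0",
    "db-server": "12.4",
}

# Constructed sample advisories: the version that carries the fix and the
# date the fix became available (the start of the exposure window).
ADVISORIES = [
    {"id": "ADV-2023-001", "component": "pacs-viewer", "fixed_in": "4.2.3",
     "published": date(2023, 3, 1), "severity": "critical"},
    {"id": "ADV-2023-002", "component": "hl7-gateway", "fixed_in": "2.8.5",
     "published": date(2023, 1, 15), "severity": "high"},
    {"id": "ADV-2023-003", "component": "db-server", "fixed_in": "12.4",
     "published": date(2023, 2, 10), "severity": "medium"},
    {"id": "ADV-2023-004", "component": "db-server", "fixed_in": "12.5",
     "published": date(2023, 5, 20), "severity": "high"},
    {"id": "ADV-2023-005", "component": "lab-interface", "fixed_in": "1.0.2",
     "published": date(2023, 4, 2), "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Fixed "today" so the report is reproducible; a real run would use date.today().
REPORT_DATE = date(2023, 6, 1)


def parse_version(text):
    """Turn a dotted numeric version such as '4.2.1' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def version_lt(installed, fixed_in):
    """True if `installed` is strictly older than `fixed_in`.

    Both tuples are zero-padded to the same length so that '12.4' and
    '12.4.0' compare equal rather than '12.4' appearing older.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory, advisories, today):
    """Return advisories whose fix has not been applied, worst first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is None:
            continue  # component not deployed here; advisory does not apply
        if not version_lt(installed, adv["fixed_in"]):
            continue  # already at or beyond the fixed version
        findings.append({
            "advisory": adv["id"],
            "component": adv["component"],
            "installed": installed,
            "fixed_in": adv["fixed_in"],
            "severity": adv["severity"],
            "days_exposed": (today - adv["published"]).days,
        })
    # Highest severity first; within a severity, the longest-open gap first.
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99),
                                 -f["days_exposed"]))
    return findings


def run_report():
    """Run the check over the constructed sample data."""
    return find_unpatched(INVENTORY, ADVISORIES, REPORT_DATE)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['severity']:<8} {f['advisory']}  {f['component']} "
              f"{f['installed']} -> {f['fixed_in']}  "
              f"(fix available for {f['days_exposed']} days)")
```

Two details matter more than they look. Versions are compared as padded integer tuples, so a component at exactly the fixed version is not flagged and "12.4" is not mistaken for something older than "12.4.0". And the report carries the number of days the fix has been available, which is the figure to watch when, as Walsh describes, vendor testing and sales concerns slow patches down: a long-open critical gap is the one a risk assessment should surface first.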
Data security is always important, whatever the field, and with a few simple points in mind, almost any system, healthcare or otherwise, can be kept a good deal safer. Hacking risk can never be completely eliminated, but there is always a way to make a system safer.
Edited by Rory J. Thompson