When it comes to managing the security of their data and business-technology systems, many healthcare enterprises focus heavily on regulatory compliance efforts, such as their HIPAA security and patient privacy mandates. This is for an excellent reason — noncompliance can lead to costly fines and the ire of regulators. While it’s likely that focusing on regulatory compliance can incrementally improve security, that shift alone won’t take the organization to the level of security maturity it needs to have to protect against today’s threats such as ransomware.
To effectively mitigate cybersecurity risks, the overall objective should be to reach a level of maturity at which the organization can proactively attempt to stop breaches and, if breaches do occur, respond quickly in a way that limits their impact.
This isn’t to say that HIPAA compliance is not important. The challenge arises when compliance becomes the emphasis, rather than risk mitigation through adequate security. We have seen time and time again organizations dealing with breaches despite countless compliance mandates, whether HIPAA, Sarbanes-Oxley, PCI DSS, state data breach disclosure laws, or the many state, industry-specific, and increasingly international data governance laws.
Another issue that often occurs is when organizations focus more on satisfying regulators through “checking the boxes” but don’t put a true plan in place.
For example, consider incident response as it relates to HIPAA compliance. Organizations are required to put security monitoring in place and set up an incident response plan to mitigate any potential damage associated with successful attacks. This can include listing a response team, developing response playbooks, and even conducting periodic tabletop exercises. But if the security monitoring isn’t proactive and the tabletop exercises aren’t realistic to real-world incidents, the program is unlikely to do much more than satisfy regulators.
Another consideration is something as seemingly straightforward as asset inventory updates. Periodic updates, especially once a quarter or annually, are certainly not enough. Doing so is like trying to navigate unfamiliar geography using an old map. Ideally, security teams should conduct continuous asset monitoring. When an incident does occur, responders are then able to instantly understand the nature and the value of the assets and any data they manage or store. They also won’t be surprised by assets being infiltrated that they didn’t even know were being used.
The same is true when it comes to threats. In addition to advanced threat prevention, proactive detection and response is critical to finding breaches in their earlier stages and can mean the difference between a small security incident and a major security event with costly fines. When it comes to effective response, healthcare organizations are increasingly deploying endpoint detection and response (EDR) tools, an assembly of security tools designed for in-house security teams to respond to security incidents. These tools should be integrated and provide continuous monitoring and collection of endpoint security data, which is quickly analyzed to mount a swift, effective, and often automated response.
EDR tools also can help security teams automate some response actions, which can help alleviate pressure on security teams who are often under-staffed. Automated response actions can include blocking access to a malicious IP, sending an alert to the right security analyst, gathering valuable forensics data, and any other steps the organization can reasonably automate.
The challenge with EDR tools is that they require knowledgeable in-house security experts to run. Without that in-house expertise, which many healthcare organizations lack, they won’t get the value and protection they otherwise could.
This is why more organizations are turning to managed detection and response (MDR), where a managed security services provider delivers the EDR tools, team, and processes needed to deliver EDR as a service. The provider augments in-house security teams with capabilities that internal teams have difficulty providing on their own.
Whether an organization chooses to run its own EDR program or partner with an MDR provider doesn’t matter. What matters, and this is true for all security investments, is that the focus isn’t on just satisfying a regulatory checkbox or an auditor, but that the program is designed, established, and implemented in a way that mitigates risk and reduces an attacker’s chances of success.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.