Tuesday, September 1, 2015
Vulnerability Management – ‘Do unto yourself before others do unto you’
By: Susan Pretnar, President at KeySys Health LLC
Not a perfect translation from the law of the prophets, but a meaningful aphorism for managing electronic information system security risks. For those who really have no idea what vulnerability management means, very simply stated, it means ‘hack’ your own systems before you become the ‘hackee’.
The idea of finding and killing your own snakes makes perfect business sense in the ever expanding online and internet saturated environment that healthcare entities are operating in today. Unfortunately, the industry is only recently awakening to the realization that their networks, databases and information systems are vulnerable to attack from external malicious threats, regardless of their size or specialty.
Based on security readiness surveys and breach statistics, one could assume that practices using electronic systems really don’t value investment in infrastructure and data security. Healthcare is notorious for taking eons to change direction, but rather than paint everyone with the same brush, let’s take the position that most just don’t understand what is needed, or they’re distrustful of the advice offered by their vendors. The recommended solutions invariably cost money: penetration tests, system scans, continuous monitoring.
There are several actions that need to be accomplished to design a solid vulnerability management process for the digitized protected health information that you create, maintain, share or transmit. Although not all inclusive, here are some basic fundamentals:
a.) Identify all applications, servers, and devices that make up your IT network and operations, and identify business partners that extend your risk. Assure your software licenses and security certificates have not expired;
b.) Define your endpoints or ‘perimeter’: where is PHI data coming from, where it is going and where and how is it maintained or archived. The old, forgotten backup files are snakes that have bitten several;
c.) Determine the effectiveness of your identity management process, especially ‘privileged user‘ access to operating systems, databases, networks, etc. Review your basic authentication procedures for new users and ongoing access control;
d.) Review the standards used for your device and server configurations and the effectiveness of your patch management process;
e.) Organize your IT systems into groups (routers & hubs, servers, firewalls, applications, etc.) and determine what automated tools you have in place to monitor them.
If you contract for IT support, establish an IT Security Audit Plan with them and modify it when you change your network or introduce new technology. Include periodic ‘scanning’ of network servers and devices, reflecting the status of patches to all devices and applications, and conduct a penetration test (recommended by NIST at least once every 3 years) to satisfy HIPAA requirements. Sadly, a penetration test is costly and only a snapshot at one point in time. Do the penetration test after you are satisfied that you have built the best network you can afford, then monitor with frequent scans of your IT network and information systems to assure it stays secure.
Vulnerability management is a constant need in healthcare as with any line of business. It should be designed to assure regulatory compliance, but more importantly, to protect your business operations as well as the patient protected health information you generate continuously. There are many tools to assist the monitoring process, but don’t underestimate the obvious vulnerabilities of weak passwords and poor security training that results in human failures to recognize phishing expeditions by the bad guys.