Enabling the Promise of Secure Health

With an unsustainable growth rate that consumes 18% of the U.S. gross domestic product, the healthcare industry is at a “tipping point” for fundamental change. Technology will be the enabler for the next generation of care. However, healthcare faces unique challenges because it is a highly complex and dispersed industry with a vast and fragmented ecosystem. Its diverse professional and patient population requires the ability to share mission-critical health data quickly, accurately and securely.

The next generation of healthcare retains the priorities of patient safety and quality of service. However, while delivering care, providers must also protect the integrity of patient records, ensure the constant availability of life-saving technologies, and maintain the systems that support critical functions in their facilities. Any disruption in healthcare information systems can have severe consequences, including harm to patient safety and loss of revenue.

Given the rising number of breaches we see in the healthcare segment, healthcare organizations with poorly defined or incomplete security programs may find themselves facing long lists of audit findings and security gaps.

Security is not just about technology, and simply throwing money at the problem does not work. Without a clearly defined strategy, spending will deplete security budgets without significantly improving the overall security posture.

A security strategy must help ensure that the enterprise investment in security is properly sized to known threats and the business's risk tolerance, i.e. neither over- nor under-engineered. In addition, a programmatic approach to security governance has been shown to integrate compliance activities that are typically distinct or disjoint, often resulting in a more cost-effective and efficient governance and compliance program and framework.

So where should organizations focus their security investments?

1. Application Security

The healthcare industry depends heavily on automation and technological advances that require the use of software. Healthcare applications have been integrated into almost every aspect of patient care, from scheduling to monitoring life-saving devices. However, the primary focus when developing this technology is generally functionality, not security. Application testing should combine both automated and manual methods to probe for known vulnerabilities and undiscovered exposures. Specific techniques will vary based on the mobile platform, the purpose of the application(s), the coding practices and quality of the application(s), and the unique deployment environment.

Activity to be performed

  • Minimize risk within applications through multi-layer application code reviews, database configuration reviews, and reviews of both thick clients and web applications. This assessment is typically a holistic and prioritized approach to testing applications, including mobile applications, that reduces your overall risks and associated remediation costs.

2. Vulnerability Testing

The availability of healthcare applications and systems can be significantly impacted by malware that propagates through a missing security patch or an error in configuration. Additionally, system and application vulnerabilities may significantly increase the risk of unauthorized access to patient or otherwise sensitive data.

Activity to be performed

  • Perform an internal vulnerability assessment combined with expert manual testing.
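The missing-patch case above is the part of a vulnerability assessment that is easiest to automate and easiest to get wrong. The following Python script is an added illustration, not code from the original post or from AT&T: it compares a constructed software inventory against a constructed table of minimum patched versions and lists the hosts still exposed, most severe first. The package names, version numbers, host names and severities are placeholders invented for the example, not real advisories. The one design point worth noticing is that versions are compared component by component as numbers, because a plain string comparison would rank "2.4.9" above "2.4.10" and silently hide an unpatched host.

```python
"""Patch-gap check over a software inventory (added illustration, not part of the post).

Compares the installed version of each package on each host against a
constructed table of minimum patched versions and reports the hosts that
are still below that baseline. Versions are compared numerically per
component, not lexically, so "2.4.10" correctly sorts after "2.4.9".
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: package -> (minimum patched version, severity).
# Hypothetical placeholder entries, not real advisories.
PATCHED_BASELINE: Dict[str, Tuple[str, str]] = {
    "openssl": ("1.0.1g", "critical"),
    "apache-httpd": ("2.4.10", "high"),
    "java-runtime": ("7.0.51", "high"),
}

# Constructed inventory, one record per host and package (hypothetical hosts).
INVENTORY: List[Dict[str, str]] = [
    {"host": "ehr-app-01", "package": "openssl", "version": "1.0.1f"},
    {"host": "ehr-app-01", "package": "apache-httpd", "version": "2.4.12"},
    {"host": "pacs-srv-02", "package": "java-runtime", "version": "7.0.45"},
    {"host": "pacs-srv-02", "package": "openssl", "version": "1.0.2"},
    {"host": "lab-ws-07", "package": "apache-httpd", "version": "2.4.9"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version: str) -> Tuple:
    """Turn '1.0.1g' into ((0,1),(0,0),(0,1),(1,'g')) so that numeric parts
    compare as integers and a trailing letter suffix sorts after its base."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is strictly below the patched minimum."""
    return version_key(installed) < version_key(minimum)


def find_exposed(inventory: List[Dict[str, str]],
                 baseline: Dict[str, Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return inventory records running below the baseline, annotated with the
    required version and severity, ordered most severe first, then by host."""
    findings = []
    for rec in inventory:
        entry = baseline.get(rec["package"])
        if entry is None:
            continue  # package not covered by the baseline: nothing to report
        minimum, severity = entry
        if is_outdated(rec["version"], minimum):
            findings.append({**rec, "required": minimum, "severity": severity})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in find_exposed(INVENTORY, PATCHED_BASELINE):
        print(f"{f['severity']:9} {f['host']:12} {f['package']:13} "
              f"installed {f['version']}, requires {f['required']}")
```

Run as a script it prints three findings: the critical OpenSSL gap on ehr-app-01, then the two high-severity gaps on lab-ws-07 and pacs-srv-02. The lab-ws-07 line is the one a naive string comparison would have missed. In practice the baseline would be fed from vendor advisories and the inventory from an agent or authenticated scan, and the output would go to the ticketing system rather than stdout.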

3. Compliance with regulatory requirements

Conducting risk assessments has been part of security industry best practice for several years, and is a required control within multiple security and audit frameworks. Recent regulatory changes have made it clear that risk assessments are also required for organizations affected by the HIPAA / HITECH laws, and are required for achieving the Meaningful Use objectives defined as part of ARRA.

Activity to be performed

  • Conduct an annual risk assessment using a programmatic risk management framework, and, where this has not yet been done, adopt risk assessment in an organized and consistent fashion. An example of a risk management framework is the ISO 27005 risk management framework for healthcare.

4. Securing healthcare data on mobile devices

Recently, ONC’s Office of the Chief Privacy Officer (OCPO), in collaboration with the HHS Office for Civil Rights (OCR), launched a Privacy & Security Mobile Device project. The project goal is to better secure and protect health information on mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule – Remote Use Guidance, the project is designed to identify privacy and security best practices for devices that are used outside healthcare facilities or that are not directly under IT department control.

To enable effective and secure information sharing, healthcare organizations require a clear, consistent ability to identify sensitive information and determine its proper handling. This is achieved by developing a mobile device management security strategy. It is important to use a well-thought-out security strategy rather than technology alone to meet your security needs. Strategy involves people, process and technology to provide a holistic security framework for your organization.

Activity to be performed

  • Develop and adopt a mobility security strategy that works for your organization’s goals. Organizations need to comprehensively assess their approach to security on mobile devices, and leverage well-tested methodologies to examine how they plan to move forward, how mobility will be part of that strategic direction, and how security should be considered and integrated to support the business.

Cyber security is no longer just about protecting assets. It’s about enabling organizations to take full advantage of the vast opportunities that the ecosystem of cyberspace now offers for business, government and virtually every aspect of our society.

What are some of the 2012 security initiatives that you are working on? We would love to hear from you.
Bindu Sundaresan, Strategic Security Solutions Lead, AT&T