Security: A Checklist for Being Prepared
If we have learned anything over the years of working with healthcare providers (65% of our customers are either providers or Business Associates), it is that IT security is paramount. Almost every fine is the result of a breach of IT security that was (and is) preventable, or at a minimum could have been mitigated.
We know that hackers are always one step ahead, so the entire IT security industry is always playing catch-up. It is similar to thieves: if they want to get in, they will. You can't stop someone who is determined, as they are working tirelessly to find a way in, and with the pervasiveness of technology criminals have billions of targets globally instead of a few targets locally. So we are all targets on any device we carry that is ever connected to the public internet, and that is now simply a fact.
So the purpose of this short post is for you to consider whether you are prepared. Take a few moments and look at each of these with your leadership team, your executives and your board, or whatever is equivalent in your organization. Evaluate yourself against these questions, and then speak with your IT team or outsourced partner and develop a plan for how you will address each area. Remember, what auditors (especially regulators) are looking for isn't usually perfection, but that a business is taking it seriously: consistently evaluating risk, addressing risks with a plan and then making consistent progress towards the goals.
IT Policies: Every organization should take a policy-driven approach to managing IT. Policies define the "ground rules" and establish the playbook for how IT will be managed and used, what is acceptable, etc.
- Do you have basic IT policies and procedures around Acceptable Use, Email Use, Backups, Facility Security, Software Patch Management and User Access and Access Termination?
- Do you have industry-specific IT policies, such as those required by the HIPAA Security Rule as defined by the HITECH Act? Here is a good checklist from the HIPAA Journal.
Security Software: There is a basic set of tools that every business should run to ensure they are protecting their critical IT assets.
- Do you have updated antivirus and anti-malware software on ALL of your endpoints? Endpoints are any devices connected to your network that can run AV software, such as PCs, tablets and smartphones.
- Do you have antivirus/anti-malware software that can scan incoming and outgoing connections and stop known threats?
- Do you have intrusion prevention and detection systems that scan all inbound and outbound traffic for anomalies and known vulnerabilities, and then block and/or alert on these threats?
- Do you have web/internet content filtering systems in place, at both the network and device layers, that protect all endpoints from accessing sites known to carry malware, viruses and other security threats?
- Do you have regular patch management for your critical software, including operating systems on servers and workstations, software with known security issues such as Adobe and Java, your mission-critical business applications, and the underlying technology such as databases?
Training and Awareness:
- Have you trained all employees on general privacy and IT security relating to ePHI, ePII, etc.?
- Do you have an onboarding process that you consistently follow that includes privacy and security training for all new hires?
- Do employees know what to do in the event of a suspected security incident, such as contracting a virus, malware or ransomware?
- Do you perform ongoing privacy and security awareness training for your staff at least semi-annually?
- Do you have a means of requiring, tracking and evaluating retention of employee training on these topics?
Backup and Disaster Recovery:
- Do you have a disaster recovery and business resumption plan?
- Do you have satisfactory recovery time and recovery point objectives (RTO and RPO)?
- Have you tested your plan at least annually, documented the test, and identified weaknesses and remediation plans?
- Do you have an individual, and a team, in charge of administering your DR/BC plan?
- Have you communicated to your entire staff that you have a plan, what the plan is, who to contact in the event of a disaster, etc.? Basically, have you trained your staff?
- Does your plan include how you will communicate with your staff, patients, community, etc.?
- Does your backup strategy include encrypting all of your data, both at rest and in transit?
Identity and Access Management:
- Do you have separate logins for all employees, contractors and third-party providers?
- Is everyone ONLY given access to the information and systems they need to do their job?
- Do you review users, identity, logins and security settings on a regular basis, at least quarterly?
- Do you require passwords to be changed at least every 90 days?
- Do you require the use of long and/or complex passwords or passphrases?
- Do you employ any type of multi-factor authentication for access to critical systems?