[BreachExchange] Achieving Compliance in the Ever-Mobile Healthcare Industry

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 12 19:09:27 EDT 2017


http://www.cio.com/article/3207724/mobile/achieving-compliance-in-the-ever-mobile-healthcare-industry.html

Not only are cloud-delivered, software-defined network solutions
progressing the healthcare industry by introducing network mobility to
mobile clinics, ambulatory applications, and traveling doctors, but these
network solutions are also improving the security of patients’ private
information.

Leaders in the healthcare field recognize that these evolving network
technologies are necessary for ensuring and affording compliance.
Compliance challenges include keeping medical and financial data accessible
yet secure and making the most of the limited resources in the face of
potentially expensive solutions. Healthcare organizations must be proactive
in their designs to ensure compliance, rather than being reactive after the
fact.

BRING MOBILITY TO HEALTHCARE & REMAIN HIPAA & PCI COMPLIANT

PRIVACY & DATA SECURITY

Software-defined WAN solutions provide the level of privacy and data
security required by the Health Insurance Portability and Accountability
Act (HIPAA). Mobile workers stay connected to the network via flexible,
highly available SD-WAN, meaning they no longer need to store patient
medical records on devices such as laptops, which present significant
security risks if lost or stolen. Instead, healthcare organizations can
store patient records in the cloud or back at the private data center,
thereby allowing access and transmission for better care, but not actual
possession of patient medical information whenever a mobile care provider
needs it.

The primary focus of HIPAA is to ensure the privacy and security of medical
information while making it easier to transfer from provider to provider in
a secure way. Protecting patient records is critical, as the records have
become an increasingly valuable target over time. In fact, Reuters
reported that “your medical information is worth 10 times more than your
credit card number on the black market.”

A recent Forbes article stated, “in 2016, 450 breaches occurred, affecting
27 million patient records. Of those, 120 incidents resulted from outside
hacking, while 200 - over 65 percent more - came from insider
actions.” Medical information is so valuable because healthcare records
don’t change, they are accurate for a lifetime. The uses of this data are
also wide reaching and lucrative to the bad actors stealing the
information. Uses include identity theft, false medical claims and drug
purchases.

The software-defined WAN solutions protect private information in
healthcare organizations that struggle to apply the correct security
standards in environments such as mobile healthcare, small clinics, or in
small, independent physician’s offices. Medical professionals who operate
and work at a mobile blood bank, for example, frequently set up at a
different site every day.  Software-defined WAN enables them to connect to
a network in different locations, securely transmit health data remotely to
the datacenter, and move away from storing personal health information on
laptops and other mobile devices that could be breached, lost, or stolen.

Cloud-delivered, software-defined network solutions combine strong
end-to-end encryption, auto-PKI, and machine authentication with a fully
cloaked private address space and micro‑segmentation capabilities, while
offering the security of a private network over the public Internet.

From a hardware standpoint, routing solutions can make it possible to
create separate, parallel networks and keep data subject to HIPAA
compliance on a completely different network from, for example, the network
that employees use to access their email. This air-gapped separation helps
mitigate the possibility that a hacker could gain access to patient health
records by breaching a weakly secured or risky application.

Overall, these solutions allow medical professionals, such as those working
in the mobile blood bank, to function as needed while still gathering,
storing, and transmitting medical information in a way that remains secure,
regardless of their physical location.

FINANCIAL PROTECTION

While HIPAA Compliance is focused primarily on healthcare organizations,
Payment Card Industry (PCI) Compliance standards must be met across all
industries. Essentially, any company or organization that accepts credit
card transactions must meet and follow strict guidelines around security
and data protection.

Healthcare organizations must manage PCI requirements in ways that support
and work with HIPAA Compliance measures. Fortunately, the same solutions
that enable HIPAA Compliance also help organizations meet PCI Compliance
requirements.

A care provider who visits a patient at home, for example, can process any
necessary payments on the spot through the same secure laptop and network
connection being used to access and update the patient’s medical record.
Also, patients making payments at a clinic, doctor’s office, or even
emergency department can rest assured that their financial transaction and
data is kept secure throughout the entire payment process.

Ensuring your healthcare organization is both HIPAA and PCI compliant
also provides financial protection by eliminating the costly fines, fees,
legal penalties, and other expenses that may result from compliance
violations.

BIG SUPPORT FOR SMALLER CLINICS

Given the complexity of HIPAA and PCI requirements, it’s no surprise that
even the biggest healthcare organizations struggle with compliance. For
smaller clinics, medical offices, and providers with limited resources,
these compliance challenges can seem even more overwhelming.

Instead of presenting a challenge, however, software-defined networking
technology provides a cost-effective solution.  Healthcare organizations
using software-defined networking technology can deploy a VPN that allows a
therapist with an individual practice to ensure a secure financial
transaction at the end of a patient’s session. Additionally, the therapist
can securely store and share patient records with other providers — such as
psychologists, hospitals, and emergency responders — while keeping
communications private and secure.

As it becomes increasingly expensive for small-scale practitioners to take
on the risk of being noncompliant, network solutions that simplify the
building and management of network infrastructure can mitigate risk and
present a secure, cost-effective, reliable solution for HIPAA’s and PCI’s
complex requirements.