
Can You Protect Your Hospital Security By Partitioning It?


Hospital security strategists have talked about partitioning networks as a means to protect sensitive data from breaches and attacks for years now.

But in a world where we’re always focused on the perimeter, is partitioning off sensitive data, long a best practice, still as useful as it was before smart firewalls and monitoring?

In today’s dynamic environment—where your network’s perimeter is constantly evolving to withstand greater and greater attacks—having a backup to keep sensitive data secure is more important than ever. Note: many hospitals that we audit or assess ARE spending good money on state-of-the-art equipment. What we see is that the equipment usually is NOT configured properly, rendering it practically useless as a result. Experts recommend ransomware assessments—security assessments that look at your hospital’s vulnerability from the standpoint of what cybercriminals are doing today to breach your network boundary and attack your devices and files.

With a combination of changing requirements for hospital security, evolving threats and points of attack AND new devices connecting to your network—leaving more risks and more burden on you to make sure your files are secure—it’s more important today than it has been previously to ensure your protected data is secure. It’s also more complex and challenging to devise strategies to secure that data.

Otherwise, you may risk ending up with a variety of strategies that fail to work together towards a goal of making data accessible, secure and private. What you need is a way to make data easy to work with, but secure from people that shouldn’t see it (hint… this IS part of Meaningful Use Stage 3!).

Having grown up in Michigan, I like to reference Henry Ford in situations like this.

“Nothing is particularly hard if you divide it into small steps.” The nature of keeping data secure and accessible is out there (we’ve actually been able to help hospitals figure out the friendliest way to secure their systems and data, while conforming security to their internal processes and procedures).

It’s all about heeding Ford’s advice—breaking up our security problem into digestible, understandable pieces. To start wrapping your head around how to go about keeping your hospital’s PHI secure, here are three digestible steps to help work toward that goal:

Define your objectives—lay out a clear roadmap as to what you hope to achieve through partitioning your network. What hospital and security issues are driving the need for partitioning your network? What practices do you have in place to define where PHI or other sensitive data is located? What data is critical to your hospital’s operations? How are you currently leveraging technology to avoid threats to sensitive data or data critical to operations?

Identify, classify and prioritize your objectives—work closely with team leads that directly interact with specific types of sensitive information. Classify your sensitive data by business impact, risk to the organization if leaked or lost, or any regulatory concerns associated with how that data is used or transmitted.

Gain visibility to support and augment your strategy—create visibility into specifically how your data is being accessed and used. Make sure your t’s are all crossed. Monitor, analyze and report on any concerns that arise.

Bottom line: be systematic in how you approach securing your sensitive data. If you’ve been taking the mindset of “We’ve bought a state-of-the-art firewall. We’re safe”, you might want to reconsider.

If you buy the most expensive X-ray machine on the market, will your radiologist be able to better diagnose bone fractures? Perhaps. But doesn’t that also rely on the skill, devotion and attentiveness of the specific radiologist? If he or she was too busy to really look at an image or was never trained in diagnosing a specific problem, would that expensive machine really help your patient?

If you gave that fancy X-ray machine to a technician just starting his or her training, would having the best equipment really help him or her figure out if or what the problem is?

Technology is good and useful—don’t get me wrong. But understanding how to use it is even more powerful.

What we see in hospitals today is that you are buying some of the most high-tech and fancy security technology, but often it’s left misconfigured or left to its own devices. When I pick up my red phone—the phone on my desk that only rings when someone has a major problem—nine times out of ten, they had the technology and they thought they had their security covered. BUT they actually were leaving their data exposed (data breaches) or their networks under-protected (misconfigurations and partitioning).

Can your hospital risk a breach or attack? Contact Us TODAY for a free ransomware vulnerability assessment.