Healthcare Information Security Case Study
Amy is a new CSO – elevated there after a breach.
She’s responsible for several rehabilitation facilities and a growing mobile practice.
Information Security Concern
Amy and her team developed a list of four critical issues they needed to address quickly:
- Demonstrating security/compliance with a number of different standards (e.g., BITS, ISO 27002, PCI) to satisfy third-party agreements with their partners as well as internal requirements.
- Protecting patient information for an increasingly mobile workforce, all equipped with mobile computing devices.
- Ensuring that their move to a new Electronic Medical Records system was done in a manner that would address HIPAA and HITECH requirements.
- “Cleaning up” their policies, standards, and procedures, then updating them for their new EHR, new technologies like tablet computers, and new services offered.
Information Security Approach
Pivot Point Security worked with Amy and her team to analyze various options, and helped them come up with the right combination of activities to meet their specific requirements.
Amy and her team decided to:
- Conduct a Gap Assessment to get a measure of security and compliance challenges. Use the BITS Shared Assessment (which is essentially ISO 27002) because one of their contracts specifically referenced it. Map the controls to other standards that were important to her organization (PCI, HIPAA) so that all of their compliance requirements were addressed with a single control assessment.
- Extend the Gap Assessment to look at the new EHR before moving it into operation. To ensure that the actual application was secure, conduct Vulnerability Assessments against the Web Application and the underlying database. Based on the results of the Vulnerability Assessment, extend the project to include a limited Application Penetration Test to demonstrate problems to the system integrator and EMR vendor.
- Perform a “mini” Risk Assessment relating to mobile computing, leveraging Secure Data Flow Diagrams to understand how ePHI transits their systems, the processes that act on it, and the controls that the confidentiality and integrity of the data rely on. The approach made it simple to identify gaps and make control improvements to close them.
- Develop a prioritized remediation plan across all of the findings to ensure security and compliance are addressed in a holistic way.
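The data-flow step above is the one that lends itself to a worked illustration: once ePHI flows, the systems that touch them, and the controls each relies on are written down, finding gaps is a mechanical walk over the diagram. The following is an added example, not Pivot Point Security's method or tooling and not code from this engagement. The Node/Flow model, the control names, the REQUIRED_* expectation sets and the sample mobile-practice diagram are all constructed for the example; it flags ePHI stores and flows missing an expected control, and follows ePHI-carrying flows to surface systems that receive ePHI without having been declared in scope.

```python
"""Gap-finding over a secure data-flow diagram for ePHI (constructed example).

Nodes are systems or processes, flows are directed edges between them. Each
carries the controls the assessment found in place. The checks below report
where expected confidentiality/integrity controls are absent and where ePHI
reaches a system that was not declared as handling it.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Node:
    """A system or process in the diagram (assumed model, not a standard's)."""
    name: str
    handles_ephi: bool          # declared in scope of the assessment
    stores_ephi: bool = False   # persists ePHI, so at-rest controls apply
    controls: set = field(default_factory=set)


@dataclass
class Flow:
    """A directed data flow between two nodes."""
    src: str
    dst: str
    carries_ephi: bool
    controls: set = field(default_factory=set)


# Expected controls (assumed names; not control IDs from BITS, ISO or HIPAA).
REQUIRED_AT_REST = {"encryption_at_rest", "access_control", "audit_logging"}
REQUIRED_IN_TRANSIT = {"tls", "mutual_auth"}  # confidentiality + endpoint authenticity


def find_gaps(nodes, flows):
    """Return (kind, where, missing_control) for every unmet expectation."""
    gaps = []
    for n in nodes:
        if n.stores_ephi:
            for c in sorted(REQUIRED_AT_REST - n.controls):
                gaps.append(("node", n.name, c))
    for f in flows:
        if f.carries_ephi:
            for c in sorted(REQUIRED_IN_TRANSIT - f.controls):
                gaps.append(("flow", f"{f.src}->{f.dst}", c))
    return gaps


def undeclared_ephi_handlers(nodes, flows, sources):
    """Breadth-first walk along ePHI-carrying flows from the given sources;
    return nodes that receive ePHI but were not declared as handling it."""
    declared = {n.name for n in nodes if n.handles_ephi}
    out_edges = {}
    for f in flows:
        if f.carries_ephi:
            out_edges.setdefault(f.src, []).append(f.dst)
    seen, queue = set(sources), deque(sources)
    while queue:
        cur = queue.popleft()
        for nxt in out_edges.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(n for n in seen if n not in declared and n not in sources)


# Constructed sample diagram: clinician tablet -> EHR web tier -> EHR database,
# with a side flow from the web tier into a billing system.
SAMPLE_NODES = [
    Node("tablet", handles_ephi=True, stores_ephi=True,
         controls={"encryption_at_rest", "access_control"}),
    Node("ehr_web", handles_ephi=True,
         controls={"access_control", "audit_logging"}),
    Node("ehr_db", handles_ephi=True, stores_ephi=True,
         controls={"encryption_at_rest", "access_control", "audit_logging"}),
    Node("billing", handles_ephi=False),   # never put in scope
]
SAMPLE_FLOWS = [
    Flow("tablet", "ehr_web", carries_ephi=True, controls={"tls", "mutual_auth"}),
    Flow("ehr_web", "ehr_db", carries_ephi=True, controls={"mutual_auth"}),
    Flow("ehr_web", "billing", carries_ephi=True, controls={"tls"}),
]


if __name__ == "__main__":
    for kind, where, control in find_gaps(SAMPLE_NODES, SAMPLE_FLOWS):
        print(f"GAP  {kind:4} {where:18} missing {control}")
    for name in undeclared_ephi_handlers(SAMPLE_NODES, SAMPLE_FLOWS, ["tablet"]):
        print(f"SCOPE {name} receives ePHI but is not declared as handling it")
```

On the sample diagram this reports the tablet's offline cache without audit logging, the web-to-database hop without TLS, the billing flow without endpoint authentication, and the billing system itself as an undeclared ePHI handler. That last finding is the point of drawing the flows before assessing controls: a control review scoped to the declared EHR components alone would never have looked at billing.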
We continue to work with Amy, acting as “on-call” SMEs (Subject Matter Experts) as required while she and her team execute on the remediation plan, including supporting and validating Information Security Management System (ISMS) documentation. Still to execute:
- Setting up a Vulnerability Assessment program to reduce risk between annual assessments
- Better leveraging their Security Event Management program to minimize the chance of an ePHI data breach
- Considering migrating to either ISO-27001 or HITRUST in the longer term
You might say that their information security prognosis is excellent!