Analyst Perspective: Healthcare Compliance And Active Directory
Recently, I had the chance to chat with Tod Ferran, IT Security Auditor, CISSP and QSA at SecurityMetrics, regarding the state of HIPAA and PCI compliance. SecurityMetrics employs 400 people and performs risk analyses for companies ranging from 1-2 practitioners to thousands of employees. They’ve worked on over one million projects centered around HIPAA, PCI, and Business Associate compliance. Services include risk analysis and management plans specifically for compliance, data security consulting and testing, and training. Some of their larger health care customers include the Utah Health Information Network and the Children’s Hospital of Norfolk, VA.
SecurityMetrics has seen an increased focus on security in the healthcare and retail markets following publicized data breaches at Anthem, Target and Home Depot. Much of the news is around credit card PCI breaches, but the Washington Post recently reported that there have been 944 incidents affecting personal health information (PHI) from about 30.1 million people since federal reporting requirements began in 2009. This does not account for the 80 million affected by the Anthem breach.
According to Ferran, the security implications within healthcare are much more severe than the retail sector given the amount of personal data available, including social security numbers, birthdates, addresses and medical histories. To further illustrate this point, a recent study cites the direct costs associated with the breach of healthcare records is $359 per record as opposed to $201 per record for other industries in the US.
PHI breaches can also have a significant impact on a healthcare provider’s reputation and future revenue. A recent TransUnion Healthcare survey indicated 73% of consumers ages 18-34 would likely switch healthcare providers if their current provider experienced a data breach. To make matters worse, many insurance companies are not covering these liabilities if providers are found negligent in complying with federal HIPAA requirements. Despite the consequences, during a 2011 random audit performed by the Department of Health and Human Services (HHS), 98% of healthcare providers audited for the HIPAA Security Rule had at least one negative finding. With HHS fines starting at 1.5 million dollars per violation (max of 7.5 million total), many healthcare providers are left figuring out what to do first.
Clearly, risk avoidance is one reason providers are taking more stringent security measures to become compliant. Others include:
- Meaningful Use incentives
- Remediation following an audit or breach
Due to the complicated nature of HIPAA compliance, which combines process, policy and technology controls, healthcare providers typically seek professional advice. For SecurityMetrics, HIPAA compliance involves a thorough risk analysis that can be performed in 3-4 hours for a small practice and take up to a full week of onsite auditors for larger organizations with multiple autonomous groups and clinics. Following the analysis, Ferran’s team produces a report called a Risk Management Plan, which serves as a heat map, identifying all vulnerabilities and ranking them in order of risk. Based on these experiences and industry data, most data breaches occur due to the following issues surrounding user management and policy:
- Unapplied system updates
- Improperly assigned admin privileges
- Lack of application access management
The good news is that many of these common user and policy issues can be fulfilled through proper implementation of Microsoft Active Directory (AD). In fact, Ferran cited that despite alternative Linux-based user management solutions, it is very rare for him to come across a HIPAA compliant environment that is not using AD to manage users. The exception has been for small practices with less than 6 end users which can be managed individually as part of a workgroup despite the manual processes involved.
However, AD deployments within larger, distributed healthcare organizations become overly complex and costly when looking at it through a traditional domain and networking management lens. Whether you’re using an on-premise or cloud-based Electronic Medical Record (EMR) and other Protected Health Information (PHI) systems, being able to leverage AD to manage and control users and their devices—both inside and outside the office—is critical to achieving compliance.
Pertino helps organizations with their compliance challenges by enabling them to seamlessly extend AD services to remote offices and users. Cradlepoint with ADConnect lets remote users securely access PHI-related files and applications from anywhere while their devices remain constantly connected to the AD domain. As a result, AD policies, permissions, software updates, and password resets are pushed to remote users and devices in real-time, as smoothly as if the user was in the office.
Ready to give Pertino a try? Sign up for a 30-day free trial here.