Some of the most common phrases that come out of information security professional mouths include: “Well, that did not work” and “The project fell apart, and I don't know what I could have done better.” The pain of not knowing what security best practices your team can/should implement can cost the company time and money. It could also end up affecting the customer and making the business liable for damages that take years to pay off. When it comes to healthcare Information security, there are tons of ways of doing business. No matter what you implement, some of the results just do not come out the way you expected. So, the question is as follows: “What are the best top practices in healthcare information security?”
Here are some answers.
Technical Perspective: Train, train and train some more. Ensuring your staff is up-to-date on the latest threats out there is a great way to make everyone “eyes and ears” for the company. Empower them with information security education to let them know they have skin in the game, as well. Domain Access: Not everyone needs domain access. In fact, it does not matter if a person has a high title or several initiations after their name. That doesn't mean they should have domain access. Furthermore, giving the key to the king/queen is even a worse idea. Now the target on their back is even bigger. BYOD: If the company is allowing BYOD, then ensure that some sort of MDM solution is in place that containerizes the session when an employee accesses PHI and/or any PII. An area to look out for in the MDM space is the disabling of developer mode, which could render null and void the services provided by an MDM tool. AV: Do not only do "security" by checkboxes. Make sure all AV installations actually work, are up-to-date, and contain the correct configurations. Change management and tracking are needed: It does not matter how small or big the company is, change management is needed. Even if it's in an Excel spreadsheet. The smaller the firm/business is, the more it will need to know to figure out where to roll back to. For bigger companies, one would hope that there is enough tracking, monitoring, and checks and balances in place that effectively make change management integrated/fully adopted.
Cultural Perspective
Remove All Ego: Time and time again, there are experts in the industry that think they know it all. But at the end of the day, you are going to have to work with others and play nice. So remove your ego, get that chip off your shoulder, and provide value to the project, organization and/or job duty. Security Domains Are There for a Reason: No matter how you label them or name them, security domains are there for a reason – adhere to them. Respect and understand it as a baseline minimum. You might not have to like it, but it is there for a reason. Be as Transparent as You Can Be: Granted, there are just some areas of information security where you can not disclose information. However, if everyone knows what everyone is doing and how they are doing it, then the business can move along a lot faster and smoother. In recent projects, I have seen staff members hoarding information in the belief that it would mean job security. That is the wrong approach. Allow your team and/or business to know the status of a project and/or the business; doing so will sow the seeds for trust and respect. Small or Big, Know your Medical Regulations, Rules and Laws: Know your line of business, and furthermore, know the law that your line of business is going to be held to. The law is the law, so know it and the regulations, rules and guidelines. When adopting some of these recommendations, please take into consideration your business and your business needs. To learn more about how Tripwire can help secure your healthcare infrastructure and patient data, click here.
About the Author: Ricoh Danielson is a U.S. Army Combat Veteran of Iraq and Afghanistan. As a digital forensic expert in cell phone forensics for high profile criminal and civil cases, Ricoh has a heavy passion for information security and digital forensic that led him to start up his firm (Fortitude Tech LLC) in the middle of law school to become Phoenix’s heavy hitting digital forensic power house. He is also a graduate of Thomas Jefferson School of Law, Colorado Tech University, and UCLA Anderson School of Management. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.