Security and Compliance in Healthcare Organizations

HIPAA compliance

Ensuring Healthy Endpoint

As a healthcare organization continues to improve treatment and patient care with new technologies, hackers look to exploit the vulnerabilities that come along with these changes to strengthen their attack.

The biggest and most confounding challenge to enforcing security and compliance in a healthcare organization lies at the endpoints. As patient data grows, there is a greater need for healthcare providers, insurance companies and healthcare clearinghouses to obtain access to these records in a globally distributed environment, while still maintaining security and compliance standards across the board, on all remote workstations.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individually-identifiable health information. In addition, the HIPAA Security Rule specifies a series of administrative, physical and technical safeguards for covered entities to use, to ensure the confidentiality, integrity and availability of electronic protected health information. These include requiring permission to install new software agents on endpoints.

Protection of patient information from diverse threats is the core principal surrounding information security and compliance with HIPAA rules. The resulting difficulty in getting critical third-party software solutions to properly function, specifically those that are dependent upon agent technology, creates huge inefficiencies for IT operations in securing and managing healthcare endpoints.

Endpoint management is a necessity for any healthcare organization’s security arsenal. However, with evolving enterprise environments, many organizations are finding it difficult to meet their compliance objectives. Research indicates that on average 20%–30% of endpoints will fail a basic compliance check for those policies (e.g., HIPAA) that are required for safe and efficient endpoint operation. Considering that endpoints represent the most accessible access point to all data and assets on an organization’s networks, this failure represents a major vulnerability most organizations would prefer not to talk about – assuming they are even aware that the problem exists.

Unfortunately, avoiding the issue does not make it go away. These compliance breaches represent a ticking “time bomb” that virtually guarantees patient data will be compromised. After all, it doesn’t take too much connecting of the dots to understand how a risk turns into a breach if one in three organizations’ machines are not running Anti-Virus (AV), are not patched for a critical vulnerability, or are not running encryption and DLP solutions effectively.

Healthcare organizations must eliminate the vulnerabilities within their IT infrastructures. This requires solutions that provide 100% visibility and accuracy, without introducing additional risk onto each endpoint. There also needs to be a proactive approach to identifying, analyzing and remediating threats and violations to security and compliance that is easy and cost-effective to deploy and manage, and requires no change to existing systems or processes.

The bottom line is that healthcare organizations cannot be serious about HIPAA compliance without an agentless component in their IT processes and systems. Compliance cannot be achieved without 100% accurate visibility of the network at all times, and complete visibility cannot be guaranteed by relying solely on agent-based systems that can and are known to fail (typically 20%–30% of the time), especially where they are functioning on the network even though permissions to install the agent software has yet to be received and implemented.

Agent-based solutions are still required and will continue to play a leading role in the meeting of compliance and security objectives. However, the addition of agentless management to complement existing systems will guarantee 100% visibility of the internal healthcare network, so a blended environment is necessary going forward.