Best practices in applying security standards
A risk-based approach to IT security focuses efforts on the technical controls that are most appropriate, based on the risks the organization is exposed to. This approach depends on existing standards to provide flexible, scalable, and cost-effective techniques that improve healthcare organizations’ security posture over time.
With a billing vendor serving the industry's major lab companies at fault, the breach affects nearly every provider's patient population, and monitoring for losses after the fact is not a sufficient response. While that is just one event, healthcare data breaches cost the industry about $4 billion in 2019, and that number was expected to increase in 2020 [1]. The ever-growing volume of valuable online personal health information (PHI) creates an increasingly attractive target for hackers.
13.6% of breaches reported across all industries in Q1 2019 were specifically targeted against healthcare organizations.
67.6% of healthcare organizations that were breached during this period cannot report how many records were lost or exposed.
In 14.7% of all breaches involving medical records, the records were exposed through the Internet.
Critical steps in addressing these attacks include improved network and data configuration, maintenance, and management by covered entities (CEs) and business associates (BAs). This requires that they take a risk-based approach to technical best practices for IT risk mitigation, data security, and regulatory compliance. A risk-based approach to technical controls helps organizations be more efficient and cost-effective by identifying, and focusing effort on, the controls that are most appropriate for the risks the organization is actually exposed to. This approach depends on existing standards to provide flexible, scalable techniques that improve healthcare organizations' security posture over time.
Healthcare organizations are required to protect personal health information in all forms, including electronic PHI. The HIPAA Security Rule (45 CFR 164.304) describes multiple standards that define the technology, together with the policies and procedures for its use, that protect electronic PHI and control access to it.