The Two Tales of Remote Access Security

The Two Tales of Remote Access Security: Protection from Hackers, and Meeting Regulatory Requirements.

It’s all over the news - a new healthcare breach here, a new healthcare IT study there, that talks about how healthcare IT security needs to be a focus in 2019. Yet, we are already seeing more breaches in 2019 than ever before.

This could be due in part to the fact that as we shore up holes in our infrastructure, the savvy hackers find another way in. Or, it could be that while most healthcare leaders say security is a priority, it often falls further down the priority list.

You don’t have to look very far to find studies that say that improving the security of your network and data should be a priority. But, where do you start?

Some recent studies say that systems access management and remote access security need to be top priorities for 2019.

In fact, a recent report covered by Healthitsecurity.com examined the struggles Healthcare organizations have with cybersecurity preparations, saying third-party vendors accounted for more than 20% of breaches last year. Digging a little deeper, the report says,” The most common gaps among third-party vendors included risk assessment, access management, and governance.”

The ECRI study says that the top Health Technology Hazard of 2019 is that hackers can exploit remote access to systems, disrupting healthcare operations. I went into more detail about this study and topic in this blog post.

As reported by HealthcareITSecurity.com – Systems Access Management topped the list of threats in 2019. They reported that “…failing to ensure strong access control policies that revoke employee access after termination can lead to massive fines. Systems access management must be a priority in 2019 and beyond.

Another recent article in HealthcareITNews.com says that security should be a top priority for hospital CEOs. According to the article, "Security is important enough to be above everything else," said David Chou, a veteran hospital executive who is currently VP and principal analyst at Constellation Research.

These are just a few examples where the experts are saying cybersecurity, and remote access security in particular needs to be a focus now!

So, focusing on the topic of Securing Remote Access to your network, there are really two forces at play here:

1. Securing your network from hackers or malware to protect ePHI
2. Meeting regulatory requirements to avoid fines

A few places to start to protect your network from hackers: 

1. Have multi-factor authentication – if you do nothing else, you should do this.
2. Understand where you have gaps in your remote access security plan
3. Prioritize how your vendors and remote employees access your network (these should be similar if not the same)
4. Put tools and procedures in place to block access if certain security and access criteria are not met
5. Have multi-factor authentication. Yes, you already read that in #1, it's just that important to have multi-factor authentication!

Where to start to meet regulatory requirements:

1. Are you meeting the requirements that a valid Business Associate Agreement (BAA) be in place before allowing access to ePHI?
2. Are you verifying a valid BAA is in place with each remote access? (The HIPAA omnibus rule says that you must check each access for a valid BAA).

Most CIOs tell me that their compliance department handles the BAA process and turns the vendor over to them to grant network access once the BAA is in place. That manual process may work for the first access, but what about a year from now? Do you know for sure (and can you prove) that each person accessing your network has a valid BAA? Fines and penalties exist for healthcare organizations found guilty of negligence in the BAA process; especially when allowing vendors to remotely access their network.

Some additional questions to consider:

• How do you manage the BAA management process between multiple departments? Is this an automated or manual process?
• Even if you have a process in place for when the BAA is signed, how do you manage the multiple agreements months and years later?
• What will happen when you are audited? Can you prove that you check for a valid BAA with each remote access attempt? And further, can you block access if the BAA is out of date?

I heard a quote recently that said, "it’s not a matter of if you will be hacked, but when." That is a scary thought. Considering the recent estimates that say approximately 56% of healthcare provider organizations have experienced a vendor or third-party breach! It’s up to healthcare IT security leaders to do everything in their power to put safeguards in place as a deterrence. We are enablers of cyber-attacks when we do little or nothing to protect our valuable assets, PHI.

If you want to learn more about how to secure access to your network and how to manage vendor (and remote employee) access, I would be happy to meet with you. Click here to request a meeting.