The Two Tales of Remote Access Security: Protection from Hackers, and Meeting Regulatory Requirements.
It’s all over the news: a new healthcare breach here, a new healthcare IT study there saying that healthcare IT security needs to be a focus in 2020. In this era of COVID-19, hackers are unfortunately taking advantage of the situation, and we are seeing an increase in hacking attempts and phishing scams.
As we shore up holes in our infrastructure, the savvy hackers find another way in. While most healthcare leaders say security is a priority, it often falls further down the priority list, especially in a crisis.
You don’t have to look very far to find studies that say that improving the security of your network and data should be a priority. But where do you start? Today I am going to focus on the specific topic of securing remote access to your network.
Some recent studies say that systems access management and remote access security need to be top priorities for 2019 and 2020.
In fact, a recent report covered by Healthitsecurity.com examined the struggles healthcare organizations have with cybersecurity preparations, saying third-party vendors accounted for more than 20% of breaches last year. Digging a little deeper, the report says, "The most common gaps among third-party vendors included risk assessment, access management, and governance."
The ECRI study says that the top Health Technology Hazard of 2019 is that hackers can exploit remote access to systems, disrupting healthcare operations. I went into more detail about this study and topic in this blog post.
As reported by HealthcareITSecurity.com, Systems Access Management topped the list of threats in 2019. They reported that "…failing to ensure strong access control policies that revoke employee access after termination can lead to massive fines. Systems access management must be a priority in 2019 and beyond."
Another recent article in HealthcareITNews.com says that security should be a top priority for hospital CEOs. According to the article, "Security is important enough to be above everything else," said David Chou, a veteran hospital executive who is currently VP and principal analyst at Constellation Research.
These are just a few examples of experts saying that cybersecurity, and remote access security in particular, needs to be a focus now!
So, focusing on the topic of Securing Remote Access to your network, there are really two forces at play here:
- Securing your network from hackers or malware to protect ePHI
- Meeting regulatory requirements for vendor access to avoid fines
A few places to start to protect your network from hackers:
- Use multi-factor authentication – if you do nothing else, you should do this.
- Do the research and understand where you have gaps in your remote access security plan
- Prioritize how your vendors and remote employees access your network (these should be similar if not the same)
- Put tools and procedures in place to block access if certain security and access criteria are not met
- Have multi-factor authentication. Yes, you already read that in #1, it's just that important to have multi-factor authentication!
Where to start to meet regulatory requirements:
- Assess if you are meeting the requirements that a valid Business Associate Agreement (BAA) is in place before allowing access to ePHI
- Assess if you are verifying that a valid BAA is in place with each remote access attempt. (The HIPAA omnibus rule says that you must check each access for a valid BAA).
Most CIOs tell me that their compliance department handles the BAA process and turns the vendor over to them to grant network access once the BAA is in place.
That manual process may work for the first access, but what about a year from now? Do you know for sure (and can you prove) that each person accessing your network has a valid BAA? Fines and penalties exist for healthcare organizations found guilty of negligence in the BAA process, especially when allowing vendors to remotely access their network.
Some questions to consider:
- How do you manage the BAA process between multiple departments? Is this a manual or automated process?
- Even if you have a process in place for when the BAA is signed, how do you manage the multiple agreements months and years later?
- Are you prepared if you are audited? Can you prove that you check for a valid BAA with each remote access attempt? And further, can you block access if the BAA is out of date?
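The three checks above (block access when security criteria are not met, verify a valid BAA on every remote access attempt, and be able to prove it to an auditor) can be expressed as a single deny-by-default policy gate. The following is an added illustration, not code from the original post or from any vendor product; the vendor names, agreement dates, access attempts and the reason codes are all constructed for the example. It assumes, as the post suggests, that employees and vendors are held to the same MFA requirement, with the BAA check applying only to third-party vendors, and that every decision is written to an append-only audit trail as one JSON line.

```python
"""Illustrative remote-access policy gate (constructed example).

Rules: MFA is required for everyone; a Business Associate Agreement that is
in force on the day of the attempt is required for every third-party vendor;
each decision is recorded as one JSON audit line.
"""
from dataclasses import dataclass, field
from datetime import date
import json
from typing import Dict, List, Optional


@dataclass
class BusinessAssociateAgreement:
    vendor: str
    effective: date
    expires: date

    def covers(self, day: date) -> bool:
        """True if the agreement is in force on the given day."""
        return self.effective <= day <= self.expires


@dataclass
class AccessRequest:
    user: str
    vendor: Optional[str]   # None for a directly employed user
    mfa_verified: bool      # set by the MFA step that ran before this gate
    requested_on: date


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest,
             agreements: Dict[str, BusinessAssociateAgreement]) -> Decision:
    """Deny by default: every unmet criterion is recorded as a reason code."""
    reasons: List[str] = []
    if not req.mfa_verified:
        reasons.append("mfa_not_completed")
    if req.vendor is not None:
        baa = agreements.get(req.vendor)
        if baa is None:
            reasons.append("no_baa_on_file")
        elif not baa.covers(req.requested_on):
            reasons.append("baa_expired" if req.requested_on > baa.expires
                           else "baa_not_yet_effective")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_record(req: AccessRequest, decision: Decision) -> str:
    """One JSON line per attempt: the evidence an auditor would ask for."""
    return json.dumps({
        "date": req.requested_on.isoformat(),
        "user": req.user,
        "vendor": req.vendor,
        "mfa": req.mfa_verified,
        "decision": "allow" if decision.allowed else "deny",
        "reasons": decision.reasons,
    }, sort_keys=True)


# Constructed sample agreements (hypothetical vendors and dates).
AGREEMENTS = {
    "imaging-vendor": BusinessAssociateAgreement(
        "imaging-vendor", date(2019, 1, 1), date(2020, 12, 31)),
    "billing-vendor": BusinessAssociateAgreement(
        "billing-vendor", date(2018, 3, 1), date(2019, 2, 28)),
}

# Constructed sample access attempts.
REQUESTS = [
    AccessRequest("tech@imaging-vendor", "imaging-vendor", True, date(2020, 4, 1)),
    AccessRequest("ops@billing-vendor", "billing-vendor", True, date(2020, 4, 1)),   # BAA lapsed
    AccessRequest("contractor@new-vendor", "new-vendor", True, date(2020, 4, 1)),   # no BAA
    AccessRequest("nurse.j", None, False, date(2020, 4, 1)),                        # employee, no MFA
    AccessRequest("ops@billing-vendor", "billing-vendor", False, date(2020, 4, 1)), # both fail
]


def run_gate(requests=REQUESTS, agreements=AGREEMENTS) -> List[str]:
    """Evaluate every request and return the audit trail as JSON lines."""
    return [audit_record(r, evaluate(r, agreements)) for r in requests]


if __name__ == "__main__":
    for line in run_gate():
        print(line)
```

Running the gate over the five sample attempts allows only the first one; the others are denied with reason codes that say which criterion failed, and the JSON lines are what you would hand an auditor who asks whether the BAA was checked on each attempt.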
I heard a quote recently that said, "it’s not a matter of if you will be hacked, but when." That is a scary thought, considering recent estimates that say approximately 56% of healthcare provider organizations have experienced a vendor or third-party breach!
It’s up to you and every healthcare IT security leader to do everything in your power to put safeguards in place that block as many hacking attempts as possible. We are enablers of cyber-attacks when we do little or nothing to protect our valuable PHI assets.
If you want to learn more about how to secure access to your network and how to manage remote vendor (and employee) access, check out this short video Secure Remote Access to Your Network, and then contact us at firstname.lastname@example.org to talk to our experts about your remote access challenges.