Health and Human Services (HHS) released 6 imperatives for healthcare providers and ancillary enterprises to follow when dealing with sensitive documentation. For the most part, the concepts laid out by HHS are for the good of the industry as a whole. They encourage sharing of threats, increasing funding towards security awareness, increasing funding towards security infrastructure, and general guidance on improving a data security posture industry-wide.
It is refreshing to see such a stance from HHS. After the recent WannaCry attacks, there is increased scrutiny around medical cybersecurity needs, and the recommendations put forth by HHS will begin a transition to a network that can mitigate these incidents before such a sweeping attack can take place.
There is additional concern about the theft of data, in particular patient data, which is rife with personally identifiable information (PII). This sensitive information must be protected with every available measure, because under HIPAA any data loss is a violation, and therefore unacceptable.
The HHS report stops short of recommending solutions for individual practices, but there is certainly room to extrapolate a product or group of products that would satisfy the 6 imperatives laid out. First of all, a coherent plan must be designed and implemented throughout the organization. A CISO cannot simply piece a data security plan together one product at a time, but rather should take a top-down look at how the organization operates, identify the strengths and weaknesses of the existing plan, and take action holistically rather than applying band-aids in one-off fixes. Planning for success in mitigating cyber threats is no different from planning for success in other endeavors. In this case, an ounce of prevention is worth considerably more than a pound of cure.