What you don’t know can hurt you and your customers/patients
Unaware, unauthorized and unsafe – that’s “Shadow IT” in a nutshell. The proliferation within companies of apps and hardware that bypasses official approval from IT has become so common, some professional analysts suggest just embracing it and servicing whatever technology employees want. Maybe that’s an option for companies that aren’t responsible by law to safeguard patient records and other protected health information. But for healthcare IT companies that serve providers, payers and others in the healthcare landscape, security will always be the first concern. They are a common access point to patient records – and cyber thieves know it. Healthcare IT vendors simply can’t afford to have the kind of unmanaged and unsecured applications and devices that these criminals depend on for a gateway into valuable protected health information.
It turns out both healthcare organizations and IT vendors can benefit from the same solution—cloud managed security services. Reputable cloud vendors can provide a broad range of such services, from IT asset inventory to log file monitoring to configuration management. Before delving into these services in more detail, let’s first take a look at why healthcare IT vendors so often are in the dark about system activity – and how this puts protected health information at risk.
IT’s endless project list
Most IT departments are working through an unending list of tasks, each considered the “highest priority” by those in need. Many times, employees choose not to wait for IT assistance and instead seek out software, hardware or services on their own, including various web-based services. While they may feel like they’re being efficient, the reality is they frequently overlook the security and regulatory requirements of the healthcare environment – including HIPAA-mandated safeguards for protected health information. Even worse than a stiff fine in the event of a breach, these shadow IT projects expose patients to the stress of what could be a lifelong battle to reclaim their stolen medical identity.
Out of the shadows, into the cloud
Healthcare IT vendors should take a multi-pronged approach to the shadow IT problem, starting with company-wide education on the serious risks employees are taking both with the company’s reputation and the patient data it’s tasked with protecting. In parallel to this effort, a comprehensive security risk assessment should take place that accounts for every application, system, device and piece of equipment that could serve as a cybercriminal bridge to protected health information. While taking inventory of all these assets may seem like a daunting project, it can be successfully done with the help of a cloud managed services vendor with extensive experience in the healthcare industry. Indeed, a healthcare-specific vendor will know what to look for and where, and can also perform penetration tests on each asset to determine its risk level.
After this step, then what? How can healthcare IT vendors make sure shadow IT won’t return? An increasingly number are deciding to simply migrate their entire IT infrastructure to the cloud, managed by the same experienced vendor. From there, it’s a matter of picking and choosing which centralized security services are needed. Configuration management, for example, is a useful service in the realm of change management – that is, whenever an organization brings new devices, apps and systems on board. Configuration management makes sure, among other items, that vendor-supplied credentials are changed to unique passwords. This is of paramount importance; breaches have been traced back to hackers using an app or device’s vendor-default credentials (which are readily available on the black market).
Another valuable service is managed log monitoring and management that delivers 24×7 security monitoring of log data and immediately identifies potential security and compliance issues. Paired with managed intrusion prevention and threat-resolution services, it offers the around-the-clock monitoring needed to protect data that is otherwise continuously at risk.
Working with an experienced managed services partner that understands the unique challenges and security risks involved with healthcare IT can remove the problems caused when an organization lacks awareness of what’s happening with their IT infrastructure. It’s a simple and, more importantly, effective way to transform the stress of system unawareness into confidence and peace of mind that all systems and IT activities are accounted for – and protected.
Written By: Matt Ferrari, Co-Founder & Former CTO, ClearDATA
Originally published on March 21, 2016 by HIT Leaders and News.