The cyber security of the healthcare sector is vital if we are to protect the data that patients entrust to medical institutions. The International Information Systems Security Certification Consortium (ISC2) provides one of the best certification tracks for information security professionals, and its Certified Information Systems Security Professional (CISSP) credential is widely regarded as the gold standard of the industry. At the beginning of 2015 the governing body of ISC2 updated the CISSP domains; the Common Body of Knowledge now includes, among others, the following domains (“CISSP® Domains,”):
Security and Risk Management
Communication and Network Security
Identity and Access Management
Security Assessment and Testing
Software Development Security
HIPAA compliance touches practically all of the CISSP domains. In some cases HIPAA requirements clash with the concepts of BYOD and/or telecommuting. A summary of the HIPAA Security Rule requirements and safeguards is listed below (US Department of Health & Human Services, n.d.).
For telecommuting, a healthcare organization can issue a laptop whose SSD/HDD is encrypted with a FIPS 140-2 validated module (“Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,”), together with VPN access. The unanswered question is how the employee actually reaches the company-assigned remote share: over a wired Internet connection, an LTE modem, or a municipal Wi-Fi hotspot. By default the company’s CISO and HIPAA privacy officer should assume that employees will choose the path of least resistance, for example connecting from an untrusted hotspot without first bringing up the VPN, or copying files from the share onto unencrypted local or removable storage. The company should therefore provide policies and guidelines that tell employees exactly how data covered by HIPAA, or by other industry regulations, may be accessed remotely.
To ensure that these security measures are followed, and in particular to guard against social engineering attacks, employees need ongoing training that makes them aware of the consequences of a breach when established guidelines and organizational rules are ignored. Protecting HIPAA data matters not only for the patient, but also for the survival of the organization.
Learn about the (ISC)² Health Care Information Security and Privacy Practitioner (HCISPP) certification here.
US Department of Health & Human Services (n.d.). Summary of the HIPAA Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Viesturs Bambans, CISSP, CHFI, CEH, is an information security engineer who has focused on cybersecurity since 2008. He holds an M.S. in Information Security & Assurance and has expertise in digital forensics, forensic readiness, e-health, EHR, HIPAA audit, compliance and implementation, and e-learning. A native of Latvia, Bambans lives and works in Portland, Oregon.