Building Immunity for Health Care Information
The health care industry bears heavy security and compliance burdens. Health care providers are obligated by their custodial responsibilities, as well as federal statute, to preserve patient privacy against unauthorized access to protected health information (PHI). At the same time, they are under the same type of pressures as any other business to protect employee and customer information from data breach.
The need for information security has taken on much greater urgency since passage of the HITECH (Health Information Technology for Economic and Clinical Health) Act, which is part of the American Recovery and Reinvestment Act (ARRA), more commonly known as the Stimulus Bill, enacted in February 2009. The primary purpose of the HITECH Act is to convert the nation's health care records to digital formats, improving health care through the rapid transmission of medical information and ultimately saving money on operations by making health care more efficient.
Pressure to Protect Patient Records
HITECH takes something of a carrot-and-stick approach to encourage the conversion of all patient information to electronic health records (EHR). The federal government offered $19.2 billion in incentives to organizations that meet its requirements. On the other hand, HITECH puts teeth into the enforcement of the Health Insurance Portability and Accountability Act (HIPAA), which has heretofore been largely unenforced, although its security and privacy rules have been in effect since 2003.
HITECH provides for penalties of up to $50,000 per violation, capped at $1.5 million per year for multiple violations of a single requirement. Moreover, in addition to actions brought by the U.S. Department of Health and Human Services, states' attorneys general can bring suit for violations within their jurisdiction. As a result of actions by Connecticut and Vermont, for example, insurance provider Health Net paid more than $300,000 in a settlement over loss of an unencrypted drive that exposed health records of 1.5 million people.
HITECH also requires data breach notification, similar to the many state data breach notification laws. This puts significant pressure on providers to avoid the costs and negative publicity of a loss of patient information. Business associates, now subject to HIPAA Security Rule requirements, must notify their covered entity partner if they are responsible for or victim of a PHI breach.
Conversion to EHR is resulting in rapid growth in digital information, and commensurate pressure to implement strong security measures to prevent data theft. The impetus for conversion to EHR is rapid and easy access to critical patient information and the ability to transmit and share that information with health information exchanges, hospitals, medical practices and business associates. Under HITECH, all recipients of EHR are now subject to the same requirements for protecting PHI.
More Than Health Information
As with most other organizations doing business on the Internet, health care organizations and their partners face information security obligations beyond HITECH and HIPAA. They are custodians of employee and client personally identifiable information (PII), financial records and, in many institutions, sensitive research data. Health care companies must also be protective of sensitive organizational data, such as business plans, whose theft could put them at a competitive disadvantage.
Most health care organizations handle credit card transactions, so they are also subject to the highly prescriptive requirements of PCI DSS.
Attackers are targeting health care institutions in growing numbers. In this environment, health care providers should assess their security programs and ensure that they have the policies, processes and supporting automated tools in place to protect patient information.
The challenges are daunting. Covered entities and business partners must provide strong security measures to reduce the risk of breach as volumes of electronic health information increase, while continuing to meet the requirement to protect other employee, company and client data.
Corero Network Security Solutions
Corero Network Security provides superior solutions that protect health care organizations against attacks aimed at exposing patient records and/or stealing PII, credit card data and other sensitive information.
Corero’s First Line of Defense® is an organization’s new perimeter. It stops the latest breed of cyber-attacks, including DDoS attacks, zero-day exploits, remote exploit insertions, server targeted threats and access attempts from malicious IP addresses and unwanted geo-locations, all of which easily bypass traditional network security defenses and compromise enterprise networks.
Intrusion Prevention System
Corero's Intrusion Prevention System (IPS) solutions provide continuous, comprehensive protection against external attack, leveraging unique technology that distinguishes between legitimate and malicious traffic, providing more accurate detection and fewer false positives than other IPS products. Corero uses stateful protocol inspection and inspection of payload data files to determine whether suspect traffic is behaving correctly or represents a threat.
Corero IPS features bidirectional traffic inspection, enabling response behavior analysis, in order to stop application layer attacks and detect compromised computers communicating with their command-and-control servers.
Corero solutions provide a high level of visibility into network activity and help meet internal audit and regulatory compliance requirements through Corero's Network Security Analyzer (NSA), a security information and event management tool. NSA provides robust and highly flexible logging, reporting and forensics capabilities to meet health care organizations' security and compliance requirements.
Corero's IPS features highly flexible and granular policy control, which allows security personnel to craft rules appropriate to the unique health care environment.
DDoS Defense System
The expanding and diverse web presence of health care organizations makes them vulnerable to distributed-denial-of-service (DDoS) attacks. A successful DDoS attack can cripple a health organization's web presence, cutting off essential access to patient and client services and vital information. Corero's DDoS Defense System (DDS), leveraging Corero's award-winning technology, delivers nondisruptive protection against attacks on the networks and servers that support health care providers' web services. It provides maximum protection for critical IT assets, detecting and blocking malicious traffic while allowing full access to legitimate users and applications.
DDS delivers unmatched DDoS attack detection and mitigation against both the well-known network layer flooding attacks and the more insidious application layer attacks that are nearly impossible to detect without DDS's patented technology. DDS delivers on-premises protection that traditional network security technologies, such as firewalls and other vendors' IPS products, cannot.
In concert with DDS, SecureWatch PLUS DDoS defense configuration/implementation, 24/7 monitoring and incident response services provide the most comprehensive DDoS defense available on the market.
Health care organizations can deploy Corero's IPS and DDS solutions inline in full confidence that they will protect all the information entrusted to them while maintaining full levels of performance and service for their constituencies, from patients to suppliers and partners. Corero appliances offer the lowest latency and highest reliability of any security products available on the market today. Corero's Core Platform, built on Tilera multicore processor architecture and CoreOS, provides real-world protection at real-world performance levels.