3 Security Maxims that Executives Need to Know to Protect Electronic Health Information

By Joshua Kissee, Ph.D. and Mark Lynd, CISSP, ISSAP & ISSMP

“Chains Required,” flashed on the road sign for the exit. As the truck exited the highway, it soon became apparent that the snow on the road would be too much. Yet our protagonist was in a hurry and proceeded down the road, only, you guessed it, to get stuck. A phone call and an hour later, a friend with a Jeep came to help. A chain was latched to the truck's hitch and the great pull began. The Jeep did its best to unjam the truck, but it would not budge from the snow. Solution? The Jeep pulled harder and harder. At last, the moment came when the truck started to shift just a little and their hopes were raised, when suddenly the truck hitch snapped off and the unbroken chain fell to the ground.

Did you think the chain would snap? They have before, proving that a chain is no stronger than its weakest link. Yet in this case, the chain was stronger than what the hitch on our troubled truck could take. A very bad day to be stuck, with a worse truck, and still in need of a solution.

As healthcare leaders, you spend a significant amount of time thinking about innovation, growth, efficient operations, patient care, risk, and a host of other concerns. You have enabled strong investments and have spent countless hours thinking about how to make your organization better. Then come the snowy, slippery days, when unexpected things can happen, like our fabled truck hitch breaking instead of the chain. Sometimes we have little choice but to drive down the snowy road. When that day comes, having a handful of powerful maxims will make it a little smoother, just as it did in our story when a licensed tow truck finally came to save the day and bring some sunshine to the tale.

The hitch comes off in healthcare when cyber attacks compromise electronic protected health information (ePHI), especially in a HIPAA-covered entity. Exposure of these records, as many of you know, can result in civil, financial, and even criminal penalties. When determining penalties in an audit following a bad day in your healthcare organization, the Health and Human Services Office for Civil Rights (OCR) will assess how well your security practices were implemented, looking back at a minimum of the previous 12 months, in deciding how much it will cost your organization.

The current debate centers around what to consider as “recognized security practices.” On April 6, 2022, the OCR released a call for input to determine these practices. Section 13412 of the HITECH Act requires OCR to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential HIPAA violations. The OCR goal? “To do everything in your power to safeguard patient data.”

While the final determination in defining “recognized security practices” may not be seen for some time, you can get started with these three maxims.

1 – Don’t overlook endpoint devices – Leverage Unified Endpoint Management

Operating technology that stores your organization's data without an endpoint management solution is as difficult as attempting to manage what you don’t measure. A great deal of time is spent on external threat vectors and specific attacks from outside your organization, such as ransomware. Rightfully so, as these risks exist. While it's important to protect externally, we must not overlook internal device management.

Endpoint security protection provides visibility into all connected endpoints. Network security tools are often centered on stopping a specific threat and are placed throughout the network, whereas endpoint security tools are installed on the endpoint device itself. Think about all those laptops, desktops, and tablets used by clinicians, medical imaging devices, mobile care units, telehealth consoles, and the list goes on. Endpoint devices sprawl throughout an organization, and it only takes one unmanaged, unpatched device to become the weak link in the chain that snaps before the hitch comes off. Move away from using a variety of tools, each with a single function, such as one tool for security patches, another for antivirus management, and another for software deployment. Protect your endpoints.

2 – Access Control is Critical – Standardize Identity Management

Too many devices, too many systems, too many passwords. Keeping up with managing authorized access, which is a core requirement of protecting ePHI, is nearly impossible with local accounts. Just last week, your budding new telehealth team that is going to do great things purchased a software application to manage patient visits remotely. Out of the box, the software can be configured using “local accounts,” an easy way to get started without doing the hard work of integrating with your organization's single sign-on, common ID solution.

The challenge with local accounts is that, while they can be configured securely, the doctors will have to remember yet another password to use the software. In addition to physician frustration, your ability to deploy standard access control policies becomes more difficult with every additional system using local accounts. A better approach is to adopt an identity and access management (“IAM”) platform integrated with your access control solution, invest in IT staff to manage and configure it for all your systems, and be glad on the snowy day when someone asks you how you actively manage access control throughout the organization.

3 – Visibility for Audit Logging is Critical – Put on New Glasses with Security Log Auditing and Analysis

Audit controls are needed to record and examine access and other activity in information systems that contain ePHI. This means visibility into numerous logging events, detecting anomalies in activity, and tracking file-level access: who accessed what, and when. The previous two maxims suggested centralizing the management of endpoints and identity; in this case, use all of the tools that are needed and invest in IT staff or contracted services to monitor them.

Why? With audit logging in place, when the bad day comes you have a much better ability to demonstrate your resilience to OCR and reduce your penalty, and finding out what actually happened becomes much easier. If only the protagonist had seen the small cracks on the hitch near the welds, they might have chosen never to connect the chain in the first place. To be really good at this, ask your IT leader what tools they need or have in place to automate data protection. Discover how, and if, they detect insider threats and ransomware. Ask them, “Are you receiving alerts when someone appears to be preparing to exfiltrate (take from one place to another) data, or would you not know until after it was done?” It is better to ask the hard questions now than to be disappointed or at risk later.

Final Thoughts

Don’t be overwhelmed or stressed. Chances are, your IT leaders are already doing some of these in some form, but there is always a valid reason to re-assess where an organization stands and conduct a periodic risk assessment to identify the areas for improvement. Pick one area that is important to your organization, ask the question to get the conversation started, and begin to strategize what investments in people, process, technology, or policy are needed. Doing so will put you and your organization in a better position on the day that you are stuck and in need of a tow.


Joshua Kissee Bio

Joshua Kissee, PhD, is the director of information technology and assistant chief information officer for Texas A&M Health Information Technology, a unit of the Division of Information Technology at Texas A&M. In his role, Kissee oversees the management and delivery of critical Texas A&M Health research, education and clinical systems across Medicine, Pharmacy, Dentistry, Nursing, and Public Health.

Kissee holds a Bachelor of Science in information systems from Arkansas State University, a Master of Education in adult education from the University of Arkansas – Fayetteville, and a Doctor of Philosophy in higher education administration from Texas A&M University. Kissee has 21 years of IT experience across numerous technology specializations. His interest and expertise center around IT governance, strategic management, security and compliance of regulated data, the innovative application of cloud technologies, and the discipline of strategic investment to drive both rapid and incremental growth for organizations through the use of information technology.

Mark Lynd Bio

Mark Lynd currently serves as the Head of Digital Business and as a member of the executive leadership team for Netsync, a large technology value-added reseller. With more than 23 years of technology and cybersecurity experience as an entrepreneur and executive, he was an Ernst & Young’s “Entrepreneur of Year – Southwest Region” Finalist, presented the Doak Walker Award on ESPN’s CFB Awards Show, ranked the #1 Global Security Thought leader in 2022 by Thinkers360 and named one of the top global cybersecurity experts and speakers by Onalytica.

He continues to be an in-demand thought leader and featured speaker on topics including cybersecurity, artificial intelligence, cloud, diversity, STEM and veteran affairs for Oracle, IBM Watson, Cisco, HP, SailPoint, AT&T, Intel, and other organizations. Mark has been featured in the WSJ, Information Week, eWeek, CRN, CSO, and others. He is a military veteran who served honorably in the US Army’s 3rd Ranger Battalion & 82d Airborne.
