Responsibility for IT controls might seem to fall squarely on the shoulders of the CIO or IT department, but all hospital employees, from the C-suite on down, are responsible for safeguarding the organization from risks and vulnerabilities.
Just like financial controls that help prevent fraud and operational controls that help ensure compliance, IT controls play a major role in strengthening a healthcare organization and providing solid brand confidence.
As the threat of cyberattacks mount for healthcare entities, it is an interesting shift in mindset that the public tends to blame the organization for loss of data when not so long ago it was the bank robber, and not the bank, who received the attention. Society tends to require a visible target for blame, and cybercriminals are not always known or visible.
Below is a listing of some of the major areas of concern (and suggestions for improvement) for IT controls in most healthcare facilities. Although these items typically are uncovered during routine IT control reviews, healthcare organization leaders are well advised to adopt cybersecurity protections that are in compliance with federal and state law. a
Software and Application List
Maintaining a listing of all critical applications is important for ensuring the organization is aware of what software is being used and what potential vulnerabilities exist from outside parties or unsupported vendors. When entities do not track approved software (or even allow employees to install non-whitelisted software without approval), the environment can be compromised quickly. Maintaining a list of software also is an important safeguard in situations where turnover or unforeseen employee issues require others to pick up job responsibilities with little or no knowledge-transfer time.
Departmental Vendor Management Programs
Responsibility for IT security can never be outsourced. It therefore should be a top priority for each department to create a solid vendor management program that can perform strict due diligence on all outside vendors having potential access to patient or proprietary information. All departments, especially IT, should apply risk assessments consistently to all individuals and third-party vendors that will have access to servers, applications, and databases. Reviewing the controls of others—through IT risk assessments of vendors and service organization control reports—will help in identifying which vendors will have the hospital’s best interest at heart.
Consistent Monitoring of Activity
Organizations should monitor activity that involves potential vulnerabilities, avoiding policies such as allowing generic account access or providing users with passwords that do not expire. Organizations also require timely reporting and actions to be able to monitor unusual or suspicious activity effectively. Among organizations suffering a data loss (from breaches or human error), the average time required to uncover the issue is an astounding 260 days. b IT departments with a separate security division tend to exemplify best practices in proper monitoring of all activity. These organizations understand the value of timely monitoring to effectively uncover potential issues or activity.
Healthcare professionals are notorious for having a distaste for passwords. It’s not uncommon to hear a physician say something like, “I am here to treat my patients, not remember a new 8-character password every 60 days.” Although physicians and nurses should be admired for their high level of skill, they are all too often prime candidates for vulnerabilities as they log into computers and software in front of patients.
With the emergence of electronic health record (EHR) systems, patients are in front of and around computers more than ever. Having and enforcing solid password parameters will lower the risk of breaches to systems and patient information. Proper length (eight or more characters), complexity (alphanumeric plus symbols), rotation (90 days), memory (last five passwords remembered), and lockouts (three failed attempts with indefinite reset time) are well-established standard policies to prevent unauthorized access. Two-factor authentication procedures are becoming more prevalent within healthcare entities because they make it harder for someone with a password (but no additional information) to breach an organization’s systems and applications.
User Accounts of Terminated Employees
The easiest self-examination of IT controls for any organization is a review of whether former employees retain access rights, even if only for a short time. No one is more upset than a recently terminated employee, and if such an employee’s access to the system is not removed on a timely basis, as a matter of policy, the healthcare entity is prime for unauthorized access. Some mitigating controls to guard against such risks include procedures such as timely notification and documentation of the access change request and periodic reviews with sign-offs on user listings by the owners or administrators of the applications or networks (known as logical access reviews).
External Penetration Testing and Internal Vulnerability Scanning
According to a 2016 Verizon report on data breach investigations, half of all exploitations of applications or servers happen between 10 and 100 days after the vulnerability is published. Organizations often do not perform these tests or scans due to a lack of understanding or concern about cost. Performing regular penetration tests on firewalls and access points can prevent potential hackers from accessing systems and databases. Although these regular scans can be expensive, the cost of data loss from breach notification requirements, not to mention the stain on the brand of the organization, can be more substantial and even fatal.
These are only a few of the IT control-related issues. Others include proper data backup and disaster recovery policies and procedures (critical to healthcare entities these days because of the growth threat of ransomware) and mobile device encryption policies (a risk that is large, and growing, due to the prevalence of laptop, tablet, and smartphone use).
Solid IT controls start with management and governance of the healthcare entity. They should be followed by everyone every day, with no exceptions. If the top executives believe something is important, the employees of that organization will follow suit every single time.
Paul M.Perry, FHFMA, CITP, CISM, CPA, is a member, Warren Averett CPAs and Advisors, Birmingham, Ala., and a member of HFMA’s Alabama Chapter.
a. “Top 10 Tips for Cybersecurity in Health Care,” HealthIT.gov.
b. Gerdeman, D., “CIOs beef up security tools in wake of 2014 data breaches,” TechTarget, Jan. 2015.