For the past year, we have been working through our HITRUST CSF certification process and it has helped us super-charge our company’s policies and procedures when it comes to cybersecurity. Now that our Gemini Integration Platform has received HITRUST CSF r2 certification, we would like to share our thoughts for those we speak with each week who are just starting out their journey.
We talk to many different types of healthcare organizations, and many are resource-constrained, particularly when it comes to managing their integration infrastructure. Others are launching new technology innovations but are newcomers to the healthcare domain. If you fall into one of these categories, we thought it might be helpful to share our thoughts on those aspects of security that are often overlooked, especially in the context of interoperability projects.
Remember, when it comes to keeping your environments safe, you are only as strong as your weakest link.
3 Things Your Healthcare Organization Can Do Today to Enhance Security
- Dramatically reduce risks associated with phishing. The majority of ransomware attacks on healthcare organizations that you read about have arisen from a phishing attack. An employee received an email that appeared legitimate and either downloaded a malicious file, provided login credentials to a fake website, or took other “bait” the phishers threw at them. The best way to protect your organization from this type of threat is through ongoing education and awareness campaigns. There are free tools that allow you to run “phishing tests” for your staff. You should do this frequently and dial up the “challenge” level as your staff gets savvier. Publish anonymized results and incorporate this topic in your recurring meetings. No staff member in your organization should be exempt from this training and awareness effort. Guaranteed, there are people in your organization who think, “I can’t access any PHI systems, so what I do doesn’t matter.” This is very wrong, of course: any compromised mailbox or workstation gives an attacker a trusted foothold inside your network, regardless of what that user can access directly. Any single individual who isn’t buying into the phishing security threat is the phisher’s new best friend. We recommend using a third-party solution like KnowBe4 to implement simulated phishing attacks.
- Enable 2-Factor Authentication. No system you use in your organization should be exempt from two-factor (multi-factor) authentication (MFA). Focusing specifically on interoperability use cases: when reviewing our clients’ own Mirth Connect deployments, we rarely see MFA enabled. That is a big security gap, because an integration engine holds credentials for every system it connects to and routes PHI between them. While it can take some effort, you must secure your integration engine instances with MFA to reduce security risks. For those organizations considering working with Zen, our Gemini Developer solution includes an integrated identity management / MFA solution so that our clients do not have to figure that out on their own. That is a huge time saver.
- Adopt a Formal Risk Management Approach Throughout Your Organization. Business leaders engage in risk management informally throughout their careers, and CISOs are fully trained in all aspects of risk management. But there is a difference between risk management being assessed and reviewed at the executive level and embracing and operationalizing risk management throughout the entire organization. This is where you will make a big investment in time and energy to ensure the formal Risk Management Policy establishes a broad enough framework to support all departments and levels. Then you need an ongoing effort to train, get feedback, adjust, and retrain across the entire organization. If you want the staff member who thinks what they do “doesn’t really matter” to the big security picture to change that view, they need to understand the concept of risk management and how it applies to the job they do every day. It is also essential that you review the risks specifically introduced as new interfaces are created or new endpoints are exposed. Most interoperability projects today are, by definition, interacting with the outside world. Don’t let your interface team or platform fall through the cracks in your risk management approach.
Speaking of Policies…
Someone recently asked our President, Marilee Benson, what she felt were the first policies they should focus on in preparing for a security certification like HITRUST CSF. Here is her response:
“I admit it’s very hard just to pick a few, as all our policies are extremely important, and they all knit together to form our overall Information Security Plan. But I think I can identify a few that are a good place to start: the Policy Management Policy, Risk Management Policy, Access Management Policy, and Change Management Policy. Arguably there are many other very important policies related to securing your organization and managing risk. However, if you do not have these four policies really well defined and fully operationalized across your organization, you will be challenged to maintain and comply with all the others on a consistent basis.”
The Policy Management Policy (you may call it something slightly different) is essential because it sets the rules of the road for how all other policies are updated, reviewed, approved, and managed. Consider this the “Rosetta Stone” for all your other written policies. We have a designated workgroup made up of our senior leadership that is responsible for all policies, and how we manage them is outlined in our Policy Management Policy.
The Risk Management Policy outlines how you are operationalizing risk management and risk assessments throughout the organization. It defines key terms, defines your risk domains (such as Confidentiality, Availability and Integrity), creates your risk scoring system, and establishes when and how risk assessments occur throughout the organization. We talk about the importance of managing risk across the entire organization, and this policy defines how you do that.
The Change Management Policy is critical because changes and updates to systems, access to systems, interfaces, and even changes to policies and procedures can introduce risk across multiple risk domains. Many people use a ticketing system to operationalize change management. Consider not limiting this to IT infrastructure changes: using one consistent approach for implementing effective change management across the entire organization is much easier to manage and monitor long term.
We also use a cross-department change management group that meets regularly to review change requests and the associated documentation. What is working? What isn’t working? Are there gaps? Are change requests backing up and creating bottlenecks to getting work done? Are the appropriate risk assessments occurring regularly? Are change ticket “backout plans” documented consistently? As with Risk Management (and the two are closely linked), this is a policy that must become a natural part of your workflow and needs to evolve as your organization grows and changes.
The Access Management Policy establishes the critical business rules for who can access what data and when. It should apply to any person who has access to your environment, defining what level of access they should have regardless of whether they are an employee or not. It establishes auditing policies and procedures to ensure the “access” rules are being followed and to record who is viewing sensitive data. It also typically establishes password management and 2-Factor authentication business rules and procedures. It may also define rules around accessing only the minimum data necessary (HIPAA’s minimum necessary standard), separation of duties regarding access, and how to handle any suspected security incidents, or those may be defined in other policies, such as a HIPAA Privacy and Security Policy or an Incident Response Policy.
Building out and maintaining a solid Information Security Plan and the associated security best practices is not just a requirement for large companies. It does require a large investment of time up front, but if you put together a solid roadmap (with great policies and procedures), maintaining and updating those best practices is much easier.
But the most important thing to remember is that your procedures and policies cannot be just words on paper sitting in a shared folder. They must translate to real actions performed consistently in daily work performed across your organization.
In other words, a HITRUST CSF certification can’t just be an accessory. It must be a lifestyle.