Jan 15, 2020
How Your Organization Can Manage HIPAA Compliance with Tanium
By Cameron McLaws
Innovation and compliance in the healthcare industry
The use of big data to assist providers with patient care decisions, 3D-printed skin for burn victims and patients' instant access to their own medical records are just some examples of the technology advances transforming the healthcare industry. However, all of these technologies pose a potential risk to patient privacy and Protected Health Information (PHI), and with this risk comes regulation that all U.S.-based healthcare organizations must follow, including the Health Insurance Portability and Accountability Act (HIPAA). The part of HIPAA that specifies the security safeguards healthcare organizations must implement to achieve compliance is called the Security Rule. With the ever-growing list of HIPAA compliance requirements, organizations are constantly forced to rethink their approach to endpoint management.
With the rise of mobile workforces, especially among users in healthcare organizations, it is a challenge to accurately track all endpoint devices on the network. Devices are constantly moving: within the network, off the network, at home, at coffee shops, or on VPN. This highly volatile environment is difficult to track, and the current tools in the enterprise neither gather data quickly enough nor provide a high level of confidence that the data is accurate. In fact, KLAS Research found in a study of 600+ healthcare organizations that the top medical-device-security struggle is a lack of asset and inventory visibility, caused by insufficient tools and the large number of devices that must be secured¹. Without an accurate and up-to-date asset list, it is nearly impossible to perform a proper risk analysis of an environment, patch the devices to mitigate vulnerabilities, and configure them appropriately against standards.
Evaluating vulnerabilities and risks in your environment
The HIPAA Security Rule requires healthcare organizations to evaluate vulnerabilities and risks in their environments and to implement policies and procedures to address them. Too many organizations do not know which patches are missing, how vulnerable they are, and which configurations are applied to which endpoints. This poses a huge risk, as it leaves endpoints open to PHI exposure from a security incident or breach. The reality of today's endpoint management systems is that many of them simply collect data too slowly, cannot take action quickly enough, or no longer work as intended. With zero-day vulnerabilities being exploited on average 22 days after being found², organizations are often required to break traditional monthly patch or vulnerability assessment cycles and move quickly. This dilemma is exacerbated by out-of-date tools that do not scale adequately in large environments and take too long to actually perform the patching or vulnerability scanning needed. An example of this came in 2017, when many hospitals globally were affected by the EternalBlue exploit and WannaCry ransomware due to unpatched systems³. This caused hospitals to suffer downtime, affected patient safety, and forced many hospitals to turn away patients. The effects of the ransomware could have been avoided had organizations known the real-time state of their endpoints, giving them the ability to immediately take action on the findings at speed and scale.
Here are three recommended actions you can take today to help you manage HIPAA compliance using Tanium:
- Gain visibility into 100% of your devices. With Tanium Discover, you can run continuous enterprise-wide scans multiple times a day to find all devices and bring the endpoints under management. Once they are under management, Tanium Asset unlocks all of the data from your devices around software, hardware and user details. This provides immediate confidence, because you know the details of the devices that are exposed to PHI.
- Know right away the patch and vulnerability status of all of your devices. With Tanium Comply, you can see the current state of all vulnerabilities. Tanium Patch then sends OS patches to those systems in minutes to mitigate the vulnerabilities. Tanium Deploy sends third-party software patches just as quickly to vulnerable software such as Adobe, Java, Chrome and Firefox.
- Know the configuration state of all endpoints so you can track the Security Rule safeguards everywhere. Tanium Comply provides immediate visibility into all configuration states and tracks your endpoint security configuration over time.
To help you better navigate the HIPAA Security Rule, have a look at our new datasheet, "How Your Organization Can Manage HIPAA Compliance with Tanium". It is free to download at any time.
¹ "How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP)", KLAS Research. https://klasresearch.com/report/how-aligned-are-provider-organizations-with-the-health-industry-cybersecurity-practices-hicp-guidelines/1587
² "Zero Days, Thousands of Nights: Finding #5", RAND Corporation. https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf
³ "Cyber-attack on the NHS", Parliament.uk. https://publications.parliament.uk/pa/cm201719/cmselect/cmpubacc/787/787.pdf