Information security is an aspect of business that requires good, actionable feedback on what’s working and what’s not. Typically provided by security management tools, security intelligence is the foundation of an effective information security program. Without this intelligence, network/security admins, managers, and executives are unable to make good decisions nor truly say that they are properly managing their risks. Given the risks and liabilities of doing business today, arguably the most important aspect of security intelligence is knowing that you’re adhering to the various industry and government regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
If you’re a business working in or around the healthcare industry, you likely have to comply with the HIPAA Security Rule from 2005 as well as the more recent HIPAA updates such as the HITECH Act and the Omnibus Rule updates. The HIPAA requirements are pretty explicit in what’s required for the protection of protected health information (PHI). What’s not so obvious is how HIPAA covered entities, business associates and their subcontractors are supposed to implement the various controls. There’s an indisputable reality of information security that’s at work here: you cannot secure what you don’t acknowledge. In other words, you cannot keep threats – both known and unknown – from exploiting PHI-related security vulnerabilities unless and until you acknowledge the very thing you’re trying to protect. Many people aren’t sure what PHI they deal with. They’re not sure how it comes into the organization. They’re not sure how it’s processed or where it’s stored. They’re not even sure where it ends up at the end of its lifecycle.
Security intelligence basics: knowing what to prioritize
In order to understand what PHI you have, how it’s currently at risk, and what’s necessary to keep it under wraps, you have to have good security intelligence. For example, let’s look at the audit logs related to PHI accesses. Whether a user is reading, creating, modifying, or deleting PHI, audit logs provide insight into both successful and denied accesses. They can also provide insight into usage patterns and additional analytics that can help IT and security teams determine what’s working with security and what needs to be done to make PHI more resilient to attacks and unauthorized usage. This resulting information is what makes up “security intelligence”. This information can be used both in a standalone fashion as well as integrate in with other security analytics tools such as security incident and event monitoring.
Many businesses in the healthcare industry have little to no insight into both what’s happening in their environments nor what the bigger picture looks like in terms of information risks and levels of compliance. Far too many people struggle with silos of PHI strewn across the network. These silos are often split out by departments, business workflows, or systems – and there’s no real insight into the security posture of any given system. The complexities associated with managing multiple, diverse environments work against the very essence of what you’re trying – and need – to accomplish with security and HIPAA compliance.
Rather than continuing down the path of complexity and lack of information, focus instead on streamlining areas that you can not only get security intelligence from but also areas that you can apply security intelligence to in order to help minimize information risks. Actionable information taken from audit logs for both on-premises and cloud-based systems can improve your compliance and audit reporting. Better yet, this intelligence can improve security while, at the same time, make your job easier. Anything you can do to provide good security insight and reduce the complexities associated with ongoing security management will do wonders for your HIPAA compliance initiatives.
About Kevin Beaver
Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 28 years of experience in the industry, Kevin specializes in performing independent security assessments to help his clients uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at through his website at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.