Dec 08 2020

3 Security Assessments All Health IT Teams Should Know

Hire an outside party for a cybersecurity assessment to reveal key vulnerabilities and strengthen defenses.

Healthcare organizations invest significant human and financial resources in cybersecurity. And just like their counterparts in other industries, health IT leaders know their jobs involve highly sensitive data that, if compromised, could jeopardize staff and customer privacy.

But clinical organizations face the added burden of knowing any cybersecurity failures could affect the physical safety — and even the lives — of patients. 

This heightened risk requires intense scrutiny. There’s simply no margin for error.

This is why healthcare leaders often turn to external organizations to better understand their current risk environment and identify opportunities for improvement. These independent assessments can identify issues that might have gone unnoticed.

Doing so doesn’t imply your teams aren’t up to the task. Simply providing a fresh set of eyes can often identify previously undetected issues. 

CDW’s latest Cybersecurity Insight Report recommends three types of cybersecurity assessments organizations can pursue to protect their networks, applications and operating protocols. 

Let’s take a look at each of these assessments and the value they may provide.

1. Network Assessments to Reconfigure and Update Systems

Healthcare networks are complex, connecting many provider locations and enterprise systems. They also tend to expand quickly as organizations acquire new practices and connect those networks with their own. 

Such rapid-fire expansion can lead to network environments with many diverse technologies that may not be fully understood by the central networking team. It’s a recipe for disaster as network components go unpatched, become misconfigured or simply fail in a manner that jeopardizes security. 

Unless teams are paying careful attention, these security issues may create an easy target for an attacker seeking to gain access to a provider’s network.

Network security assessments ferret out these issues and bring them to the attention of cybersecurity professionals. The review begins with automated scanning tools that identify all active devices on a network and probe them for vulnerabilities. Scanners may detect outdated operating systems and applications, missing patches, insecure configurations, default accounts and other security issues that might tempt a hacker.

Then, the assessor produces a ranked list of vulnerabilities, along with remediation instructions designed to help cybersecurity teams prioritize their work and quickly repair the most significant security issues. 

Skilled network security assessors also provide interpretation of these reports specific to their clients’ business context, allowing them to identify false positives and adjust priorities based upon the criticality and sensitivity of affected systems.
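The triage step just described, as an added illustration (not CDW's or any scanner's own logic): raw scanner findings are filtered for confirmed false positives and then ranked by severity weighted by each host's criticality and data sensitivity. The findings, the CVSS scores and the asset table are constructed sample data.

```python
"""Rank network-scanner findings by severity, asset criticality and sensitivity."""
from dataclasses import dataclass

# Constructed sample of what a vulnerability scanner might report (not real hosts).
FINDINGS = [
    {"id": "F1", "host": "10.0.1.5",  "issue": "Unsupported OS version",      "cvss": 9.8},
    {"id": "F2", "host": "10.0.1.5",  "issue": "Default SNMP community",      "cvss": 7.4},
    {"id": "F3", "host": "10.0.2.20", "issue": "Missing web server patch",    "cvss": 8.1},
    {"id": "F4", "host": "10.0.3.9",  "issue": "Self-signed TLS certificate", "cvss": 5.3},
]

# Assessor-supplied business context: criticality 1 (low) to 3 (high),
# plus whether the host stores protected health information (sensitivity).
ASSETS = {
    "10.0.1.5":  {"criticality": 3, "holds_phi": True},
    "10.0.2.20": {"criticality": 2, "holds_phi": False},
    "10.0.3.9":  {"criticality": 1, "holds_phi": False},
}

# Findings the assessor verified as false positives (e.g. a backported patch).
FALSE_POSITIVES = {"F3"}

@dataclass
class RankedFinding:
    id: str
    host: str
    issue: str
    priority: float

def rank_findings(findings, assets, false_positives):
    """Drop false positives, weight CVSS by criticality (x1.5 if PHI), sort descending."""
    ranked = []
    for f in findings:
        if f["id"] in false_positives:
            continue
        ctx = assets.get(f["host"], {"criticality": 1, "holds_phi": False})  # unknown host: low
        weight = ctx["criticality"] * (1.5 if ctx["holds_phi"] else 1.0)
        ranked.append(RankedFinding(f["id"], f["host"], f["issue"], f["cvss"] * weight))
    return sorted(ranked, key=lambda r: r.priority, reverse=True)

if __name__ == "__main__":
    for r in rank_findings(FINDINGS, ASSETS, FALSE_POSITIVES):
        print(f"{r.priority:6.1f}  {r.host:10}  {r.issue}")
```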


2. Application Assessments to Safeguard Your Software

Software is the engine that powers healthcare. From electronic medical records and patient billing systems to diagnostic image processing and prescription management, the platforms manage lifesaving processes and information. 

With millions of lines of code and integrations that tie components together, this software is also quite complicated. That complexity leads to a heightened potential for mistakes that can affect system security. 

A small undetected error in a software package, for instance, could create an authentication weakness that gives an attacker access to unauthorized information; or, a SQL injection vulnerability might inadvertently provide full access to a back-end database, allowing an attacker to bypass other security controls.
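The SQL injection case mentioned above, as an added example that is not from the original article: a patient-lookup query built by string concatenation next to the same query using bound parameters. The table, rows and probe string are constructed for the example; an application assessor would send a test input like this to see whether the query's logic can be altered.

```python
"""Vulnerable vs. parameterized lookup against an in-memory SQLite table."""
import sqlite3

def make_db():
    """Constructed sample table; no real patient data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("1001", "A. Example", "constructed-1"),
        ("1002", "B. Example", "constructed-2"),
        ("1003", "C. Example", "constructed-3"),
    ])
    return conn

def lookup_vulnerable(conn, mrn):
    # Defect: untrusted input is spliced into the SQL text, so a quote
    # character in mrn changes the query itself, not just the value.
    sql = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, mrn):
    # Bound parameter: the driver passes mrn strictly as data, so the
    # same probe matches no record instead of every record.
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # classic assessment test string
    print(len(lookup_vulnerable(conn, probe)), "rows from the vulnerable query")
    print(len(lookup_hardened(conn, probe)), "rows from the hardened query")
```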

Application assessments use a variety of tools and techniques to probe software for potential issues. Although a network assessment may detect previously known vulnerabilities in applications, a detailed application assessment can uncover novel problems that would exceed the capabilities of a network check. 

This test is also essential for custom applications created by in-house developers, as potential issues with those applications are far more likely to go undetected. Conducting application assessments requires specialized expertise and a nuanced approach, making it critical that organizations retain the services of a skilled application security assessor.

3. Advisory Assessments for a High-Level View of a Security Program

Network and application assessments conduct deep dives into technical security issues and identify specific security vulnerabilities that require remediation. They’re the equivalent of first aid for an organization’s network and application environment, and these grassroots-level assessments offer an excellent look at individual technology components.

But they can’t provide a big-picture view of an organization’s cybersecurity status. That’s where advisory assessments enter the picture. These provide strategic-level reviews of an organization’s cybersecurity program and can examine many different issues. 

Strategic security advisors may examine an organization’s security strategy against industry standards and best practices, identifying gaps that might pose unnecessary risk. Advisory assessments can also dive into compliance issues by examining an organization’s adherence to the Payment Card Industry Data Security Standard, HIPAA, and emerging state, federal and international privacy laws. 

These assessments provide healthcare executives, technology leaders and executive boards with peace of mind that those entrusted with safeguarding information are effectively managing risks facing the organization in regard to confidentiality, integrity and availability.

Technology leaders should consider a mix of assessment options to provide a holistic view of their security landscape. Drawing from each of these assessment types allows leadership to ensure they are covering all major control requirements and are implementing and managing controls in an effective manner.  

Using independent providers to conduct these reviews provides added confidence that an organization’s safety measures are compliant with regulations and consistent with industry best practices, so care teams are effectively positioned to do critical work.
