Editor's Note: SANS & NH-ISAC have just released the whitepaper: The What, Where and How of Protecting Healthcare Data by authors James Tarala and Kelli K Tarala. Below is an excerpt, the full paper is available for download at: http://www.sans.org/u/3fO.
A healthcare organization is responsible for protecting a patient's most private information; their medical record. A healthcare organization also maintains the patient's financial information, as well as the organization's own intellectual property and that of its vendors and affiliates. These are among the most highly sought-after pieces of protected information for a hacker. In conventional data breaches, an individual's credit card number, bank account number or even Social Security Number can be reissued. In healthcare data breaches, an individual's medical record cannot be changed and stolen intellectual property cannot be recovered. This makes stolen healthcare data unrecoverable by its very nature. Once a healthcare organization is compromised due to a breach, public trust in that organization can be permanently tarnished.
HIPAA rules and HITECH regulations are overarching, and protecting private data may seem like a difficult task. However, the risk of data loss can be mitigated. A healthcare organization can increase its data security by following three practical security awareness steps to raise its cybersecurity hygiene. These steps require an understanding of the healthcare data's What, Where and How.
Source: SANS & NH-ISAC, White Paper: The What, Where and How of Protecting Healthcare Data. This White Paper is the first in the joint SANS-NH ISAC White Paper series on Healthcare Cybersecurity. For a complimentary copy of the complete paper, visit http://www.sans.org/u/3fO.
BIO: James Tarala (Twitter: @isaudit) is a principal consultant with Enclave Security and is based out of Venice, Florida. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many SANS auditing and security courses. As a consultant, he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based directory services, e-mail, terminal services, and wireless technologies. He has also spent a large amount of time consulting with organizations to assist them in their security management, operational practices, and regulatory compliance issues, and he often performs independent security audits and assists internal audit groups in developing their internal audit programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He holds numerous professional certifications.
BIO: Kelli K Tarala (Twitter: @KelliTarala) is a principal consultant and co-owner of Enclave Security. Her career began in 1994 as a system administrator and technical editor at a pharmaceutical research organization. As a security architect and project manager, she specializes in IT audit, governance, and information assurance strategies. She is a SANS Institute courseware co-author for MGT415 A Practical Introduction to Risk Management Class and SEC566 Implementing and Auditing the Critical Security Controls - In-Depth. In her spare time, she contributes to Council on CyberSecurity Critical Security Controls project and enjoys running and kayaking.