Cyber Insecurity
Aug 2, 2017 | VIA BLOG | Posted 4:31 PM by Dr. Jon Elion

The vulnerability of computer systems has been front and center in the headlines over the last few weeks.

In addition to healthcare providers that have been directly impacted, suppliers of healthcare-related services have also been tangled up with malware, which in turn has had a significant adverse impact on the hospitals of many of our colleagues.

Trying to keep up-to-date with all of the reports on various forms of malware can make one’s head spin, with technical jargon quickly clouding the issues. It’s not really important to most users and hospital administrators to understand the significance of your Master File Table, Master Boot Record, or the workings of a “killswitch.” Focus has been appropriately directed at increasing awareness about the dangers of opening emails from unknown sources and other ways to avoid infection. While that is all well and good, there are two basic steps that are being overlooked that can significantly help protect your computers and your hospital enterprise.

  • Make backup copies of your important files: One strategy that is often-quoted is “3:2:1,” which means that each original file has a total of three copies, 2 of which are “local,” and 1 of which is offsite in a remote, unconnected storage facility. Restoring data can be facilitated by using an online backup service such as iDrive, Carbonite, or BackBlaze (to name just a few). Modern online backup services make restoring even badly infected computers a very easy process, even for non-technical home users.
  • Keep up-to-date with software patches: Both of the recent large malware attacks would have been totally prevented if software patches and updates had been regularly applied (in this case, through “Windows Update”). The Information Technology (IT) department at companies and hospital enterprises can (and should) set system-wide policies that periodically install the latest updates and patches, thereby helping keep information safe.

When considering software (and especially “Software as a Service”) for your hospital, how can you help assure that the supplier is taking all reasonable steps to protect your data, confidentiality and security? To answer that, we need to look at something called Service Organization Controls (SOCs), and more specifically “SOC 2.”

A SOC 2 compliance report is the result of an audit of security processes established by the American Institute of Certified Public Accountants (AICPA). It helps to evaluate a service organization’s compliance with the five Trust Services Principles (TSPs) for Service Organization Controls, including:

  • Security: Logical and physical protection against unauthorized access
  • Confidentiality: All information designated as “confidential” is protected
  • Privacy: The collection and use of personal information conforms with the privacy notices of the Service Organization
  • Availability: The system is operating and available for use
  • Processing Integrity: Processing of information is complete, accurate, timely and authorized

SOC 2 compliance not only requires comprehensive policies and procedures related to the TSPs shown above, but also requires periodic technical audits to review hard evidence that the policies and procedures are being followed.

Hospital IT departments should ask for the SOC 2 “Management Assertion” and audit report of every vendor with whom they are doing business or with whom they planning on working. This is where, for example, you can review policies for data backup and for operating system patches and updates. And, very importantly, there should be something that indicates consideration for Business Continuity, to keep data and functionality intact in the event of network or system failures.

Can you ever really “expect the unexpected” and avoid an incident such as the ones we’ve seen in the past few weeks? Reading over each SOC 2 Management Assertion will help you see how each vendor answers that question.

View Coverage

We'd Love To Tell You More

If you’d like more information, want to schedule a one-on-one demonstration, or just want to let us know what you think, please fill out the form below and we’ll contact you as soon as possible.

referer: traffic source: current page: /coverage/cyber-insecurity/previous page:

*required fields