Online Business Systems (Online) conducts dozens of HIPAA Compliance and Security Risk Assessments* annually. One finding we see come up consistently across Clients is the lack of a formal Information System Activity Review.
This requirement, tucked into the Security Management Process Standard of the HIPAA Security Rule, reads as follows:
The purpose of information system activity reviews is to identify potential new and ongoing threats to ePHI across the enterprise. This raises the question: what is an Information System Activity Review, and why is it important?
Performing system activity reviews is not just a HIPAA requirement. Any industry that stores, processes, or transmits sensitive consumer information is required to perform system activity reviews. Security frameworks such as NIST CSF, NIST SP 800-53, ISO 27001/2, PCI-DSS, and the CIS Controls all require monitoring of network and system activity to identify anomalous behavior, though they may use different language (e.g., security monitoring, log monitoring) to describe it.
As external attacks become more sophisticated and insider attacks more frequent, an organization cannot rely on protective security controls alone. It must assume security incidents will happen and take steps to ensure that, when (not if) they occur, they will be detected.
It is nearly impossible to monitor EVERYTHING, so it is important to take a risk-based approach to activity reviews and focus on the most likely threats. By doing this, organizations can save effort and money while maximizing the effectiveness of the reviews.
Once you have a system activity review process in place, you will want to test its effectiveness; this is something our team is routinely asked to do. By evaluating what you have, we are able to identify practical ways your company can more quickly identify threats posed by both internal and external actors, including ransomware, data theft, network compromise, and unauthorized access to medical records.
A recent Verizon study found that almost 40% of breaches take months or years to detect. This is down from the findings of previous reports, largely due to increasing ransomware infections, where the bad actor lets you know you have a problem in hours or days instead of lurking in your network and stealing data for months or years.
We love to help our clients tune their information system activity reviews to identify potential bad actors before a ransom demand is ever made.
To contact Adam, David, or our RSP team, please email rsp@obsglobal.com.
* In the United States, healthcare providers, payors, clearinghouses, and Business Associates must be compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In Canada, organizations must wade through a mixture of provincial and federal privacy and security legislation.
Information security provides the basis for trust in the healthcare industry. Online Business Systems has 20 years of experience within the healthcare industry and over 20 years of experience in the security arena. Our approach to security risk analysis goes beyond adherence to the HIPAA Security Rule. We identify realistic threats to the organization's information and systems and present them in a manner that is meaningful and actionable to business decision-makers.
Online is much more than an assessor. Online will walk alongside the organization to ensure that security and compliance risks are identified in a timely manner and addressed using a risk-based decision-making methodology that results in security controls that are impactful and right-sized for the organization.
David Mertz is a Principal Consultant with our Risk, Security & Privacy Practice. As an experienced compliance, data security, and risk professional, David performs Security Risk Assessments and helps Clients maximize their security monitoring operations implementations.