Entering the "red hot" medical vertical? Look before you leap!

VARs entering the medical vertical need to understand the vertical's security issues to protect both themselves and their clients

Industry surveys say over half of data solution providers are not serving health care vertical clients. That will change dramatically with the “gold rush” of the Electronic Medical Records (EMR) initiative being pushed by the Federal government with “sticks” (reduced provider payments after 2014) and “carrots” (incentive payments for providers meeting federal “meaningful use” guidelines) for healthcare providers. If you are planning to “pan for gold” in this vertical (or are already serving the industry), there are some industry regulations and security actions/services you must be aware of to protect both your healthcare client and yourself (YES—your business).
Some of the industry regulations, with summary points/issues to examine:
• HIPAA—The “do good & avoid evil” regulation. Since 1996 the regulation had no enforcement teeth, but that has changed (see HITECH). You should read the sections on administrative, physical, and technical “safeguards” to get a summary of the controls needed. Also ensure you meet the “business associate” requirements to protect yourself and give your client “safe harbor”.
• HITECH – The federal government finally put “bite” into HIPAA by making Health & Human Services (HHS) responsible for administering penalties and compliance audits. Breach notification rules are now in place, along with significant escalating financial & criminal penalties.
• FTC Red Flag Rules – Designed to deal with identity theft; most healthcare MSPs and care providers don’t even realize this regulation applies to them. A healthcare provider is a “creditor” under the act, so read the published guidelines for healthcare providers carefully.
• PCI-DSS – Most MSPs are aware of this credit card processing contract requirement (it is a contract, not a regulation). But in addition to assessing your healthcare provider’s compliance level (1 through 4) for its compliance requirements, remember that you, as a “business affiliate”, must attest to being compliant with the affiliate requirements to provide your client safe harbor. Be sure to look at the “data at rest and in transit” requirements.
• STATE BREACH LAWS – There are 46 of them and all are different. My personal favorite—the requirement to call the New Jersey state police before anyone else when reporting a breach. Remember your state attorney general does the enforcement—read “publicity to ensure getting reelected!” If an MSP serves multiple states, what guidance does it offer clients? Answer: select the toughest state as the compliance guideline for all clients (remembering to note any quirks for each state) to simplify your operations.
Once you have a business layman’s understanding of the healthcare regulations/contracts, then, besides the standard security best practices and services you should already offer, make sure you offer at least these at a minimum:
• RISK ASSESSMENT—The client needs a risk profile to prioritize the actions/projects that make them compliant and reduce risk. This will also serve as a framework to develop a security program unique to each client.
• ANTIVIRUS/MALWARE/ETC MANAGEMENT -- Clients need more than individual desktop AV. To ensure regulation compliance you should offer a management service which includes customizing templates to optimize the AV tool for them and ensuring a minimum footprint on client operations.
• BACKUP/DR – While this may seem “duh”, if your client uses a SaaS EMR solution and network availability is lost, both offsite and onsite backup must be considered given the potentially life-threatening client situations. Also, HIPAA & HITECH require retaining up to 6 years of data related to patients. HITECH also requires that your client be able to produce, if requested by the patient, a record of who outside of the doctor’s office received any medical info on that patient.
• END POINT SECURITY—This is more than vulnerability scanning (although that is required by PCI-DSS), since physicians are increasingly using mobile devices to obtain patient medical info. Mobile security management, which includes encryption, is a must.
• SECURE AUTHENTICATION – Given the legal and criminal risks of not ensuring compliance with generally accepted security practices, it is time to look at two-factor authentication. Biometrics have come a long way in terms of cost and false error rates.
To net this out—if you are just entering this vertical, look at the regs and minimum client security needs before you “pan for gold”, since there are financial and criminal penalties if you and/or your client are found in violation. If you are one of the 44% of resellers/providers that already found “gold” in this vertical and any of this information is new – “run
