We all know IT compliance doesn’t equal healthcare data security — believe it or not, even
Target passed a PCI compliance audit just prior to its infamous breach. With the Ponemon
Institute finding that nearly 90% of healthcare entities fell victim to data breaches in the last two years, it’s clear that compliance initiatives like HIPAA and PCI are not enough to keep attackers at bay.

The healthcare sector is at the forefront of leveraging IT solutions to better engage patients and improve outcomes via initiatives like electronic medical records, mobile technologies and connected medical devices. To truly keep patient data safe, healthcare organizations must shift their focus from relying solely on a culture of compliance to building a secure infrastructure that aligns medical record integrity and secure data access with business strategy.

Ensuring secure and accurate patient data not only helps providers improve the quality of treatment, it also results in better patient trust and engagement. What’s more, it reduces the likelihood of a breach, which ultimately reduces costs over time.

Compliance-Only Focus Creates Gaps In Security

Unfortunately, healthcare organizations that focus solely on compliance are by definition only doing the bare minimum when it comes to information security. For example, HIPAA requires:

Regular review of information system activity, such as audit logs, access reports and security incident tracking reports. While that may seem comprehensive on the surface, the standard does not define what regular means (daily, monthly, yearly?), and fails to specify which logs must be reviewed and how long they must be retained. Can organizations that manually review a handful of logs on a monthly basis possibly be as secure as those who implement security tools to automatically correlate all critical system logs, identify anomalies and alert on potential security events in real time?

Limiting each employee’s access to only the information systems required to do their job. While this is a good goal, the rule fails to specify or even mention the importance of implementing role-based access. Can organizations that assign access based on a point in time (once a year) be as secure as those who use automated processes to stay in lock step with how business needs evolve?

Periodic testing to ensure compliance. Still, HIPAA sets no standard for the type of testing, frequency or what to test. True security requires testing critical systems during initial implementation and after each and every change, and then remediation to ensure systems remain secure over time.

Encryption of protected health information (PHI), as a way to limit access and protect data as it traverses open networks like the Internet. To truly protect patient data, however, encryption must be used on all sensitive data no matter where it resides, at rest and in transit.

Healthcare organizations need to be especially cognizant of the fact that compliance does not equal security. To truly protect privacy and provide patient data security, a shift in mindset is required, meaning healthcare organizations need to adopt multiple layers of security, including internal segmentation to manage and mitigate the rising threat landscape.

Fortinet’s broad portfolio of solutions for healthcare can seamlessly extend network security to protect sensitive data and resources, comply with regulations and standards such as HIPAA and PCI, and enable secure care delivery for the entire fabric of your infrastructure. A partner of Fortinet, Resilient Intelligent Networks can  help you create and deploy a strategy that’s right for your healthcare organizations.