Data security and compliance are birds of a feather in the health care sector. The former broadly addresses the safeguarding of electronic health records and other protected health information (PHI). The latter specifies technical guidelines to achieve the end goal. Shirk elements of either, and you risk significant loss – if not in the form of reputational damage, class action lawsuits and operational disruptions, then in regulatory fines. Under the Health Insurance Portability and Accountability Act, for example, penalties for a single violation can reach $50,000, and cap out at $1.5 million annually.
Taken as a whole, then, data security and compliance are essentially different components of a single concept, which is the risk-based approach to cybersecurity. The question, of course, is how do you merge the management of data security and compliance?
The answer is through a security operation center.
Refining security controls
A SOC is essentially an organization’s way of implementing, managing and updating security controls according to current needs. When viewed from this perspective, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) can fall under the umbrella of those “needs.” Thus, in theory, a SOC should be accountable for building out the security controls for maintaining compliance. That, of course, brings us to the next question: How does a SOC do this?
To fully answer this question, first consider just some of the basic technical safeguards required or addressable under HIPAA:
- Access control: Assign each user a unique username and PIN so that activity can be traced to an identity, both for routine use and for emergency-access procedures.
- Authentication: Users must be authenticated to verify their identities.
- Encryption (addressable): Mechanisms to encrypt and decrypt PHI, whether at rest or in transit.
- Audit controls: The implementation of hardware, software and procedural policies that “record and examine activity in information systems” containing PHI.
Health care institutions must also be compliant with HITECH, which requires the digitization of PHI and the subsequent sharing of this information with doctors and patients alike. This data must be stored and transmitted between patients, doctors and third-party vendors securely. In the event of a breach, HITECH requires any patient whose PHI may have been affected to be notified, even if no harm is expected to come of the intrusion.
Where SOC-as-a-Service comes into the picture
To reiterate, the purpose of a SOC is to oversee the entirety of a cybersecurity strategy. In health care, compliance is an integral component of that strategy, which means that, to an extent, compliance falls under the SOC’s purview. Security teams, for instance, are responsible for ensuring that proper authentication is deployed and that user account controls are strong.
More importantly, the aforementioned “audit controls” function requires the constant recording and examination of activity that takes place within IT systems housing PHI. For anyone familiar with security information and event management (SIEM), this should ring a bell. The purpose of SIEM is to analyze all network activity so as to identify threatening behavior; put differently, it audits the network. Apply this threat detection capability across a health care institution’s sensitive IT systems, and you’ve effectively laid the groundwork for complying with the audit controls measures under HIPAA.
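As an added illustration of what “recording and examining activity” in a PHI system looks like in practice (example code written for this article, not any vendor’s or SIEM product’s logic), the snippet below parses a constructed PHI access audit log and flags the kinds of activity a SOC analyst would review: after-hours access, bulk record exports, and many distinct patient records touched in a short window. The log format, user names, patient ids and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of PHI access audit records (not taken from any real system).
# Each line: ISO timestamp, user id, action, patient record id.
SAMPLE_LOG = """\
2024-03-04T09:12:01 nurse.ali VIEW P1001
2024-03-04T09:15:44 nurse.ali VIEW P1002
2024-03-04T02:41:10 dr.chen VIEW P2001
2024-03-04T02:41:12 dr.chen VIEW P2002
2024-03-04T02:41:15 dr.chen VIEW P2003
2024-03-04T02:41:19 dr.chen VIEW P2004
2024-03-04T11:05:09 admin.raj EXPORT P3001
not an audit record, should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (VIEW|UPDATE|EXPORT) (P\d+)$")

def parse_log(text):
    """Parse audit lines into (timestamp, user, action, patient); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, patient = m.groups()
            records.append((datetime.fromisoformat(ts), user, action, patient))
    return records

def audit_findings(records, hours=(7, 19), bulk_threshold=4, window_s=300):
    """Return {user: set(flags)} for activity a SOC analyst should review."""
    flags = defaultdict(set)
    per_user = defaultdict(list)
    for ts, user, action, patient in records:
        if action == "EXPORT":
            flags[user].add("export")        # PHI leaving the system in bulk
        if not hours[0] <= ts.hour < hours[1]:
            flags[user].add("after_hours")   # access outside business hours
        per_user[user].append((ts, patient))
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct patient records touched within window_s seconds of this event
            touched = {p for t, p in events[i:] if (t - start).total_seconds() <= window_s}
            if len(touched) >= bulk_threshold:
                flags[user].add("bulk_access")  # possible record harvesting
                break
    return dict(flags)
```

Running `audit_findings(parse_log(SAMPLE_LOG))` on the sample flags `dr.chen` for after-hours and bulk access and `admin.raj` for the export, while `nurse.ali` produces no findings; the retained records themselves are what satisfies the “record” half of the audit control, and the findings feed the “examine” half.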
The only problem with SIEM – and SOC to an extent – is the amount of time, money and expertise needed to manage, operate and maintain it. At the same time, the opportunity to simultaneously manage network security and compliance seems too good to pass up.
This is where SOC-as-a-Service comes into the picture. Rather than implementing the hardware and software needed to run a SOC, and then staffing security engineers 24/7/365 to manage it, health care organizations now have the option of partnering with cybersecurity vendors that can do the heavy lifting. The key benefits of a SOC – threat detection, incident response, threat intelligence analysis, and of course compliance management – are realized with significantly less overhead.
Security engineers handle all of the above, while acting as consultants who can recommend controls to maintain compliance and improve overall cybersecurity.
In other words, it’s a full cybersecurity package.