Protecting Software Assets a Continual Process

Posted On:

By Adam Cunningham, Senior Technical Consultant, Change Healthcare and Darold Gutierrez, Senior Business Systems Analyst, Change Healthcare
Protecting Home Care Software Assets

Adequately protecting your organization’s software takes a multi-pronged approach of both passive and active measures. Keys include making the software an unattractive target of cyberthieves, difficult to obtain, and hard to access. Monitoring helps identify potentially concerning patterns of activity and allows you to take measures more quickly in case of a breach.

Change Healthcare’s home care and hospice solutions include a protected health information (PHI) retrieval feature that removes admissions from field devices that are not assigned to a user, according to organizational rules.

This feature helps reduce PHI exposure by limiting cases downloaded on field devices to only what is needed to support production operations. It also increases productivity through faster transfer speeds and improves data integrity by reducing the chance of documenting on the wrong case.

Here are other ways you can help safeguard your home care organization’s software.

Mount a good defense

To help prevent an accidental or intentional breach, you first must have a strong firewall. You also should review a system’s audit logs to determine whether a device or a system is being attacked.

Second, you need anti-virus and anti-malware programs. Keep the security level turned up, but there certainly will be exclusions you must consider. Exclude only what is necessary, and then test the exclusions or non-exclusions to help ensure the anti-virus and anti-malware programs are working as you intended. If the solution you’ve chosen offers an audit mode, use that first so you don’t accidentally delete something that’s needed.

A good defense includes the users. Set password expirations that make sense, using guidelines from the National Institute of Standards and Technology (NIST). Keep users out of key apps such as RegEdit, but know that disabling right click is not as helpful. For install elevation, be sure to keep a local admin log-in.

Finally, make sure all your software is patched on a continuing basis. Use WSUS (Windows Server Update Services) to select and distribute patches you approve, and set critical security patches to automatically apply. Keep up to date with non-Microsoft tools too (ex: Change Healthcare apps).

Establish audit trails, then check them

Admittedly, poring over audit logs can seem a tedious and unnecessary task—until you spot an anomaly.

Your first task is to set up an audit trail. Check with the home health and hospice regulatory agency in your state to see whether there are policies regarding the detail required of an audit trail and how long you should keep it.

The second step is just as important, but it’s often overlooked. Once you have an audit trail, use it to spot anything out of the ordinary. Here are five scenarios to check:

  1. Did any users look at two standard deviations more data than normal during a time period?
  2. Did a user’s audit trail show access to a patient for whom the user should not have access?
  3. Did a user change sensitive settings to which she should not have access?
  4. Find out if any devices are reporting consistent security breach attempts, such as failed logins and firewall traverse attempts
  5. Check network logs to note any odd traffic patterns. (Example: Last week a clinician who never does anything but surf social media suddenly uploads 50GB of data over a secure SSL Web connection.)

On a macro level, determine which people have rights to edit system settings and whether anyone without access edited anything. You also should know whether any user can disable auditing. Finally, find a third-party auditing tool and review event log data as it is collected.

Across industries, a single data breach costs an average of $4 million to mitigate, so protecting your organization’s technology assets is crucial to the success of your agency. If you’re unsure of how to proceed, a security consultant can help put you on the path to compliance.

The information provided in this Change Healthcare site is provided to you for informational purposes only. The materials are general in nature, are not offered to you as advice on a particular matter, and should not be relied on as such. Use of this website does not constitute a legal contract or consulting relationship between Change Healthcare and you.

Leave a Reply

Your email address will not be published. Required fields are marked *