- July 9, 2020
- Posted by: Pat Riot
- Categories: CyberSecurity, Healthcare, Security Operations
When we think of insurance, we think of a pool of individuals who put their money together so that, if the time comes, each of them will have help paying for the expenses. Virtually everyone has health insurance. Health insurance isn’t something we collectively use daily, yet a good-sized portion of every paycheck goes towards it. And if, God forbid, a day comes when you need to use your health insurance, you are still required to meet a premium. So even though you are proactively paying for something, the insurance companies are reactively paying out portions and leaving you with the rest.
Cybersecurity could arguably be considered an insurance policy. Some businesses are even required to have cyber liability insurance. However, if you are going to consider managed security services a form of insurance, it needs to be understood that, unlike any other type of insurance, it is an entirely proactive one. What does a proactive form of insurance look like? A traditional insurance policy takes monthly payments that are heavy in comparison to the coverage, waits until something bad happens, looks over the case or does an investigation of sorts, and then writes out the amount it will cover in its summary of benefits & coverage. Managed security services instead take an equitable monthly payment, especially regarding the coverage.
Being proactive means that once the software is installed and deployed, a baseline will be gathered. Once the software understands the baseline, it begins learning and predicting from that point forward. If you were to stumble upon a site you were not supposed to be at, a flag would be triggered in the system and you would be alerted with a warning. If the bad site were to try anything, the software is smart enough and efficient enough to trap and neutralize it and to alert our security team to the instance.
In managed security, your monthly payment goes toward actively looking for new threats, vulnerabilities, and any kind of suspicious activity within your network and devices. From your cell phone to your desktop, from your laptop to your tablet, every device that is connected to your network could compromise it. That statement isn’t meant to scare anyone, but simply to show the potential vulnerabilities that could be present on a rudimentary network. Even a relatively advanced network could be at risk if the data stored on it were valuable enough to an individual who wanted it badly enough. Managed security services reduce the likelihood of an attack happening in the first place. By utilizing a Security Operations Center (SOC) in your security portfolio, your compliance needs are met and you no longer have to worry about an audit; in addition, your network is watched by artificially intelligent, machine learning software, and that software is piloted by a team of highly specialized security engineers. With a security posture as robust as that, you might expect to pay an arm and a leg. But you don’t.
With managed security there are three primary reasons that a consumer comes out on top. The first is simply the level of security that you receive. Endpoint protection, Managed Detection & Response, a Security Operations Center, simplified compliance, quarterly penetration tests, security assessments, vulnerability scans and a lot of other ‘cyber terms’ truly do make a difference in the accountability and resilience of your network and, ultimately, the security of your patients’ data. So, what does a Security Operations Center do? Well, under the HIPAA and HITECH acts, there are eight basic administrative, physical and technical safeguards that are required:
|Safeguard|What it requires|
|---|---|
|Conducting risk assessments (must be done at regular intervals)|Identifies every area in which ePHI is used and determines all the ways a breach could occur.|
|Implement a means of access control|Assign a centrally controlled username and password to each user, and also govern the release/disclosure of ePHI.|
|Introduce Risk Management Policy|A sanctions policy must be introduced for employees who fail to comply with the HIPAA regulations.|
|Introduce Activity Logs and Audit Controls|Audit controls require attempted access to ePHI to be registered and recorded once it has been accessed.|
|Develop Contingency Plan|In an emergency, critical business must continue and the integrity of ePHI must remain intact.|
|Restricting Third Party Access|ePHI must not be accessible to unauthorized parent organizations, subcontractors, or other business partners.|
|Policies for the use/positioning of workstations|Limiting the accessibility, visibility, and usability of workstations storing ePHI is required by HIPAA.|
|Policies and Procedures for Mobile Devices|If a user is allowed access to ePHI on their personal device, ePHI must be removed from the device before selling the device or leaving with the phone.|
At Steel Patriot Partners we address every single one of the required and addressable safeguards in order to be beyond fully compliant. Compliance is one of the single biggest issues that is immediately addressed when you add a SOC to your security team. The SOC is responsible for the authentication of users and for security information and event management (SIEM). It implements access controls, issues usernames and keeps up with passwords. A SOC is responsible for the encryption of ePHI to maintain its integrity and stay within compliance. And it monitors your networks 24x7x365. As you can see, just adding a Security Operations Center to the team immediately addresses a majority of your compliance needs.
So how does it all become economical? Well, if you have an in-house IT team, it takes a massive amount of resources (time, money, people, hardware, and software). However, if you outsource, even as a secondary source, the cost in resources decreases dramatically. This is known as SOC-as-a-service. When a Security Operations Center becomes an outsourced commodity, a business is no longer responsible for the initial setup and costs of a security team. Instead, it only pays for the service an in-house team would provide. The key savings come in the form of the services you receive. Specifically, threat detection, incident response, user behavior analytics, intelligence analysis, and of course user education all become readily available with dramatically less overhead.