The healthcare industry is shifting its focus to personalized preventive care, and an increasing number of patients expect healthcare to be delivered as a service. Healthcare providers are meeting these expectations by building out their digital ecosystems, with around 60% of them having made this a top priority. As a result, the volume of Protected Health Information (PHI) and Personally Identifiable Information (PII) held in the cloud has proliferated, bringing innumerable cybersecurity challenges with it. For instance, the WannaCry ransomware attacks on healthcare institutions resulted in hundreds of millions of dollars in losses.
Compliance requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) have sharpened the focus of CISOs and Privacy Officers on protecting PHI and PII. In practice, healthcare organizations find it difficult to protect patient data because there is no single source of truth for personal data across the cloud ecosystem. The proliferation of IoT and mobile devices in healthcare has increased the attack surface several fold. The rise of highly innovative and sophisticated fraudsters, combined with a shortage of skilled talent to counter new types of attacks, has amplified the challenge of ensuring a secure digital ecosystem.
Healthcare companies must ensure the secure storage and use of sensitive patient data. Added to this are the complexities of multiple cloud systems interconnecting within the healthcare ecosystem and the advanced threats targeting them. The compliance requirements are numerous: HIPAA, HITECH, FDA regulations, GDPR, CCPA and PCI DSS, to name just a few. Given these overlapping requirements, it is best to adopt Wipro’s Common Control Framework, which incorporates the various regulations and standards governing the healthcare industry. We use a risk-based approach to select the appropriate controls for each business need, since blanket enforcement of every control would be cost prohibitive.
Wipro’s Cloud Security Compliance Assurance Program provides a holistic approach to cloud risk assessment. It applies an effective strategy for treating and mitigating risk, using Wipro’s Common Control Framework and industry best practices to make recommendations and implement appropriate controls. The service is delivered through our Cyber Defense Platform, which uses a top-down, questionnaire-based threat assessment method that draws on the MITRE ATT&CK framework, SANS threat vectors and the SANS Top 20 Critical Security Controls. The platform also uses best-of-breed technologies such as QualysGuard for vulnerability assessment and provides a real-time view of regulatory compliance posture and of the efficacy of the controls adopted. We provide quantified, predictive risk figures obtained by Monte Carlo simulation of the business criticality and associated risks of each asset, together with qualitative risk inputs at the organization, control and asset levels.
The continuous compliance process can be automated with appropriate tools such as RSA Archer or MetricStream. These tools perform complex multi-object validations, provide comparisons against appropriate benchmarks, lay out an actionable path to improvement and prioritize the remediation process.
Continuous Compliance - A Holistic Approach