As recent hacks show, keeping a healthcare organization safe from security threats takes planning, technical expertise, and business knowledge. Has your team taken these 10 steps?
Hire a CSO
Naming or hiring a C-level executive with security expertise to oversee physical and cyber security is a must for healthcare organizations. Adding security responsibilities to another executive's job description doesn't work: Security is too complex, too integral, and too fluid to be one of many tasks on a to-do list. Healthcare experience, while valuable, should not be the main priority. Executives knowledgeable in security will quickly pick up an organization's workflow, lingo, and criteria. It's much harder to glean security expertise on the job, experts say.
Smaller organizations without the infrastructure or resources to hire a CSO should consider outsourcing the job to a professional services firm that specializes in healthcare security. Make sure an attorney reviews the contract and that any prospective partner meets business associate requirements. Alternatively, organizations can hire a temporary CSO. These are security professionals with industry expertise who review the situation, create guidelines and roadmaps, and work for a contracted period, such as a year, said Brian Evans, senior managing consultant at IBM Security Services, in an interview last month.
Untie the CSO's hands
All too often, CSOs reside in a hellish land of tremendous responsibility for problems they're given little power to solve, said Mansur Hasib, a longtime healthcare chief information security officer (CISO) and author.
Frequently, organizations require the CSO to report to the CFO, a management structure that typically ensures cost -- not security -- rules decisions. CSOs should report to the CEO; otherwise, their authority is eroded.
Cover the basics
Take a corporate selfie
Before discovering what they need to do, healthcare organizations must take stock of everything they own and use. Data is now spread across a growing number of devices, which improves care but also increases the risk of data loss or misappropriation. Because many device purchases occur without IT's input, it's vital for security professionals to review the risks and find the appropriate protections.
Wearables, apps, the Internet of Things, robots, and other technologies improve care and reduce costs but generate privacy worries. The Internet of Things will infiltrate healthcare by 2020, Gartner predicts, with the entire market expected to add $1.9 billion in economic value. Healthcare, along with manufacturing, is leading adoption, the research firm said. Inventorying every tool -- and every vulnerability -- will only grow more challenging the longer healthcare organizations delay the process.
How many times have breaches made the Department of Health and Human Services' Wall of Shame because nobody encrypted laptops, IT failed to apply a patch, or users chose insecure passwords? Automated tools that address these and other easily anticipated weaknesses save IT time and add another layer of security.
Security cannot operate in a vacuum. Even the savviest CSO cannot know each department's ins and outs, so it's critical for security experts to regularly meet with healthcare users to discuss their pain points, wishes, and preferences.
Educated healthcare users become the CSO's biggest advocates, informing colleagues and subordinates about new technologies or processes and leading by example. For the price of some bagels or pizzas, security professionals can gather invaluable insight, build internal bonds, and simplify their jobs.
Build a culture
Organizations cannot successfully tack on security after the fact. The concept must be ingrained in each department and employee. Everyone in the organization must review prospective initiatives' risks versus benefits. Security should be a part of every project's conversation.
At the same time, security professionals must recognize that healthcare professionals view each extra step as time spent not treating patients. The most successful processes and products will be those that seamlessly integrate into workflows while protecting data.
Look to the G-men
After Community Health Systems was hacked, the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) pledged to continue efforts to educate healthcare organizations about potential threats. During the monthly HITRUST meeting, held a week after CHS's hack was published, FBI Supervisory Special Agent Michael Rosanova told attendees the agency wants to more quickly declassify information and work with industry executives to gain high-level classified clearance so they can better respond to threats.
"Maybe there are some things we need to do as an organization to get classified information into a usable method… and get it to the masses so they can do what they have to do," he said. "The partnership with us is emerging, and I'm very confident it'll grow into a very robust partnership between the FBI and the public healthcare sector. We're going to try our best of getting you that information in a timely fashion."
But healthcare organizations can't rely exclusively on federal sources for knowledge, he warned. "If there's an investigation ongoing and that's to do with national security and that information is classified, we're not going to be able to share. That's how we do business."
Learn from other industries
Healthcare is relatively new to digitization, and that means the industry can piggyback on lessons industries such as finance and retail learned the hard way. Because the government mandated widespread implementation of electronic health records and other tools, a security industry flourished to meet the flood of needs. By observing the sometimes-costly lessons Target and others suffered, healthcare organizations can eliminate costly and inefficient steps their peers on Wall Street and Main Street underwent.
In the process of vetting business associates' security and privacy processes and technologies, healthcare organizations should investigate partners' best practices and see whether any fit their workflows or models.
Healthcare organizations have embraced BYOD, with 81% implementing some form of BYOD, Ponemon found last year. But for a successful BYOD program, organizations must take precautions, including a mobility usage policy that details employee responsibilities, education, and penalties. Virtual desktop infrastructure (VDI) -- which keeps patient data off users' phones -- and mobile device management (MDM) software make it possible for IT to protect data assets and allow employees to securely use their preferred tablets or smartphones.
To combat the use of potentially harmful apps, CSOs should create an internal app store, replete with tested app choices for everything from work to entertainment.
The Internet of Things movement, the provision of free Wi-Fi to patients and their guests, and the adoption of tools such as secure messaging all mean wireless networks face a steadily increasing load -- and are more attractive to external and internal threats. Fortunately, there are plenty of tools and standards to help healthcare organizations secure these communication backbones.
Organizations should create automated procedures to keep devices and user accounts up to date; ensure ex-employees no longer have access to any networks, data, or equipment; and make sure no newly acquired device or system is left unprotected.