Healthcare // Security & Privacy
News
7/29/2014
03:30 PM

Healthcare Security: CSOs Needed

Too many healthcare environments cling to insecure legacy systems and lax accessibility standards. It's time to enact strong security leadership.

[Slideshow: Healthcare IT Cloud Safety: 5 Basics]

Facing potential HIPAA audits, some healthcare organizations are struggling to attain full-fledged security.

Until healthcare providers recognize and address their security weaknesses, they risk data loss, vulnerability to hacking, and HIPAA non-compliance. While some hospitals are expending the appropriate resources, experts say too many have yet to fully embrace the philosophy and culture of security necessary to protect patients, employees, and partners. Currently about 52% of healthcare organizations have a full-time resource for security, according to the 6th Annual HIMSS Security Survey. In terms of investment, 30% spent 1% to 3% of their budgets on IT security; 19% spent less than 1%, and another 19% spent between 4% and 6% of IT budget, the report found.

HIPAA mandates that healthcare organizations designate someone to formally oversee HIPAA compliance. But that individual is not necessarily a chief security officer or chief information security officer, cautioned Brian Evans, senior managing consultant at IBM Security Services, in an interview. It could be a nurse, an administrator, an IT executive, or even a combination of people who take on the role in addition to other responsibilities.

"I would say a majority [do], but I'd be hesitant to hedge on any kind of majority that may have someone who's designated," he said. "On paper they can say, 'We have somebody dedicated to the cause.' In reality they may not have the skillsets."


Rather than hire a dedicated CSO, some healthcare providers implement security "by committee." "There is nothing in the HIPAA security rule that says you cannot [do that]," said Evans. "It's more challenging to manage a security program and function by committee. I would say we still have a long way to go for the level of security maturity we need within healthcare."

Finding a CSO, however, can be challenging. Many providers want a CSO with prior healthcare experience. One of Evans' clients, for example, received many contenders with excellent security credentials but no industry knowledge. The client ultimately hired a CSO with less security know-how. "I advocated I could teach the healthcare experience much easier than I could teach them the security," Evans said. "Those candidates, quite frankly, were less qualified based on their security skills and experience -- but they had spent time in healthcare and that had been [the client's] true qualifier."

Physicians and other healthcare "end users" can be particular, and many are resistant to onerous security measures. But they are no different in that regard from other professionals, such as pilots, Evans pointed out. CSOs driven to help their new healthcare organization become more secure want to learn the terminology, workflow, and business processes, and they will do so in order to succeed.

Perhaps most importantly, CSOs bring order to the chaos of an unstructured, unmanaged approach to security. Without appropriate leadership or resources, hospitals cannot fully integrate security throughout the organization, conduct full risk assessments, or create a governance structure. Security processes must separate vulnerabilities and threats, Evans said, not lump them together. And healthcare organizations must follow stringent policies and methodologies.

Governance, risk, and compliance permeate every aspect of Health Care Service Corp. (HCSC), according to Ray Biondo, CISO of the insurance giant. "Every new technology we introduce, every old technology we retire, technologists have to follow. As a security organization -- we're more of a governance risk and compliance group -- we're the ones who make sure these processes are being followed," Biondo said in an interview earlier this year.

"We're also self-checking. We self-audit," he continued. "A lot of people don't understand what governance means. Governance means you're not only following the right controls put in place, but you have good solid oversight of how these processes are being followed. You're ensuring people are following processes you've put in place."

Without full-time security leadership, some hospitals can't correctly address even security basics such as encryption and passwords. Evans cited one example in which a hospital standardized on two-character passwords because a legacy application could not handle anything more complex, so the weakest system set the standard for the whole organization. The better approach: standardize on a stronger password policy, such as a minimum of eight characters including numbers and symbols, and create a documented exception for the legacy application alone.
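As an added example (not from the article or from IBM), the policy Evans describes expressed as a checker: the organization-wide baseline of at least eight characters with numbers and symbols, plus an exception register in which the legacy application is recorded with a compensating control and a review date rather than being allowed to lower everyone's standard. The application name, the register and its fields are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Baseline from the article: at least eight characters including numbers and
# symbols. Assumption: that means at least one digit and one non-alphanumeric.
MIN_LENGTH = 8


@dataclass
class LegacyException:
    """One documented exception for a legacy application (hypothetical fields)."""
    app: str
    max_supported_length: int   # the most the legacy software can accept
    compensating_control: str   # what limits the risk while the app lives on
    review_date: str            # when the exception must be re-approved


# Constructed exception register: the two-character legacy app from the article
# gets an entry with a compensating control, instead of dragging the whole
# organization's standard down to two characters.
EXCEPTIONS = {
    "legacy-lab-system": LegacyException(
        app="legacy-lab-system",
        max_supported_length=2,
        compensating_control="isolated VLAN; reached only via an MFA-protected jump host",
        review_date="2015-01-31",
    ),
}


def check_password(password: str, app: str = "default") -> dict:
    """Judge a password against the baseline, or against the app's registered exception."""
    exc = EXCEPTIONS.get(app)
    problems = []
    if exc is None:
        # Normal path: the organization-wide standard applies.
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if not re.search(r"\d", password):
            problems.append("no digit")
        if not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no symbol")
        exception = None
    else:
        # Exception path: require the most the legacy app can store and surface
        # the compensating control and review date so the gap stays visible.
        if len(password) < exc.max_supported_length:
            problems.append(f"shorter than the {exc.max_supported_length} the app supports")
        exception = {"control": exc.compensating_control, "review": exc.review_date}
    return {"app": app, "compliant": not problems, "problems": problems, "exception": exception}
```

Running the checker over an access review makes the legacy exception, and its review date, show up in every report instead of disappearing into an organization-wide two-character rule.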

Of course, CIOs help protect hospitals, but their focus often centers on how technology can enhance operations in areas such as improving patient care, streamlining communications, or increasing bill collection. CSOs, however, address all areas of security, including physical safeguards and even old-fashioned media like paper.

"When we think of data breaches and security law, the first thing that comes to mind is someone hacking into a computer network or stealing a laptop -- but we all [still] have paper," Jennifer Christianson, a shareholder who specializes in healthcare law at Carlton Fields Jorden Burt, pointed out. "You have to think of physical security -- basic things like where printers are located, what kinds of computers you have, who has access internally at your company to sensitive information. People need to reexamine not just security for networks and computers, but physical security."


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
Alison_Diana (User Rank: Author), 7/31/2014 | 11:33:39 AM
Re: the future
Actually, a lot of studies indicate internal threats are more dangerous than hackers. Whether they're simply making mistakes (like sending PHI in unencrypted ways or leaving unsecured laptops where they can be stolen) or disgruntled and malicious, employees cause most data losses and breaches. Hackers get the headlines and have the potential to do untold amounts of damage if they crack the databases of hospitals, insurers, or government agencies like Medicare. CSOs and their teams have to protect against all forms!
Alison_Diana (User Rank: Author), 7/31/2014 | 11:31:09 AM
Re: Meanwhile down here in the real world
Sure, every job posting has a long list of ideal specifications, but you'd certainly hope the Chief Security Officer would be very strong and knowledgeable in security. If s/he is also knowledgeable in healthcare, well, that's great -- but undoubtedly, that exec also will demand a higher salary than a similar pro without healthcare expertise. We all start in any industry without much knowledge but we learn the terms, the slang, and everything else that makes one business different from another. A CSO -- a good CSO -- is driven hard to do just that. Thinking a CSO without healthcare experience will fail is extremely shortsighted. Knowing security is much more important than knowing the vertical, whichever vertical you're talking about, no matter how 'different' a board thinks it is.
SachinEE (User Rank: Ninja), 7/30/2014 | 12:38:42 PM
Re: the future
According to where the future is leading us, I think health care centers should already be working on how to improve their I.T. security issues. Hacking may be the greatest threat as far as data security is concerned, but there is always something that can be done about this. I am just scared for them because if they cannot assure the public about their security now, when will they do it, because some organizations are not threatened at all by hackers and insecurity issues. They can borrow ideas, I think.
CSPANJNKY (User Rank: Apprentice), 7/30/2014 | 10:42:48 AM
From 1966 on...
https://www.youtube.com/watch?v=rRkGTNnEHk0 Watch Dr. Peel's TED presentation if you want to learn the enormity of the problem.

CSPANJNKY (User Rank: Apprentice), 7/30/2014 | 10:34:36 AM
Our Health Records already in Hands of WHO KNOWS WHO!
http://patientprivacyrights.org/ Dr. Peel's TED presentation is a good place to start if you want to see what federalizing our Health Care records has spawned.

https://www.youtube.com/watch?v=rRkGTNnEHk0 I so wish Information Week would report on Dr. Peel's talk instead of dancing around the edges.

asksqn (User Rank: Ninja), 7/29/2014 | 6:04:41 PM
Meanwhile down here in the real world
The most idiotic requirement is that experienced security personnel also have experience in healthcare. Note to HR staff: Ain't gonna happen! In fact, the very definition of a purple squirrel is the "perfect" candidate who has the requisite dozen-plus years of work history that blends a wishlist of idealized employment history compiled by the largely clueless HR department and/or Administrator/D.O.N. Until hospitals realize that RNs and other medical personnel won't also be I.T. security pros, the data breaches/HIPAA violations will continue.