10 Ways To Strengthen Healthcare Security
As recent hacks show, keeping a healthcare organization safe from security threats takes planning, technical expertise, and business knowledge. Has your team taken these 10 steps?
![](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt1dd082e848a10160/64cb58331b69ce3b7026099b/castles-252233_640.jpg?width=700&auto=webp&quality=80&disable=upscale)
In the wake of the Community Health Systems breach and FBI warnings about healthcare organizations' vulnerability, security has advanced to the top of many industry executives' to-do lists.
Real safeguards and policy implementations, however, speak louder than any number of crisis meetings. Securing any healthcare organization -- from a solo practice to multi-location hospital systems -- takes measured planning, technical expertise, and business knowledge. It's the only way security professionals can balance their quest for impenetrable devices and software against medical users' demand for easy, accessible data and tools.
"New regulations tied to the Affordable Care Act are now in effect regarding protected health information and electronic health records, which only underscores the need for data security to ensure privacy among patients," said Fred Chang, director of Darwin Deason Institute for Cyber Security, and Bobby B. Lyle, Endowed Centennial Distinguished Chair in Cyber Security at the Lyle School of Engineering at Southern Methodist University, in a statement. "Cyberspace can be a pretty bad neighborhood, with too few barriers standing between hackers and their targets. Healthcare providers recognize that data security is of vital importance to their business."
Healthcare organizations are particularly vulnerable. They house both personal health and payment information, plus intellectual property -- all lucrative targets for hackers. But most employees want to heal people, not become technologists, and might view technology protections as healthcare speed bumps. As providers, payers, employees, patients, and partners become increasingly intertwined through shared data, transparency, and analytics, the opportunities for loss, error, or theft grow exponentially.
Within healthcare, 46% of all breaches occurred via theft or loss, while insider abuse caused 15% of incidents, and point-of-sale intrusion generated 9% of events, according to the "2014 Data Breach Investigations Report" from Verizon. Compared to other verticals, healthcare had the highest percentage of incidents from theft or loss, the study found, suggesting room for improvement.
Healthcare also performed poorly in "miscellaneous errors," a hodgepodge category of misidentified emails and faxes or neglected software patches, the Verizon study found. But employees don't deserve all the blame. Outsiders -- such as business associates, contractors, and suppliers -- accounted for 68% of the top 10 miscellaneous errors.
Education and regular checks and balances decrease the frequency of incidents. Technologies such as data-loss-prevention software monitor emails and faxes, while mandating that IT alone disposes of equipment helps ensure fewer data-laden devices end up marked for recycling, eBay, or the trash.
Policies are critical to ensuring that an organization's security message permeates departments and shifts. It is one reason a growing number of healthcare organizations are hiring chief security officers (CSOs) or chief information security officers (CISOs) to oversee and govern all areas of protection.
These technology professionals play an important role; security knowledge is vital, but they also require business expertise in healthcare, said Prof. Amit Basu, Carr P. Collins Chair in MIS and chairman of the ITOM Department at the Cox School of Business at Southern Methodist University. Partnering with HITRUST, the school developed a weeklong Healthcare Information Security and Technology Risk Management Graduate Certificate Program for upper and middle managers, he told InformationWeek.
"We do find that a number of healthcare organizations appoint people... whose training has been primarily in the domain role of healthcare or healthcare management and perhaps not as much the information security or security management roles. The goal of the program is not directly to influence hiring practices or priorities," Basu said. "[This program] will enable these folks who are primarily technology professionals to get an appreciation for management challenges, and perhaps this will increase the comfort of senior execs who are choosing professionals to fill these [C-level] roles."
With appropriate resources at their disposal, healthcare security professionals can expand their existing policies and technologies. What follows are the top 10 security improvements we believe healthcare must make if it is to withstand the growing threat of data theft.
Naming or hiring a C-level executive with security expertise to oversee their physical and cyber security is a must for healthcare organizations. Adding security responsibilities to another executive's job description doesn't work: Security is too complex, too integral, and too fluid to be one of many tasks on a to-do list. Healthcare experience, while valuable, should not be the main priority. Executives knowledgeable in security will quickly pick up an organization's workflow, lingo, and criteria. It's much harder to glean security expertise on the job, experts say.
Smaller organizations without the infrastructure or resources to hire a CSO should consider outsourcing the job to a professional services firm that specializes in healthcare security. Make sure an attorney reviews the contract and that any prospective partner meets business associate requirements. Alternatively, organizations can hire a temporary CSO. These are security professionals with industry expertise who review the situation, create guidelines and roadmaps, and work for a contracted period, such as a year, said Brian Evans, senior managing consultant at IBM Security Services, in an interview last month.
All too often, CSOs reside in a hellish land of tremendous responsibility for problems they're given little power to solve, said Mansur Hasib, a longtime healthcare chief information security officer (CISO) and author.
Frequently, organizations require the CSO to report to the CFO, a management structure that typically ensures cost -- not security -- rules decisions. CSOs should report to the CEO; otherwise, their authority is eroded.
Before deciding what they need to do, healthcare organizations must take stock of everything they own and use. Data is now spread across a growing number of devices, which improves care but also increases the risk of data loss or misappropriation. Because many device purchases occur without IT's input, it's vital for security professionals to review the risks and find the appropriate protections.
Wearables, apps, the Internet of Things, robots, and other technologies improve care and reduce costs but generate privacy worries. The Internet of Things will infiltrate healthcare by 2020, Gartner predicts, with the entire market expected to add $1.9 trillion in economic value. Healthcare, along with manufacturing, is leading adoption, the research firm said. Inventorying every tool -- and every vulnerability -- will only grow more challenging the longer healthcare organizations delay the process.
How many times have breaches made the Department of Health and Human Services' Wall of Shame because nobody encrypted laptops, IT failed to add a patch, or users chose insecure passwords? Automated tools that address these and other easily anticipated weaknesses save IT time and add another layer of security.
Security cannot operate in a vacuum. Even the savviest CSO cannot know each department's ins and outs, so it's critical for security experts to regularly meet with healthcare users to discuss their pain points, wishes, and preferences.
Educated healthcare users become the CSO's biggest advocates, informing colleagues and subordinates about new technologies or processes and leading by example. For the price of some bagels or pizzas, security professionals can gather invaluable insight, build internal bonds, and simplify their jobs.
Organizations cannot successfully tack on security. The concept must be engrained in each department and employee. Everyone in the organization must review prospective initiatives' risks versus benefits. Security should be a part of every project's conversation.
At the same time, security professionals must recognize that healthcare professionals view each extra step as time spent not treating patients. The most successful processes and products will be those that seamlessly integrate into workflows while protecting data.
Healthcare is relatively new to digitization, and that means the industry can piggyback on lessons industries such as finance and retail learned the hard way. Because the government mandated widespread implementation of electronic health records and other tools, a security industry flourished to meet the flood of needs. By observing the sometimes-costly lessons Target and others suffered, healthcare organizations can eliminate costly and inefficient steps their peers on Wall Street and Main Street underwent.
In the process of vetting business associates' security and privacy processes and technologies, healthcare organizations should investigate partners' best practices and see whether any fit their workflows or models.
Healthcare organizations have embraced BYOD, with 81% implementing some form of BYOD, Ponemon found last year. But for a successful BYOD program, organizations must take precautions, including a mobility usage policy that details employee responsibilities, education, and penalties. Virtual desktop infrastructure (VDI) -- which keeps patient data off users' phones -- and mobile device management (MDM) software make it possible for IT to protect data assets and allow employees to securely use their preferred tablets or smartphones.
To combat the use of potentially harmful apps, CSOs should create an internal app store, replete with tested app choices for everything from work to entertainment.
The Internet of Things movement, provision of free WiFi to patients and their guests, and the adoption of tools such as secure messaging all mean wireless networks face a steadily increasing load -- and are more attractive to external and internal threats. Fortunately, there are plenty of tools and standards to help healthcare organizations secure these communication backbones.
Organizations should create automated procedures to update devices and users; ensure ex-employees no longer have access to any networks, data, or equipment; and make sure no new acquisitions are left unprotected.
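The offboarding check above is the kind of procedure that is easy to describe and easy to let slip: an account disabled in e-mail but still enabled on the VPN is a common leftover. Below is an added example, not from the article, of a leaver reconciliation a security team can run on a schedule. It assumes two exports that are usually obtainable, an HR roster and per-system account lists, and all names, systems, and dates in it are constructed for illustration.

```python
"""Leaver reconciliation: find enabled accounts that should have been disabled.

Added example (not from the article). Assumes an HR roster export and
per-system account exports; the data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Worker:
    employee_id: str
    email: str
    status: str                  # "active" or "terminated"
    end_date: Optional[date]     # last working day when terminated


@dataclass(frozen=True)
class Account:
    system: str                  # e.g. "ehr", "vpn", "email"
    username: str                # typically an e-mail address or login name
    employee_id: Optional[str]   # None when the system has no HR linkage
    enabled: bool
    last_login: Optional[date]


# Constructed HR roster (assumed export format).
ROSTER = [
    Worker("E100", "a.nurse@hospital.example", "active", None),
    Worker("E101", "b.doc@hospital.example", "terminated", date(2014, 8, 1)),
    Worker("E102", "c.admin@hospital.example", "active", None),
]

# Constructed account exports from three systems.
ACCOUNTS = [
    Account("ehr", "A.Nurse@hospital.example", "E100", True, date(2014, 9, 14)),
    # Terminated on 2014-08-01 but still enabled on the VPN and used afterwards.
    Account("vpn", "b.doc@hospital.example", "E101", True, date(2014, 8, 20)),
    # Same leaver, correctly disabled in e-mail: not a finding.
    Account("email", "b.doc@hospital.example", "E101", False, date(2014, 7, 30)),
    # Contractor account with no HR owner at all.
    Account("ehr", "contractor7@vendor.example", None, True, date(2014, 2, 1)),
    # Active employee, but the VPN account has not been used for months.
    Account("vpn", "c.admin@hospital.example", "E102", True, date(2014, 3, 1)),
]

TODAY = date(2014, 9, 15)   # fixed "today" so the example is reproducible


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive match: exports rarely agree on case."""
    return name.strip().lower()


def find_leaver_accounts(roster, accounts):
    """Enabled accounts whose owner is terminated or has no HR record.

    Returns (account, reason) pairs; reason is one of
    "no-owner", "terminated", or "used-after-termination".
    """
    by_id = {w.employee_id: w for w in roster}
    by_email = {_norm(w.email): w for w in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        # Prefer the HR identifier; fall back to matching the login name.
        owner = by_id.get(acct.employee_id) or by_email.get(_norm(acct.username))
        if owner is None:
            findings.append((acct, "no-owner"))
        elif owner.status == "terminated":
            reason = "terminated"
            if (acct.last_login is not None and owner.end_date is not None
                    and acct.last_login > owner.end_date):
                reason = "used-after-termination"
            findings.append((acct, reason))
    return findings


def find_dormant_accounts(accounts, today=TODAY, max_idle_days=90):
    """Enabled accounts with no login inside the idle window (or never)."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a for a in accounts
            if a.enabled and (a.last_login is None or a.last_login < cutoff)]


def run_audit(roster=ROSTER, accounts=ACCOUNTS, today=TODAY):
    """Bundle both checks so a scheduled job can act on one result."""
    return {
        "leavers": [(a.system, a.username, r) for a, r in find_leaver_accounts(roster, accounts)],
        "dormant": [(a.system, a.username) for a in find_dormant_accounts(accounts, today)],
    }


if __name__ == "__main__":
    for key, rows in run_audit().items():
        print(key)
        for row in rows:
            print("  ", *row)
```

Two design points: the reconciliation matches on the HR identifier first and only then on the normalized login name, because login-name matching alone misses renamed accounts; and an account used after its owner's last working day is flagged separately from a merely still-enabled one, since the former is an incident to investigate rather than a cleanup item. Dormant active-employee accounts are reported as well, because a VPN account nobody uses is an attack surface with no one watching it.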