Hospital Executives Need to Develop Their Own Cybersecurity Vision
Healthcare organizations remain large targets for cyber criminals, and leaders must think beyond compliance to stay secure.
By: Cliff Kittle
In our work with hospitals, we see the same cybersecurity issues again and again. Most hospitals have one primary cybersecurity goal, HIPAA compliance, but HIPAA's requirements do not by themselves adequately secure a network. Many of the healthcare organizations we talk with believe that once they are compliant they are secure. The numerous highly publicized breaches that have compromised millions of patient records, and the spate of ransomware attacks that have encrypted files so they cannot be accessed, have made it clear to many organizations that compliance is not enough. Healthcare publications, seminars and information security webinars have all carried the same message: compliance alone does not ensure the security of electronic Protected Health Information (ePHI). Compliance is only a baseline. Security, not compliance, should be the goal; when a network is actually secured, compliance follows with little additional effort.
Responsibility for security rests with hospital executives, and they must develop a vision of security for their own operating environment. That vision should give staff a clear understanding of the hospital's security goal and should emphasize that each staff member's individual actions contribute to attaining and maintaining security. The vision must be stated, documented and enforced.
If protecting documents and patient data is part of your vision, you'll need to take the following actions:
- Change the organization's security objective from compliance to security.
- Confirm with your security team that your own staff, or the cybersecurity company you work with, has the skills to handle current threats.
- Make sure your staff understands the vulnerabilities in both your existing technologies and the new technologies being introduced to meet the industry's stated mission of "Improved Patient Outcome."
- Make security part of the organization's culture and ensure that it is baked into business processes.
To achieve your vision, you will need to establish objectives and an action plan. The plan should include a timeline; a list of the necessary resources, meaning people, skills and technologies (security controls, policies and procedures); and incentives to encourage cooperation among employees. Improving your state of security starts with understanding its current level, which is established by conducting a security assessment. That assessment should identify where your most critical data is maintained, who is using that data, how it is being used, how and in what format it is transmitted to users, and where vulnerabilities exist. You can then estimate the probability of those vulnerabilities being exploited and select the security controls needed to reduce that probability to an acceptable level of risk. Given the global shortage of skilled security personnel, an independent security consultant may be the best person to help you identify which data is most exposed to attack and which risks could cause the greatest loss to your business.
The healthcare industry's operating environment involves sharing digital information very broadly, among doctors, hospitals, nurses, pharmacists and others, and this requires a macro approach to security. You must look at your entire network, not just the systems that hold ePHI, to understand what is needed to secure it.
Without a security vision and a plan for achieving it, an organization will operate in a state of chaos when it tries to meet its obligations for the confidentiality, integrity and availability of critical patient records. A vision alone will not make you secure, but it will start your organization in the right direction.