10 Ways To Strengthen Healthcare Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Healthcare // Security & Privacy
News
8/26/2014
10:06 AM
Alison Diana
Alison Diana
Slideshows
50%
50%

10 Ways To Strengthen Healthcare Security

As recent hacks show, keeping a healthcare organization safe from security threats takes planning, technical expertise, and business knowledge. Has your team taken these 10 steps?
Previous
1 of 11
Next

In the wake of the Community Health Systems breach and FBI warnings about healthcare organizations' vulnerability, security has advanced to the top of many industry executives' to-do lists.

Real safeguards and policy implementations, however, speak louder than any number of crisis meetings. Securing any healthcare organization -- from a solo practice to multi-location hospital systems -- takes measured planning, technical expertise, and business knowledge. It's the only way security professionals can balance their quest for impenetrable devices and software against medical users' demand for easy, accessible data and tools.

"New regulations tied to the Affordable Care Act are now in effect regarding protected health information and electronic health records, which only underscores the need for data security to ensure privacy among patients," said Fred Chang, director of Darwin Deason Institute for Cyber Security, and Bobby B. Lyle, Endowed Centennial Distinguished Chair in Cyber Security at the Lyle School of Engineering at Southern Methodist University, in a statement. "Cyberspace can be a pretty bad neighborhood, with too few barriers standing between hackers and their targets. Healthcare providers recognize that data security is of vital importance to their business." 

Healthcare organizations are particularly vulnerable. They house both personal health and payment information, plus intellectual property -- all lucrative targets for hackers. But most employees want to heal people, not become technologists, and might view technology protections as healthcare speed bumps. As providers, payers, employees, patients, and partners become increasingly intertwined through shared data, transparency, and analytics, the opportunities for loss, error, or theft grow exponentially.

Within healthcare, 46% of all breaches occurred via theft or loss, while insider abuse caused 15% of incidents, and point-of-sale intrusion generated 9% of events, according to the "2014 Data Breach Investigations Report" from Verizon. Compared to other verticals, healthcare had the highest percentage of incidents from theft or loss, the study found, suggesting room for improvement.

Healthcare also performed poorly in "miscellaneous errors," a hodgepodge category of misidentified emails and faxes or neglected software patches, the Verizon study found. But employees don't deserve all the blame. Outsiders -- such as business associates, contractors, and suppliers -- accounted for 68% of the top 10 miscellaneous errors.

Education and regular checks and balances decrease the frequency of incidents. Technologies such as data-loss-prevention software monitor emails and faxes, while mandating that IT alone disposes of equipment helps ensure fewer data-laden devices end up marked for recycling, eBay, or the trash.

Policies are critical to ensuring that an organization's security message permeates departments and shifts. It is one reason a growing number of healthcare organizations are hiring chief security officers (CSOs) or chief information security officers (CISOs) to oversee and govern all areas of protection.  

These technology professionals play an important role; security knowledge is vital, but they also require business expertise in healthcare, said Prof. Amit Basu, Carr P. Collins Chair in MIS and chairman of the ITOM Department at the Cox School of Business at Southern Methodist University. Partnering with HITRUST, the school developed a weeklong Healthcare Information Security and Technology Risk Management Graduate Certificate Program for upper and middle managers, he told InformationWeek.

"We do find that a number of healthcare organizations appoint people... whose training has been primarily in the domain role of healthcare or healthcare management and perhaps not as much the information security or security management roles. The goal of the program is not directly to influence hiring practices or priorities," Basu said. "[This program] will enable these folks who are primarily technology professionals to get an appreciation for management challenges, and perhaps this will increase the comfort of senior execs who are choosing professionals to fill these [C-level] roles."

With appropriate resources at their disposal, healthcare security professionals can expand their existing policies and technologies. Click through our slideshow to see the top 10 security improvements we believe healthcare must make if it is to withstand the growing threat of data theft.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
8/26/2014 | 3:24:18 PM
Healthcare security
The only thing worse than hackers is a badly organised patient information management system. Not everytime are hackers responsible. When healthcare is being talked about, we are assuming that the hospital (or chain of hospitals) have a central server which allocates files to patient information. What happens mostly is that this kind of networking does not align up with efficient management and the patient information (and not the case file and treatments offered) stays in the system long after the patient has been discharged.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
8/26/2014 | 3:36:35 PM
Re: Healthcare security
That's a great point. Hackers are less likely to be the culprits. It's much more likely to be employees, accidentally or on purpose. And as we've seen from breaches in both healthcare and other industries, all too often they occur because simple steps are not taken. Automating processes really helps; it eliminates the need for someone to remember to do something, always a good thing! 
asksqn
50%
50%
asksqn,
User Rank: Ninja
8/26/2014 | 7:16:07 PM
So easy even a CEO can see it
Excerpt >>We do find that a number of healthcare organizations appoint people... whose training has been primarily in the domain role of healthcare or healthcare management...<<

/Excerpt

 

And there is the entire crux of the problem right there.
pcharles09
50%
50%
pcharles09,
User Rank: Ninja
8/27/2014 | 12:17:51 AM
Re: Healthcare security
@Alison,

More importatnly, automation prevents users from screwing things up or being too 'creative' with tasks.
progman2000
50%
50%
progman2000,
User Rank: Ninja
8/27/2014 | 7:19:57 AM
CSO?
Just what the business world needs, another C-level position that will make more money than me.  I can kind of see the logic but so many organizations are top heavy as it is, is concocting another high level position really the answer to this problem?  Most hospitals are spread razor thin as far as budget to begin with...
Stratustician
50%
50%
Stratustician,
User Rank: Ninja
8/27/2014 | 9:42:42 AM
Re: Healthcare security
Let's not forget the staggering 68% of incidents caused by outsiders!  That's quite a staggering statistic! This means there are lax controls around identity and access management.  Between this risk and Data Loss Prevention from loss/theft, it's easy to see that there are a lot of gaps in policies relating to how data is used, accessed and stored.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
8/27/2014 | 12:34:25 PM
Re: So easy even a CEO can see it
Exactly! Surely you'd want a chief SECURITY officer to be expert in security. Healthcare experience will come. This exec certainly is motivated to learn the ins and outs of the business -- and even if someone knows one hospital, each facility has its own nuances and workflows anyway!
Alison_Diana
100%
0%
Alison_Diana,
User Rank: Author
8/27/2014 | 12:37:03 PM
Re: CSO?
I can see why the thought of another c-level might appear unnecessary but who is responsible for security if not a CSO? The CIO? Well, the CIO already oversees everything IT -- and security isn't only tech-related. The CFO? Security should not be ruled by finance, otherwise money talks and security measures walk. The CEO? They have enough responsiblities already? And we know what happens when anything is ruled by committee! The problem with having a lower-level person rule security is it doesn't get enough visibility or leverage, and requests flounder. So I stick by that recommendation, a recommendation I picked up from many security professionals. And it's a great goal for security execs who aspire to the c-suite.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
8/27/2014 | 12:38:19 PM
Re: Healthcare security
Absolutely! It's one reason a CSO is so important. They should either be strong in governance or, depending on the organization, work with lead counsel on these efforts to ensure data policies and guidance are strong -- and followed.
Henrisha
50%
50%
Henrisha,
User Rank: Strategist
8/27/2014 | 1:38:55 PM
Re: Healthcare security
True. Employees' inadvertent mistakes can often cause so much damage and problems. It's unfortunate but sometimes you have to remove and just take out the human factor, and you can see the number of errors go down with automation as well.
Page 1 / 2   >   >>
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll