by Brian Doerr, CHC SVP Information Technology & Security and Privacy Officer
In this era of electronic data, we’ve come to expect that personal information stored electronically will remain private, accessible only on a “need-to-know” basis to the people you authorize. But what happens when organizational data becomes available to others as a result of cyber attacks? As an industry, hospitals face particular challenges.
In fact, health care organizations top the list of the most cyber-attacked industries, followed by manufacturing, financial services and government. Data breaches place private patient data at risk, and HIPAA standards and compliance audits alone don’t adequately address security: a passed audit shows that required policies exist, not that the systems behind them are actually secure.
Some of the reasons why health care security risks have steadily increased include:
- Enhanced access to data via the web and remote devices;
- Application sprawl, as applications are brought in to satisfy niche requests and unused applications are not decommissioned;
- Use of mobile and embedded systems such as cell phones, laptops, pumps, printers, copiers and more;
- Limited resources and staff expertise to address growing security needs.
Although the health care industry as a whole has taken steps to manage IT intrusions, risk management ultimately falls to health systems, hospitals and physician practices. Based on my experience working with these front-line providers, here are some best practice tips to quickly identify, reduce and manage hospital risk while balancing patient safety and access to data.
- Be proactive. It’s not a matter of IF but rather WHEN your organization will be attacked - have a plan in place to quickly identify and mitigate threats.
- Connect IT security to organizational risk. Reframe the conversation on IT security as a significant organizational risk, beyond the IT function or “checkbox” compliance. Include hospital leadership and an IT steering committee in evaluating the business risks of seemingly small IT implementations to large scale capital investments.
- Study security roles. Do you really have a Chief Information Security Officer? Perhaps you have an IT Director and/or Security Officer, and they are different individuals. Do they have the training needed to manage security? You may want to re-evaluate positions and governance structure based on a risk/security focus.
- Monitor data flow. Ensure data is secure at every stage of the workflow, from data in transit on the network to data at rest on endpoint devices. Confirm that the network and systems are logging activity and that those logs are consistently monitored. Conduct monthly or quarterly penetration testing and incident response exercises, and learn from the testing outcomes.
- Analyze the IT environment. Simplify systems whenever possible. Standardize remote access methods.
- Complete tactical modifications. Review the processes and systems needed to improve security, such as two-factor authentication and single sign-on services. Also, evaluate devices used in clinical settings and whether they truly need full internet access; restrict the ones that don’t. Ensure every device that stores data locally is encrypted.
- Communicate and educate. You can’t communicate “too much.” Inform end-users, management, and board members about cyber-security risks and stress their critical role in protecting the organization. Include education on cyber and physical security as part of orientation, and don’t forget ongoing communication with end-users. Let the community know what the facility is doing to protect their data.