If it’s not every week, it’s every two weeks that we hear reports of a healthcare security breach, and despite the healthcare regulations we still have health systems that don’t seem to take data protection seriously enough, or that don’t build a security program into their business to be ready for potential hacking.
We hear breach statistics in almost every article, circling the twittersphere, on every slide deck, on every webinar, or at every conference. But just once more, let’s look at why healthcare is a target.
In 2014, there were four times as many breaches in the healthcare sector as in any other industry, including the education, banking, financial, and government sectors. Some have suggested that the reason hackers are turning their efforts to the healthcare industry is that other industries are getting better at securing their data.
However, in healthcare, the profit potential is another factor.
Hacking healthcare data is a lucrative practice; health data is worth more on the black market than any other data set. It makes sense that so many healthcare organizations are a target, but that’s also what makes this alarming. That, and with the healthcare security practices we have in place today, it’s incredibly easy to hack.
Let’s look at this on the ‘back of the napkin’
Grab a blank sheet of paper and draw a box. Let’s say this “box” is your health system. List what security program you have in place today. Write the estimated amount of patient data you have stored. This is who you are protecting. Are your security efforts sufficient? For healthcare, I’m going to guess no because most organizations don’t even know where most of their data lives! Okay, now list what you could do to improve your program. Now if every CIO shared this piece of paper, what would it look like? It might look a lot like a checklist: risk assessment, technical testing, security controls review, information security review, performance monitoring, and governance.
We could “checklist” our way to “security,” or even add a little governance to our program to show that we are meeting regulation with meaning, but if the threats keep coming and we can’t keep up, the need grows, not just for improvement, but for security transformation and a security culture.
So what’s in the box?
It’s your health system, your organization, your security team, its actionable practices, a continuous process improvement, cyber security. It’s creating security longevity, a dedicated security trainer, a security culture, and a functioning business unit. It is your mindset.
A Functioning Security Business Unit
A CISO is critical within a healthcare organization, and never more so than now. Healthcare’s complex data extends far and wide, from patients and wearables to clinicians and employees accessing sensitive data on mobile devices. Not having a CISO in a sizable health system will not sit well with OCR should you be selected for audit. If you do not have one, it is the first implementation step.
Implementing your security team outside of the IT Dept.
Security has become bigger than the IT department. It requires a transformation from a technical asset to a business process with its own team and perspectives, a team that acts as risk advisors. A CISO, like the CIO, must understand the business. An effective security program understands its security outcomes, creates an evolution process, collaboratively documents business processes, quantifies security risks, and automates the process.
Senior Risk Advisory Council
Establish a senior risk advisory council made up of senior-level executives, including the CISO, and actually meet! These meetings develop procedures and best practices and record votes, which builds culture. Together, create your program and build in the understanding that, when making decisions, you look at the risks associated with them. This team should become more cognizant that culture will help you better execute your strategy.
The Privacy and Security Roadmap
What are the goals of the program, and how do you get there? Build a new privacy and security roadmap that drives toward program advancement and a defensible resource plan, such as cybersecurity preparedness. Ideas include placing a security staff member on the ‘front lines’ of cyber threats, policy developments, and technology trends, and having a dedicated team member provide employee education and training on a quarterly basis. They are key players on your team in the fight against phishing and social engineering, and in keeping up with trending technologies.
Grow your security team to be ready for potential hacking, and establish a program with enough staff to work consistently into the future, with processes that are regularly refreshed in an effort to prepare for tomorrow. As of today, most health systems are not proactive, and some have the mindset that they’d rather just budget for when they do encounter a breach instead of protecting patient data. It’s flat out wrong. Also, when a breach does occur, the additional skill sets you scramble to hire are hard to find on short notice. Build early; grow your team in advance.
*HIMSS reported in their cyber security study that 62% of respondents said there were too many new threats to keep track of.
Keeping pace with threats and technological trends is almost impossible, but it is essential to your organization’s security practices and key in fighting against hacktivists. Just as in sports, when you’re focused on your goal, you’re ready for what comes at you, and that creates performance. Sometimes you win and sometimes you’re outperformed. Either way you’re lessening the impact and will only get better. This is the mindset healthcare security executives should be practicing.
A Functioning Security Program includes:
- Annual Risk Assessment
- Functioning Security Business Unit
  + Develop an extended security team outside of IT
  + Implement a CISO
  + Establish a senior risk advisory council
  + Staff trainer and educator
- Auditing and Monitoring
- Business Associate Management
- Cyber security
- Governance programs (Data Governance, Cyber security Governance)
- Quarterly BC/DR and Incident Response Test
- Quarterly Security Controls Audit
- Quarterly Education Program Enhancement
- Mock cyber defense exercises
Old security programs may have included:
- A risk assessment every two years
- Ad-hoc processes
- Annual workforce education training
- Treating all risk equally
- IT responsible for security
A new security team should include:
- Security evolution: consistent processes built into business models
- Prioritization system that sets threshold
- Dedicated security trainer
- Cybersecurity & cybersecurity governance
- Mock cyber defense exercise
- Risk Measurement
The current model of risk assessment is inefficient and does not create ongoing visibility. As health systems use risk assessments and technical testing to assess their programs, we need to provide them with a better, more informed risk assessment. In order to meet compliance audits, it’s best to use an independent third party to ensure adequate compliance and professional visibility. However, your health system’s risk posture cannot be formulated or determined by a third party; only you or your executives can establish a risk profile.
Cybersecurity and Cybersecurity Governance
Keeping pace with cybersecurity, phishing attacks and the latest business and technology trends requires an information security team overhaul.
*87% of respondents indicated that information security had become a critical business priority
*66% of organizations had experienced a security incident
Some large breaches, such as Community Health Systems and Home Depot, point to governance failures. On the surface it may look like a technical vulnerability, but oftentimes health systems are implementing cybersecurity at the wrong point in their development cycle and processes. Another big failure is when cybersecurity isn’t seen as a vital component of the security program or strategy. As a result, the breach then has nothing to do with technology.
Now is the time to build awareness and readiness into your security program. We are seeing more healthcare breaches than ever before, and at a pace we can’t keep up with. An evolving security program will level up security processes, making them a high, ongoing priority for the business. It also continually re-evaluates itself to ensure effectiveness. That, together with being on the ‘front lines’ of your program’s effectiveness, helps you become more resilient across the security ecosphere.
We have to see the value in taking our programs beyond no program at all. For example, we cannot defend against phishing if only 5% of our workforce is defending against it.
*HIMSS Cyber Security study