Most of today’s healthcare organizations have adopted comprehensive cybersecurity practices to protect their information assets. To highlight current issues, trends and best practices, the Healthcare Information and Management Systems Society (HIMSS) gathered feedback from 126 qualified information security professionals from a variety of U.S. healthcare organizations. Seventy-one percent of respondents stated that their organizations allocate a specific part of their IT budgets towards cybersecurity, and 80 percent indicated that their organization employs a cybersecurity staff—often under the purview of a chief information security officer (CISO).
While the catalyst for hiring a security officer is often reactive, following a major breach or another significant security incident, Wes Rhea, BioIQ’s chief compliance officer, recommends taking a more proactive approach to minimize the chance of a serious security event. He suggests appointing a senior security officer before issues arise, conducting regular risk assessments (at least once per year, as per HIPAA security rules), and being vigilant about identifying and quelling insider threats. “Internal breaches are not always malicious, or even intentional,” he explains. “They can stem from simple oversights—such as an unattended computer, tablet, or phone that displays patient data—as well as from careless network usage, such as inadvertently clicking on a malicious link in an email. Such actions can affect not just the computer at hand, but also other systems that are connected to the network.”
Rhea reminds healthcare organizations that security awareness and training are required under the HIPAA Security Rule. He enforces regular training for all BioIQ staff members, and he is also vigilant about educating the company about how to detect phishing emails and when to report suspicious incidents to the IT department. “Preventive cybersecurity should be a standard practice at all organizations, especially at healthcare organizations that deal with sensitive patient data,” he emphasizes.
Of course, astute CISOs and other information security professionals know that HIPAA compliance alone is not enough. Adopting and implementing a recognized security framework is a necessary prerequisite for a robust security program. According to the HIMSS survey, healthcare organizations with a CISO or other senior information security leader tend to adopt holistic cybersecurity practices in a number of critical areas (see sidebar, “The Rise of the CISO”). Ninety-five percent of these organizations follow the NIST Cybersecurity Framework, with its core functions to identify, protect, detect, respond and recover. This widely heralded framework, which was created through collaboration between industry and government entities, consists of standards, guidelines and practices to help manage cybersecurity-related risks. Some healthcare organizations also adhere to the HITRUST security framework—adopted by 41 percent of the HIMSS respondents.
These security frameworks help organizations build a comprehensive security program, and provide detailed guidance on how to identify and prioritize actions for reducing cybersecurity risk. Check out the complete 2017 HIMSS Cybersecurity Survey report for additional information and best practices on business continuity, disaster recovery, medical device security, packaged application software security, penetration testing, information sharing and cloud software security.
The Rise of the CISO
Sixty percent of the respondents to the HIMSS Cybersecurity Survey indicated that their organizations employ a senior information security leader, such as a Chief Information Security Officer (CISO). These senior officers play an important role, focused on the following core tenets:
- Convey deep knowledge and expertise to ensure comprehensive information security in the healthcare environment
- Shape an organization’s information security program based on in-depth knowledge about threats, methods and tools used for protecting information and IT assets
- Lead an organization’s information security program from a holistic, business-enabling perspective
- Articulate and uphold the vision, needs and mission of an organization’s information security program
- Create a culture of cybersecurity by promoting cybersecurity literacy and awareness
- Secure business and clinical operations without hampering productivity