February 7, 2018
Editors note: The following blog was authored by Navneeta Rathor, Dr. Mansur Hasib Has reviewed and approved the content. Navneeta is currently pursuing a Master’s degree in Cybersecurity at UMBC. During her study of cybersecurity leadership and risk management under the guidance of Dr. Hasib, Navneeta analyzed several major organizations and their breaches and wrote recommendations. She has extensive experience working in healthcare and was a practicing physician in India.
This blog complements the February 27, 2018 webinar, “The Need for Dynamic Compliance in Healthcare”, featuring 2017 Cybersecurity People’s Choice Award and 2017 Information Governance Expert of the Year Award winner, Dr. Mansur Hasib.
Healthcare organizations will continue to be at high risk for cyberattacks and intrusions due to a higher financial payout for medical records in the black market. Earlier this year, the Health Care Industry Cybersecurity Task Force pointed out that, despite the increase in both the number and severity of cybersecurity threats, healthcare organizations were generally under-prepared to meet the information governance challenges. Many healthcare organizations are not adequately prepared to combat even basic types of cyber-threats, let alone more sophisticated attacks that are cropping up. So, what needs to change?
Cultural & Technical Misalignment: Why Healthcare Security Practices Lag
Healthcare security has been hampered by constrained spending, pervasive use of legacy devices that were not designed to resist or recognize modern cyber-attacks, a lack of understanding of the cybersecurity risks, as well as limited education and awareness training for healthcare workers.
At too many healthcare organizations, fundamental security controls are absent or immature. For instance, lack of adequate privileged access controls played a key role in the Anthem breach of 80 million records. Enforcing least privilege access is a cornerstone security concept. Healthcare organizations should implement privilege management controls to restrict user access to only necessary and approved functions.
Understandably, most healthcare providers spend a majority of their financial and personnel resources to deliver as superior care as possible to as many patients as possible. Often times, this spending crowds out potential investments that could occur to improve risk management in ways that would support their mission, and ultimately, provide better patient care and data protection. Consequently, the impact of cybersecurity threats on the healthcare sector continues to be severe.
Balancing Openness & Collaboration with Best-Practice Security
To respond to critical care issues quickly while maintaining a seamless workflow, healthcare personnel may leave workstations unlocked and unattended. While leaving workstations unlocked improves the speed with which a provider can access the patient’s information and identify potentially lifesaving allergies or drug interactions, these practices could lead to the loss, unauthorized access, or alteration of patient data.
Therefore, such cultures are at odds with the issues of security and privacy. Speed and expediency in access to information quickly to provide patient care must be balanced with the safety and security of patient protected health information (PHI) and the systems supporting patient care. Electronic health records (EHRs) make it entirely too easy to access and pilfer this sensitive data.
Treating Cybersecurity as a Key Pillar for Better Healthcare Delivery
The idea that appropriate cybersecurity practices are a central component of a digital strategy that is critical to the organizational mission has yet to be fully embraced across healthcare. Members of the healthcare industry report that absent experiencing a security incident, such as a data breach, organizations struggle to grasp the basics of cybersecurity protections, let alone advancing a proactive and continuous risk mitigation strategy that will actually save money and shield against reputational damage in the long-term. Such a transformation in organizational culture will require increased backing from executive leadership, as well as changes in the way providers perform their duties in clinical environments.
When we examine the major breaches in healthcare, such as MedStar and Anthem, we find governance failures and lack of CEO and CIO engagement with regards to data protection and security. Subsequently, we see that the organizations also lacked a culture of proper cybersecurity hygiene throughout all layers. Dr. Craig DeAtley the director of emergency preparedness at MedStar said that one should be prepared for such kinds of attacks and that they knew it was coming. Yet, MedStar proved ill-prepared. MedStar practiced an open and collaborative culture because the organization felt such a culture supported its primary mission, but, as a consequence, proper security controls suffered.
An effective, and necessary, strategy to boost cybersecurity posture at healthcare organizations is for CEOs (and others in executive leadership) to understand and own that cybersecurity risks are business risks. Ultimately, the path to better healthcare cybersecurity is neither mysterious nor overly complicated—it requires an embrace of cybersecurity and information governance as an enabler to embed best practices throughout the organization.
Need to evolve your cybersecurity practices to improve security and compliance, while supporting better healthcare delivery and innovation? Tune in to this webinar, featuring 2017 Cybersecurity People’s Choice Award and 2017 Information Governance Expert of the Year Award winner, Dr. Mansur Hasib. Also get key insights into what complying with healthcare regulations will mean to your privileged access management, insider threat monitoring, and vulnerability management programs.
This blog complements the February 27, 2018 webinar, “The Need for Dynamic Compliance in Healthcare”, featuring 2017 Cybersecurity People’s Choice Award and 2017 Information Governance Expert of the Year Award winner, Dr. Mansur Hasib.
