Declaring a strategic objective, naming a CISO, maintaining a separate budget, board involvement and strict vendor scrutiny are just a few crucial points, cybersecurity experts say.
As worldwide cyber threats shut down organizations and violate privacy left and right, hospitals and health systems need to make sure their cybersecurity strategies are primed to keep them ahead of the threats. It’s the only way to ensure that an organization can stay up and running while protecting its patients’ privacy and even their well-being.
Progressive health systems see the value of cybersecurity as providing a competitive advantage and ensuring better patient care, said Rich Curtiss, a managing consultant at Clearwater Compliance who specializes in cybersecurity and health data risk management.
“However, considering the healthcare sector is woefully behind in adopting information technology, it is difficult to see a horizon that is able to keep up with the velocity of cybersecurity threats,” Curtiss said. “There are a few areas where health systems should be focused on.”
These areas, according to Curtiss, include the need for health systems to establish cybersecurity as a strategic objective that is defined and managed by the C-suite and has board of directors involvement. This would include assessment of information risk metrics to drive improvements.
“Information risk management will inform many decisions that require organizational prioritization and ensure the C-suite and board are well-informed on threats, vulnerabilities and risks that may adversely impact the organization,” he said.
Health systems also need to isolate the information security workforce from the information technology workforce to ensure adequate separation of duties and avoid conflicts of interest, Curtiss said. And health systems, he added, must establish a chief information security officer who reports to the COO and CEO; this is a critical step in maintaining vigilance and ensuring information security gets a seat at the table.
And finally, a separate budget and spend plan for cybersecurity improvements and maintenance will ensure competing IT or clinical priorities do not erode the ability to effectively address the cybersecurity environment, Curtiss said.
The vendors behind the information technology that weaves together today’s health systems play a big part in the cybersecurity strategies health systems need to hone.
“Hospitals and health systems must be rigorous in assessing the privacy and security controls of the vendors with which it contracts, include robust business associate agreements as part of the vendor contract, and ensure that the vendors have the financial wherewithal to back their contractual obligations,” said Pam Hepp, a shareholder at Buchanan, Ingersoll & Rooney who specializes in data security, HIPAA and patient privacy.
However, provider organizations have not tended to do a good job vetting many of these vendors, largely due to the fact that CIOs, CISOs and privacy officers are not always made aware of all of an organization’s vendor arrangements; nor do these executives have the resources to devote to assessing each such vendor, Hepp said.
Moving into the future, provider organizations must continue to be proactive to identify risks and vulnerabilities, take reasonable actions to address known risks, continue to educate staff, remain vigilant and promptly take action to address issues that do occur by undertaking remedial measures, provide notices where appropriate, and learn from each incident, Hepp said.
“But much more needs to be done with respect to vendor management,” she added. “Healthcare organizations need to recognize the risk presented by these vendor arrangements and devote appropriate resources or they may be exposed to even greater financial – as well as reputational – risk that may occur in connection with either a significant operational disruption and/or an OCR enforcement action should an issue occur that the organization easily could have or should have identified and addressed.”
But information security is not simply a compliance issue.
“CIOs, CISOs and CCOs need to drop the compliance mindset and realize that information security is necessary to ensure the availability of critical patient care information systems and medical devices,” he concluded. “Diverting patients to another hospital due to an uncontrolled and unmanaged malicious software event is unacceptable now and in the future.”