Being proactive in healthcare IT security means identifying risks before incidents occur, not after the fact. The challenge is that potential risks are spread across many areas of a healthcare organization. Blair Smith, Ph.D., Dean of Informatics-Management-Technology (IMT) at American Sentinel University, spoke with HealthITSecurity.com about security considerations for healthcare organizations.
Smith was a professional IT consultant for a number of years and spent the last 15 years with the University of Phoenix, including the last five as Dean of Information Systems, before joining American Sentinel. He has extensive experience in disaster recovery planning and said he has always considered security a major risk area.
What are some major security risks within healthcare at the moment?
When I look at IT security for healthcare organizations, it’s not that much different from what many other retail or manufacturing organizations face, in that it’s a prominent topic. The key is to understand and identify areas of risk and potential exposure, and that’s where the HIPAA rules for risk assessment become very important. BYOD, for example, has its risks and benefits, but from an industry perspective, the access to data housed [on the device] would be a concern.
Similarly, cloud security opens another external pathway for data to possibly be exposed to a number of different risks, such as inappropriate data access and loss. As we use more mobile devices, whether it’s a smartphone or a tablet, those types of things really present a wide range of issues for security personnel. And what we’re seeing today is more hackers and outside threats bringing exposure and risks to organizations. For example, there’s the subject of single sign-on (SSO) and how to have effective security controls while maintaining convenience. The idea is to move beyond prevention security to proactive response technology. How do we quickly mitigate and take care of any exposures?
What about internal risks such as rogue employees?
Certainly we do have concerns around internal employees because there may be intentional or malicious types of errors or data theft, including unencrypted data being sent through an employee’s personal email. It is common for healthcare and other industries to struggle in these areas and there needs to be [security] education for these professionals through degrees and certifications.
Speaking of certifications, is there really a healthcare IT talent shortage?
It’s an interesting question, because some have debated whether there’s actually a shortage or whether it’s a shortage of qualified people at the right price. There are certifications such as (ISC)²’s CISSP certification, but I was glad to see a few years ago that it began offering an Associate of (ISC)² designation, so that people without the experience can sit the test, use their knowledge, and then, once they have the experience, complete their certification. But areas such as penetration detection and being able to remove those infections require experience, and some security professionals may demand salaries north of $200,000, which may be hard for some organizations to take on. The question becomes: what are the best resources for the organizations, and how do they build their security programs?
Items such as the Office of the National Coordinator for Health Information Technology (ONC) HIPAA Risk Assessment tool or the HITRUST Common Security Framework (CSF) can be helpful, but organizations are looking for people who can lead and manage as well as those who can do the “dirty work” of trying to figure out what happened and how to mitigate any residing infections.
This is an emerging field that’s so broad and ever-changing that it can be overwhelming. I’ve found that it’s important for organizations to work with vendors that they can depend on. It’s prudent to spend that money, because the cost of an exposure is harmful to patients who trust the organization, and there’s the bad PR that follows.