Healthcare data security is no longer an issue relegated to the IT department, especially as technology becomes more prevalent throughout organizations.
This is why CIOs and CISOs need to understand what the key privacy and security issues are, and how they can best work toward overcoming them.
Impact Advisors, LLC recently released the results of a CIO Summit report, which found that board and leadership involvement is essential in creating the right solutions and strategies for healthcare organizations. Impact Advisors Principal Rob Faix told HealthITSecurity.com that there are an infinite number of ways the security angle can be pursued.
However, it is important for organizations to understand that information security is the ultimate cat and mouse game. This is not a situation where you implement a technology and then declare a victory. There will always be a new threat, which is why it is important to continually monitor what is going on in the IT world.
HealthITSecurity.com: What are some of the top issues for CIOs and CISOs going into 2016 in terms of privacy and security?
Rob Faix: One of the top issues that CIOs and CISOs are going to be looking at from an exposure perspective is going to be their biomedical devices. These are devices that in some organizations are managed within the IT department, and in others they are not. Most often, if they’re outside of IT, they’re associated with the facilities department. These devices, with increasing frequency, are being identified as potential exposures for breaches. One of the biggest challenges they face is the maintenance programs. A lot of these devices are FDA regulated, and therefore changing or updating the operating system that underlies the devices is a lot more challenging, because any changes to these devices need to be approved by the FDA through the vendor themselves. So there’s a bit of a lag in the amount of time available, or required, to apply patches as vulnerabilities are identified.
A second challenge that CIOs and CISOs are going to be dealing with, and continue to deal with, is simply the prevalence and volume of information assets: managing the location of data throughout their enterprise and ensuring that all of the endpoint devices are maintained and updated from a security patch perspective. There are tools in place, and a lot of organizations continue to invest in technology, but an opportunity exists in organizations to ensure that any technologies that they are purchasing are properly implemented, properly configured and, on an ongoing basis, maintained. Most importantly, their staff also needs to be well trained on the proper use of the tool. Organizations will invest in technology, but you really need to make sure that the staff that is responsible for maintaining and operating that technology understands how to properly use it and is given the time and investment in their education to ensure that it’s properly used. Otherwise, the dollars have been wasted.
HealthITSecurity.com: Why is it important to have board and C-suite leadership involvement in creating solutions and strategies for healthcare privacy and security?
RF: Executive leadership going forward is going to be absolutely essential, and the one thing I will say is that I’m very encouraged by the amount of dialogue and interest that I’m seeing from executives, leadership, and boards of directors of organizations that I work with. Security very clearly is a top-of-mind item with all of these executive groups. Their leadership and guidance in the security arena is just as important as any other enterprise initiative. Obviously, in healthcare we’re very focused on delivering high-quality, cost-effective health solutions to patients, but we now are seeing executive leadership view security as another essential business component to the operations of their organizations. We understand there are high stakes. There’s a lot of potential exposure that can be created through a data breach, and the visibility in the press and through the ONC requiring disclosures of security breaches over a certain size brings a lot of unwanted visibility to organizations. These are things that obviously catch the eye of senior leadership. Their interest is continuing to increase, and it’s higher than I’ve ever seen it.
When I meet with senior leadership and boards of directors, my best advice to them is to view their security strategy just as they would any other business strategy in their enterprise. It is that important. This is no longer “an IT problem.” Everybody needs to have a security mindset. But that tone really does start from the top.
HealthITSecurity.com: How do budget implications impact security strategies?
RF: As I work with clients, organizations tend to fall into two different buckets. There’s the proactive and the reactive. From a security perspective, that can be very obvious. Organizations that are proactive and looking for opportunities to improve their security posture are going to naturally increase their security budget, perhaps by 2 or 3%. Other organizations may be much more aggressive, and even get into double-digit increases in their security budget. And again, the key to that investment is that you’re purchasing technologies that are appropriate for your organization and are implemented properly, and that the staff that operates them is well trained. It’s not just a “throw them in and forget it” type of situation. The proactive organizations are taking pragmatic steps to identify exposures, identify technical solutions, find technology solutions to fill those voids, and properly implement them.
The converse of this is the reactive organization that perhaps for some period of time has known about an exposure and been lucky that they’ve not had a breach, but unfortunately time caught up with them. In that case, those organizations in a reactive mode are very quickly assessing the damage, assessing the vulnerability, throwing the solution in, and implementing a solution very quickly. In those particular cases, while it may stop the leak, the damage has already been done. Honestly, in the reactive mode, there’s a lot longer, more costly remediation path that needs to be taken. An ounce of prevention is really worth a pound of cure.
Obviously, it’s clear which one you want to be in – the prevention side. You can really tell a lot about an organization’s potential vulnerability or level of vulnerability by its IT security spend. There is somewhat of a correlation that can be derived in terms of the investment of dollars in security and the individuals that they have in key roles. That’s another key point here: having well-trained, properly qualified, security-minded individuals in that CISO role and on the organizational chart, ensuring that they are in a place of proper influence.
HealthITSecurity.com: How have connected devices and BYOD strategies affected privacy and security?
RF: Connected devices, and BYOD strategies specifically, are certainly influencing the security landscape. Fortunately, when properly implemented, there are a lot of good tools and technologies out there that can secure devices that are personally owned yet are on the corporate network. One of the key points here is that it’s essential that organizations adhere to their policies. You become vulnerable when you begin to introduce exceptions. For example, an organization may have spent a fair amount of money on a technology for securing personally owned devices on the corporate network. However, the first time that any individual circumvents that solution with an exception approval, be it an executive or an influential physician, the first time that policy is granted an exception, an exposure has been created.
I’m confident that when properly implemented, mobile device management solutions that are designed to secure BYOD devices can work very effectively in an enterprise. BYOD is a strategy that’s here to stay. Technologies exist to ensure the security of these devices, but they’re only as good as the way the technology is implemented and the degree to which the policy is adhered to.
HealthITSecurity.com: What are key takeaways for CIOs and CISOs following large-scale data breaches?
RF: The first thing is, let’s make sure that we understand exactly what occurred. During an event, whether it’s a large-scale event or a small-scale event, there is a rush to plug the gap. We need to make sure that we understand exactly what occurred. The moment that the source of the breach is identified, an organization must move quickly to isolate it. And in that isolation activity, one of the biggest things you need to be aware of is to not make the situation any worse, or to over- or underestimate it.
The key here is to make decisions that are based on the facts in front of you. There’s going to be a great interest in solving the problem very quickly. In doing so, details can be overlooked and assumptions can be made that ultimately prove to be false. A breach of any size should be handled just like any unplanned downtime event. It needs to be managed appropriately as an incident, and organizations need to deal with the facts as level-headedly and calmly as possible.
Your incident response program includes appropriate executive management, business and clinical leaders, HR, and your corporate communications department. Your incident response program should be enacted like any other response, but you have a responsibility on the back end to be very transparent. Once the findings have been identified, the organization needs to quickly implement remediation recommendations and then work through the proper channels, whether it’s law enforcement or the ONC, to ensure that proper disclosures are submitted.