Essentials: A Cybersecurity Strategy For Healthcare

As worldwide cyber threats shut down organisations and violate privacy left and right, hospitals and health systems need to make sure their cybersecurity strategies are primed to keep them ahead of the threats. 

A Cybersecurity Strategy is the only way to ensure that an organisation can stay up and running while protecting its patients’ privacy and even their well-being.

Progressive health systems see the value of cyber-security as providing a competitive advantage and ensuring better patient care, said Rich Curtiss, a managing consultant at Clearwater Compliance who specialises in cyber-security and health data risk management. “However, considering the healthcare sector is woefully behind in adopting information technology, it is difficult to see a horizon that is able to keep up with the velocity of cyber-security threats,” Curtiss said. “There are a few areas where health systems should be focused on.”

These areas, according to Curtiss, include the need for health systems to establish cyber-security as a strategic objective that is defined and managed by the C-suite and has a board of director’s involvement. This would include assessment of information risk metrics to drive improvements. “Information risk management will inform many decisions that require organisational prioritisation and ensure the C-suite and board are well-informed on threats, vulnerabilities and risks that may adversely impact the organisation,” he said.

Health systems also need to isolate the information security workforce from the information technology workforce to ensure adequate separation of duties and avoid conflicts of interest, Curtiss said. And health systems, he added, must establish a chief information security officer who reports to the COO and CEO; this is a critical step in maintaining vigilance and ensuring information security gets a seat at the table.

Finally, a separate budget and spend plan for cyber-security improvements and maintenance will ensure competing IT or clinical priorities do not erode the ability to effectively address the cybersecurity environment, Curtiss said. The vendors behind the information technology that weaves together today’s health systems play a big part in the cyber-security strategies health systems need to hone. “Hospitals and health systems must be rigorous in assessing the privacy and security controls of the vendors with which it contracts, include robust business associate agreements as part of the vendor contract, and ensure that the vendors have the financial wherewithal to back their contractual obligations,” said Pam Hepp, a shareholder at Buchanan, Ingersoll & Rooney who specialises in data security, HIPAA and patient privacy.

However, provider organisations have not tended to do a good job vetting many of these vendors, largely due to the fact that CIOs, CISOs and privacy officers are not always made aware of all of an organisation’s vendor arrangements; nor do these executives have the resources to devote to assessing each such vendor, Hepp said.

Moving into the future, provider organisations must continue to be proactive to identify risks and vulnerabilities, take reasonable actions to address known risks, continue to educate staff, remain vigilant and promptly take action to address issues that do occur by undertaking remedial measures, provide notices where appropriate, and learn from each incident, Hepp said. “But much more needs to be done with respect to vendor management,” she added. 
“Healthcare organisations need to recognise the risk presented by these vendor arrangements and devote appropriate resources or they may be exposed to even greater financial, as well as reputational, risk that may occur in connection with either a significant operational disruption and/or an OCR enforcement action should an issue occur that the organization easily could have or should have identified and addressed.”

But information security is not simply a compliance issue. “CIOs, CISOs and CCOs need to drop the compliance mindset and realise that information security is necessary to ensure the availability of critical patient care information systems and medical devices,” he concluded.  

“Diverting patients to another hospital due to an uncontrolled and unmanaged malicious software event is unacceptable now and in the future.”

Healthcare IT News

You Might Also Read:

A New Form Of Ransomware Attacks UK Hospital:

Insiders Are The Cause Of Most Healthcare Breaches:

 

« Cyber Vulnerability Affecting 745,000 Pacemakers
Will The CIA Be Run By Robots…? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Protective Intelligence

Protective Intelligence

Protective Intelligence brings together a group of information security specialists with a passion for delivering high-quality solutions.

TrustedIA

TrustedIA

TrustedIA is a cyber and protective security company. Our mission is to help businesses protect themselves from disruptive events that can impact their successful operation.

Protiviti

Protiviti

Protiviti consulting solutions span critical business problems in technology, business process, analytics, risk, compliance, transactions and internal audit.

RevenueStream

RevenueStream

RevenueStream uses an innovative algorithmic approach to intercept and prevent payment fraud before it even happens.

Nouveau

Nouveau

Nouveau Solutions is a specialist IT managed services company with a strategic focus on delivering cloud, infrastructure, compliance, network and security solutions.

Mitre

Mitre

At Mitre we work across government to tackle challenges to the safety, stability, and well-being of our nation. Areas of expertise include Cybersecurity.

Fraud.com

Fraud.com

Fraud.com ensures trust at every step of the customer's digital journey; this complete end-to-end protection delivers unified identity, authentication and fraud detection and prevention.

redGuardian

redGuardian

redGuardian is a DDoS mitigation solution available both as a BGP-based service and as an on-premise platform.

RiskRecon

RiskRecon

RiskRecon makes it easy to gain deep, risk contextualized insight into the cybersecurity risk performance of all of your third parties.

European Cyber Competence Network

European Cyber Competence Network

The purpose of the European Cyber Competence Network is to retain and develop the cybersecurity technological and industrial capacities of the EU necessary to secure its Digital Single Market.

ENSCO

ENSCO

The ENSCO group of companies provides engineering, science and advanced technology solutions that guarantee mission success, safety and security to governments and private industries worldwide.

South East Cyber Resilience Centre (SECRC)

South East Cyber Resilience Centre (SECRC)

The South East Cyber Resilience Centre supports and helps protect SMEs and supply chain businesses and third sector organisations in the region against cyber crime.

Airgap Networks

Airgap Networks

Airgap is fixing the fundamental flaw of excessive trust. We help enterprises modernize their network for a simple and secure infrastructure.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

Cyber Security Council UAE

Cyber Security Council UAE

The Cyber Security Council's vision is to protect UAE cyberspace, maintain confidence in our digital infrastructure and institutions, and build a cyber-resilient society.

Vigilant Ops

Vigilant Ops

Vigilant Ops is a leader in Software Bill of Materials (SBOM) Automation. A proactive approach to cybersecurity with continuous vulnerability monitoring.