Essentials: A Cybersecurity Strategy For Healthcare

Uploaded on 2017-09-13 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

As worldwide cyber threats shut down organisations and violate privacy left and right, hospitals and health systems need to make sure their cybersecurity strategies are primed to keep them ahead of the threats. 

A Cybersecurity Strategy is the only way to ensure that an organisation can stay up and running while protecting its patients’ privacy and even their well-being.

Progressive health systems see the value of cyber-security as providing a competitive advantage and ensuring better patient care, said Rich Curtiss, a managing consultant at Clearwater Compliance who specialises in cyber-security and health data risk management. “However, considering the healthcare sector is woefully behind in adopting information technology, it is difficult to see a horizon that is able to keep up with the velocity of cyber-security threats,” Curtiss said. “There are a few areas where health systems should be focused on.”

These areas, according to Curtiss, include the need for health systems to establish cyber-security as a strategic objective that is defined and managed by the C-suite and has a board of director’s involvement. This would include assessment of information risk metrics to drive improvements. “Information risk management will inform many decisions that require organisational prioritisation and ensure the C-suite and board are well-informed on threats, vulnerabilities and risks that may adversely impact the organisation,” he said.

Health systems also need to isolate the information security workforce from the information technology workforce to ensure adequate separation of duties and avoid conflicts of interest, Curtiss said. And health systems, he added, must establish a chief information security officer who reports to the COO and CEO; this is a critical step in maintaining vigilance and ensuring information security gets a seat at the table.

Finally, a separate budget and spend plan for cyber-security improvements and maintenance will ensure competing IT or clinical priorities do not erode the ability to effectively address the cybersecurity environment, Curtiss said. The vendors behind the information technology that weaves together today’s health systems play a big part in the cyber-security strategies health systems need to hone. “Hospitals and health systems must be rigorous in assessing the privacy and security controls of the vendors with which it contracts, include robust business associate agreements as part of the vendor contract, and ensure that the vendors have the financial wherewithal to back their contractual obligations,” said Pam Hepp, a shareholder at Buchanan, Ingersoll & Rooney who specialises in data security, HIPAA and patient privacy.

However, provider organisations have not tended to do a good job vetting many of these vendors, largely due to the fact that CIOs, CISOs and privacy officers are not always made aware of all of an organisation’s vendor arrangements; nor do these executives have the resources to devote to assessing each such vendor, Hepp said.

Moving into the future, provider organisations must continue to be proactive to identify risks and vulnerabilities, take reasonable actions to address known risks, continue to educate staff, remain vigilant and promptly take action to address issues that do occur by undertaking remedial measures, provide notices where appropriate, and learn from each incident, Hepp said. “But much more needs to be done with respect to vendor management,” she added. 
“Healthcare organisations need to recognise the risk presented by these vendor arrangements and devote appropriate resources or they may be exposed to even greater financial, as well as reputational, risk that may occur in connection with either a significant operational disruption and/or an OCR enforcement action should an issue occur that the organization easily could have or should have identified and addressed.”

But information security is not simply a compliance issue. “CIOs, CISOs and CCOs need to drop the compliance mindset and realise that information security is necessary to ensure the availability of critical patient care information systems and medical devices,” he concluded.  

“Diverting patients to another hospital due to an uncontrolled and unmanaged malicious software event is unacceptable now and in the future.”

Healthcare IT News

You Might Also Read:

A New Form Of Ransomware Attacks UK Hospital:

Insiders Are The Cause Of Most Healthcare Breaches:

 

« Cyber Vulnerability Affecting 745,000 Pacemakers
Will The CIA Be Run By Robots…? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

InteliSecure

InteliSecure

InteliSecure offer Professional Services, Security Assessments and Managed Services for data and threat protection.

North American Electric Reliability Corporation (NERC)

North American Electric Reliability Corporation (NERC)

NERC is a not-for-profit international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America.

NetMonastery DNIF

NetMonastery DNIF

NetMonastery is a network security company which assists enterprises in securing their network and applications by detecting threats in real time.

Viasat

Viasat

Viasat is a provider of high-speed satellite broadband services and secure networking systems covering military and commercial markets.

Quaynote Communications

Quaynote Communications

Quaynote Communications is a specialist conference and communications company focused primarily on the maritime, yachting, aviation and security industries.

IOTA Foundation

IOTA Foundation

The IOTA Foundation is a non-profit R&D organisation focused on developing the next generation of protocols for the connected world.

C2A Security

C2A Security

C2A Security offers a comprehensive suite of cyber security solutions for the automotive industry, providing in-vehicle end-to-end protection.

Liquid Technology

Liquid Technology

Liquid Technology provide DOD- and NIST-compliant data destruction and EPA-compliant e-waste disposal and recycling services throughout North America, Europe and Asia.

QuillAudits

QuillAudits

QuillAudits offers advanced Ethereum, EOS, TRON smart contract audit, blockchain protocol security and formal verification to ensure your platform’s integrity.

Intrinium

Intrinium

Intrinium is an Information Technology and Security Solutions company, providing comprehensive consulting and managed services to businesses of all sizes.

Telefonica Global Solutions (TGS)

Telefonica Global Solutions (TGS)

Telefonica Global Solutions is the technological partner of wholesalers and enterprises, helping them to achieve the digitalization they need.

Stronger International

Stronger International

Stronger International provides expert cyber services and training to organizations and individuals to enhance IT and security knowledge.

Salem Cyber

Salem Cyber

Salem Cyber builds Artificial Intelligence (AI) solutions that work collaboratively with people to address scalability challenges in cybersecurity operations.

Wib

Wib

Wib is an API security leader. We are the only company providing a solution for the entire API development lifecycle.

National Renewable Energy Laboratory (NREL) - USA

National Renewable Energy Laboratory (NREL) - USA

NREL is transforming energy through research, development, commercialization, and deployment of renewable energy and energy efficiency technologies.

EyBrids

EyBrids

As a forward-thinking cybersecurity consulting firm, we believe that robust security is the foundation for innovation and growth in today’s digital landscape.