Tackling health IT challenges with a proven risk management strategy

By Gerry Blass and Jason Tahaney

Gerry Blass (gerry@complyassistant.com) is President and CEO at ComplyAssistant in Iselin, NJ, and Jason Tahaney (jason.tahaney@comop.org) is Director of Technology at Community Options Inc. in Princeton, NJ.

Whether we want to believe it or not, healthcare data breaches are prevalent throughout the industry. Even more alarming, an evaluation of recent cyber and ransomware attacks indicates that the size or type of healthcare organization is immaterial to would-be attackers. Hospitals, clinics, long-term and elderly care providers, dental and optometry practices, plastic surgeons, and medical testing facilities have all experienced cyberattacks since 2016.[1] In fact, a Ponemon Institute study cited that 89% of healthcare organizations have experienced a data breach.[2]

Malware, ransomware, phishing attacks, third-party vendor negligence, insider fraud, improper data access and disposal—all common sources of data breaches—can wreak havoc on a health system’s daily operations, negatively affect patient care, and threaten the safeguarding of protected health information. Ransomware attacks, one of the fastest-growing cybersecurity threats, are expected to quadruple by the end of 2020.[3]

In this article, we will use this analysis of the current healthcare cybersecurity landscape to:

  • Explore the most threatening risks in healthcare information technology (IT) and cybersecurity;

  • Discuss the critical role of a chief information security officer (CISO) in developing and maintaining strategic direction;

  • Identify the essential components of a comprehensive risk management strategy required to protect healthcare organizations from common security and compliance inconsistencies; and

  • Apply real-life strategies—including governance, oversight, data analysis, and field observation—to identify and respond to risk, maintain transparency, set budgets, and effectively track risk registries, assessments, and the mitigation process.

Healthcare cybersecurity challenges and risks

CISOs and other healthcare IT leaders experience a complex and constantly evolving set of challenges every day. The digitization of healthcare has had an exponentially significant impact on the value of healthcare data over the past two decades. Let’s explore the most common scenarios that cause inherent high risk at healthcare organizations.

Data silos everywhere

Continued merger and acquisition activity throughout the healthcare industry has led to a ubiquitous presence of data silos. The result of such operational changes yields a complex portfolio of systems that typically do not talk to each other. The merged organization ends up with a variety of software, which requires more servers, more configuration, more interface engines, more related patient systems, and more third-party vendors. All of these applications and systems are their own data silos, leading to an inventory of unstructured data and an associated high inherent risk. Providers are beginning to move data to the cloud using software-as-a-service models, which can improve overall data security.

Legacy electronic medical record applications

Legacy electronic medical record applications were written in the late 1990s with very little built-in security. Many of these are still in production today. But to meet current data security standards, the technology must be compatible with newer applications and systems. As a result, IT and security teams are left with developing their own workarounds to secure gaps with legacy systems.

Limited qualified staff

Healthcare has generally lagged behind other industries in funding and staffing for cybersecurity. According to a 2017 Thales data threat report, nearly 40% of healthcare organizations surveyed said they lack the staff to manage cybersecurity defenses.[4] Chuck Brooks, former legislative director of the Science & Technology Directorate at the Department of Homeland Security, states, “Cybersecurity workforce training of a next generation of technicians and SMEs will continue to be both a challenge and a priority in 2020. The risk environment is growing every day and there have not been enough resources [3 million talent shortage] dedicated to keeping up with governments’ cybersecurity requirements…. As connectivity permeates every aspect of our lives, being cyber secure is an imperative and developing more cybersecurity workers is critical to cybersecurity success.”[5]

Lack of an empowered CISO

Too often in healthcare we see that cybersecurity is assigned to the operational directors of IT. This organizational structure does not allow for the proper checks and balances needed to properly find, document, and report security threats. In this structure, the CISO is generally not empowered to audit IT controls or to provide unbiased feedback that would affect IT operations, leading to potential conflicts of interest or undue political pressure to whitewash audit results.

Misconceptions about cybersecurity insurance

Healthcare leaders may fall into a trap by thinking, “We have cyber insurance, so we’re covered if anything happens.” However, like other types of insurance, cyber insurance will not protect healthcare organizations that are negligent in performing security controls and policies. Cyber insurance will mitigate the majority of the more expensive costs related to cybersecurity breaches, but it does not typically cover all costs related to reputational harm, loss of business, business continuity, or regulatory authority audits.

Lack of a working governance model

Without executive oversight and governance, cybersecurity efforts tend to go unfunded. Healthcare organizations that lack an IT governance model may not have a transparent understanding of all security risks, and therefore do not have all the information required to make informed decisions on how to prioritize risk mitigation efforts. In addition, lack of governance impedes the growth of an enterprise culture of compliance where all departments share in the education, training, and enforcement of cybersecurity processes.

Insufficient workforce training

How many healthcare organizations are prepared to deal with risks that are constantly changing and evolving, especially when many attacks prey on unsuspecting employees? According to providers surveyed in a Ponemon study, 54% of healthcare associates say their biggest problem is employee negligence in the handling of patient information.[6] Leaders must prepare to continually train employees on cybersecurity processes and procedures.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings