From the January/February 2018 issue of HealthCare Business News magazine
Social media has really helped these efforts, showing the severity of these attacks happening worldwide. This has led employees from across the enterprise to ask what we are doing and working on from security and privacy perspectives. It is an advantage to have an entire organization care about what we are doing to secure our network and protect the privacy of the patient data entrusted to us.
HCB News: What advice would you give to another health care organization as they begin to focus on cybersecurity?
I advise organizations to start with a strategic review to understand where the vulnerabilities and risks exist. A strategic review will be essential in developing a strategic plan. Strategic reviews need to happen separately, looking from a security perspective, then vulnerability and state of the network assessments.
These assessments need to address patches and how servers are updated, coordination of equipment pulse checks, and how we are handling vendors and their access to the network and patient data. We must determine how we are auditing who is in the network and how they're getting in. Additionally, we have to determine our internal literacy level, and ask if our people are aware of what phishing attacks are and whether they are aware of what they're doing when they're plugging in their BYOD device.
Organizations must understand that you can have security without privacy, but you can't have privacy without security. Privacy and every piece of privacy legislation is based on a framework, and those frameworks have safeguards involved that are both physical and technical to protect personal information and sensitive health information from unauthorized collection, use, disclosure and disposal.
The biggest piece of advice is to move forward. We must go beyond talking and planning and put these policies and plans into action. But policies must be continually assessed in a way where you walk through use cases of potential attacks and how to involve various organization areas.
HCB News: What do you think the future of health care cybersecurity will look like?
I believe the future of cybersecurity and patient privacy in health care will be more comprehensive in terms of every organization having a strategic plan they put into place and review annually. In conjunction with these plans, I think we will see expanded and enhanced auditing, both from a patient privacy and security perspective, which will provide clear pictures of who is accessing patient records, as well as how that data is being secured.