Change in Mindset Necessary for Stronger Information Security in Healthcare
By Mark Fulford, LBMC Shareholder
Compliance is king, but that's not how it should be. Since the introduction of HIPAA in 1996, the healthcare field has centered data privacy and security efforts around compliance. If all the boxes were checked and organizations received a passing compliance report, everything was "all good."
The problem is that this led healthcare organizations to the false belief that as long as they comply with the HIPAA rules, their systems are secure. Unfortunately, as the industry has learned the hard way, that isn't true. This perspective can be problematic in any field, but it's especially damaging in healthcare. Here's why:
The HIPAA Security Rule became mandatory for providers, payers, and clearinghouses in 2005, and even with the additions of the HITECH Act and the more recent HIPAA Omnibus Rule, the actual HIPAA requirements around security have not changed much. For perspective, the first iPhone wasn't released until 2007. If companies are basing their security posture on a framework that's 13 years old, it shouldn't be a surprise that those organizations, while compliant, might not be secure.
"It's time now to really begin to pay more attention to our security programs holistically instead of being so compliance-focused," said Mark Johnson, shareholder at LBMC and leader of the healthcare security practice.
Johnson underscored the fact that companies shouldn't ignore compliance wholesale but should focus their efforts on the threats their organizations are truly facing -- not the checkboxes that come with a HIPAA audit. But, as many are already aware, this is certainly easier said than done for many organizations.
"Security is one of those things that you're never done with. It's not a project that you can say, 'Okay, we've reviewed our security plans and procedures, and we've implemented this technology, and we're good,'" noted Johnson.
Beyond that, it also can be difficult to get a board to see the importance of cybersecurity, because there's no clear ROI. However, according to Johnson, boards are asking the wrong questions if they're looking for the ROI on information security.
Johnson said he believes organizations need to stop asking, "What's the return on our investments in our cybersecurity efforts?" and start asking, "How much are we avoiding losing with our cybersecurity efforts?"
This is especially true as healthcare reimbursement systems trend toward outcome-based reimbursement, meaning quality of care, patient satisfaction, readmission rates, and other metrics play a larger role in how providers are reimbursed. In these circumstances, with healthcare's ever-increasing reliance on technology to deliver, monitor, and document care, systems availability and data integrity matter more than ever to bottom lines across the healthcare ecosystem. Information security, in this context, goes well beyond the historical focus on maintaining confidentiality to protect patient privacy: a ransomware outage or a corrupted record can hurt care quality and reimbursement directly.
So, what can be done? How should a healthcare company responsibly handle information security?
It starts with a change in mindset.
Compliance can no longer be king. Instead, healthcare companies must adopt information security as their new ruling principle. As a benefit, aiming for security will likely lead to compliance, whereas the opposite is not always true, as discussed above.
Regardless of the level of sophistication, most (if not all) information security programs start at the same place - awareness. Organizations must know what their threats are. They must know where their assets are, and they must also know the vulnerabilities associated with those assets. After that, they should develop a plan to close those vulnerabilities and educate users on threats.
The problem is that developing and maintaining a robust information security program requires vigilance, and, per Johnson, "Most small and medium-sized organizations just don't have the resources to do that internally." Because of this, Johnson added, "We've seen an increase in people thinking about outsourcing cybersecurity now."
If considering this avenue, it's important to be aware that outsourcing IT is not the same as outsourcing cybersecurity. While an outsourced IT team (commonly referred to as an MSP, a managed service provider) typically makes sure systems are running appropriately and that they're patched regularly, they might not be contracted, or have the expertise and experience, to monitor those systems or ensure their security on an ongoing basis.
If looking for that level of service, consider an MSSP (managed security services provider). These types of vendors focus on security and can provide a higher level of assurance for information security programs.
"Many organizations are doing better work around security now than they used to, but there's still a lot of room for improvement," said Johnson.
When looking for a place to start improving company-wide awareness of the security program, a risk assessment is the perfect starting point. It will help identify some of the most important items mentioned above (i.e. threats, assets and vulnerabilities). Beyond that, it will help in the development of an action plan to address those risks and better secure all data.
Effective risk assessments are based on strong methodologies, like NIST SP 800-30, FAIR, or OCTAVE. But, even with these methodologies, the process can be complicated. So, what answers should directors and owners of healthcare businesses be seeking related to their organization's security? Here are a few suggestions:
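To make the "how much are we avoiding losing" question from the discussion above concrete, here is an added example (not from the article, and not LBMC's BALLAST product) of the FAIR-style estimate one of the methodologies just named would produce: a Monte Carlo run over Threat Event Frequency, Vulnerability and Loss Magnitude for a single scenario, with and without a control, so the board sees expected annual loss and the loss the control avoids rather than a checklist score. The scenario, all of its (minimum, most likely, maximum) estimates, and the use of a triangular distribution in place of FAIR's usual PERT sampling are assumptions made for the example.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure.

Added illustration, not from the article or any LBMC product.
FAIR decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM):
    LEF         = Threat Event Frequency (TEF) x Vulnerability
                  (probability that a threat event becomes a loss event)
    annual loss = LEF x LM
Each input is a (minimum, most likely, maximum) estimate from the assessment
team. FAIR tooling normally samples a PERT distribution; this example uses
Python's triangular distribution as a stand-in (an assumption, not FAIR spec).
All scenario numbers below are constructed for the example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    low: float
    likely: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode). A point estimate
        # (low == high) is returned unchanged by the standard library.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate   # threat events per year
    vuln: Estimate  # probability a threat event becomes a loss event
    lm: Estimate    # loss per loss event, in dollars


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Run the scenario `trials` times and summarize the annual loss."""
    rng = random.Random(seed)  # seeded so results are reproducible
    losses = []
    for _ in range(trials):
        lef = scenario.tef.draw(rng) * scenario.vuln.draw(rng)
        losses.append(lef * scenario.lm.draw(rng))
    losses.sort()
    return {
        "name": scenario.name,
        "mean": sum(losses) / trials,
        "p90": losses[int(0.9 * (trials - 1))],  # 90th percentile annual loss
        "max": losses[-1],
    }


def avoided_loss(baseline: Scenario, controlled: Scenario,
                 trials: int = 10_000, seed: int = 1) -> float:
    """Expected annual loss before the control minus after it.

    Both runs use the same seed so the comparison is paired rather than
    contaminated by sampling noise.
    """
    return (simulate(baseline, trials, seed)["mean"]
            - simulate(controlled, trials, seed)["mean"])


# Constructed scenario (assumed numbers): phishing that leads to the
# takeover of a mailbox containing PHI, before and after enforcing MFA.
# MFA changes only the Vulnerability term; attackers still send the phish.
EXPOSURE = Estimate(50_000, 250_000, 1_500_000)   # dollars per loss event
BASELINE = Scenario("phishing, no MFA",
                    tef=Estimate(20, 50, 120),
                    vuln=Estimate(0.05, 0.15, 0.30),
                    lm=EXPOSURE)
WITH_MFA = Scenario("phishing, MFA enforced",
                    tef=Estimate(20, 50, 120),
                    vuln=Estimate(0.005, 0.02, 0.05),
                    lm=EXPOSURE)

if __name__ == "__main__":
    for s in (BASELINE, WITH_MFA):
        r = simulate(s)
        print(f"{r['name']:24s} mean ${r['mean']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"expected annual loss avoided by MFA: "
          f"${avoided_loss(BASELINE, WITH_MFA):,.0f}")
```

The output answers Johnson's reframed question directly: the difference in expected annual loss is the figure to weigh against the cost of the control, and the 90th percentile shows the board the bad-year exposure that a single compliance checkbox hides. The same structure extends to any scenario the risk assessment surfaces, as long as the three estimates come from people who know the asset and the threat.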
This is, by no means, an exhaustive description of everything healthcare companies and practices need to consider about their security program. Other topics include policies, disaster recovery, incident response, awareness and training, along with numerous other important facets. However, seeking answers to the questions above is a fantastic starting place.
Then, the first step towards improvement must be a change in mindset. It's time for healthcare companies to aim for security and accomplish compliance along the way, instead of the other way around.
Mark Fulford, CISSP, CISA, CCSFP, HITRUST, is an LBMC shareholder in the Risk Services Division with nearly 25 years of experience in information technology, audit and security. LBMC Information Security's team includes a diverse group of experienced professionals that help healthcare companies protect their systems and meet compliance obligations. LBMC is also the creator of the BALLAST automated risk management application, used by hundreds of organizations to identify, track, and remediate security risks. For more information, email firstname.lastname@example.org or go online to lbmcinformationsecurity.com.