Consider: Threats to the security and privacy of patient data in the U.S. healthcare system are increasing, healthcare organizations continue to struggle with the increasingly complex federal and state privacy and security regulations, and many, if not most, providers have experienced a data breach.
Those are among the findings of the Fourth Annual Benchmark Study on Patient Privacy & Data Security, which was conducted by Ponemon Institute and published in March 2014.
Here’s a quick summary of some of the study’s other takeaways:
- Fifty-one percent of healthcare organization respondents are compliant with the post-incident risk assessment requirement in the HIPAA Omnibus Rule while 49 percent report they are not compliant or are only partially compliant.
- Thirty-nine percent say their incident assessment process is not effective and cite a lack of consistency and inability to scale their process as the primary reasons.
- The process most often used to conduct and document post-incident risk assessments is a manual process developed internally (34 percent), followed by an ad-hoc process (23 percent). Only 15 percent use an automated tool or process developed internally, and 20 percent use one developed by a third party.
- Forty-six percent of organizations have personnel who are knowledgeable about HITECH and states’ data breach notification laws.
Why do healthcare organizations still struggle with the fundamentals of information security?
The success of an information security program has as much to do with people and process as it does with technology. Establishing a dedicated staff that is responsible for the management and oversight of information security is crucial.
And hiring a strong Chief Information Security Officer (CISO) is one of the most important tasks in an overall strategy to effectively protect the confidentiality, integrity and availability of information.
CISOs retain accountability and responsibility for the success of their information security program and provide the focus and strategic presence necessary for the program to achieve its objectives. By coordinating all information security activities under the guidance and leadership of a CISO, healthcare organizations can significantly improve their security posture while reducing the risk that issues go unaddressed.
The role of the CISO is strategic and tactical while acting as a conduit between the clinical, business and IT operations. Accomplishing the mission of an information security program requires a CISO with strong leadership skills, executive presence, security knowledge and effective placement within the organization.
Let’s break down these attributes in further detail:
- Leadership - The CISO should provide executive leadership in developing, planning, coordinating, administering, managing, staffing and supervising all information security-related operations. The CISO should provide overall leadership to the information security program and coordinate it with complementary programs including privacy, compliance, physical security, risk management, purchasing, human resources, internal audit and legal counsel, as well as integrate closely with clinical and business executives.
- Executive Presence - The CISO serves as a spokesperson for the Information Security Program including presentations to the board of directors and addressing concerns expressed by auditors, vendors and patients. The CISO should have the executive presence to effectively represent the organization’s position regarding information security matters and the ability to influence other executives in the achievement of their clinical and business goals in a manner consistent with the security program objectives. Simultaneously, the CISO should possess effective communication skills and an ability to interact with personnel at all levels in the organization.
- Security Knowledge - The CISO should decide or recommend the organization’s stance on numerous information security issues and, as such, should have a solid basis of security knowledge upon which to draw. The CISO should possess strong analytical and diagnostic abilities to understand and apply theoretical concepts to practical problems. The CISO should have strong information security skills derived from having at least 10 years’ experience in information technology and five to seven years of direct experience managing a program. The CISO should be a Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM).
- Organizational Placement - Organizational placement of the Information Security team varies by organization. However, the information security program should be treated as an enterprise-wide responsibility accountable for addressing security-related people, process and technology issues. It’s important to consider the placement of the CISO such that he or she has senior executive sponsorship and support to ensure the success of the information security program.
From the CISO’s first day on the job, he or she needs to meet with people in many different functions and layers within the organization. The role includes a lot of listening, data gathering and synthesizing of information. The role also includes explaining, training and persuading people at all levels of the organization so that they understand what information security is and how information risks affect their areas of responsibility. The CISO should have excellent people skills and be a good manager, because this role cannot be accomplished alone. The CISO should also get accustomed to hearing the word “no” on a regular basis when first starting out.
An effective information security program can only be achieved when a holistic approach is adopted. This approach should take into consideration the people, process and technology dimensions of information security while adopting a risk-balanced, business-based approach. Information security is a journey, not a destination, and there are always new challenges to meet. HIPAA security compliance can be one of those challenges because it is not achievable through a single solution and does take time to address. However, the Fourth Annual Benchmark Study clearly illustrates that a large number of healthcare organizations still need to step up their security game and hire an effective CISO, nine years after the HIPAA security compliance deadline of April 2005.