What Healthcare CEOs Need to Know About IT Security Risk
Healthcare CEOs are responsible not only for growing the overall value of their organization but also for protecting its most important assets. In a new report, Daniel Berger, CEO of information security firm Redspin, contends that improving IT security is now on their plate as well. A single laptop left on a train could cost an organization millions to recover from. “Looking ahead, breaches will not be the only concern,” he says. “The integrity and availability of patient data will also be threatened by security issues.” Here is what Berger wants CEOs to know.
Fewer than half of hospitals have a chief information security officer, and compliance responsibilities stretch across multiple departments with unclear lines of responsibility. “Thus, most healthcare CEOs do not even have anyone fighting for the budget to improve security,” Berger notes. “Lastly, it is extremely rare to find experienced security experts on a hospital IT staff--they are in high demand in every industry and are very hard to recruit and train.”
Most security assessments are inadequate in scope, or the resulting mitigation plan was never implemented, and more than half of hospitals conduct their assessment in-house. Alternatively, a firm is hired to conduct a “desk audit” that is little more than a checklist. Either way, assessments focused solely on complying with regulations are not sufficient and will not withstand an audit. “CEOs should know who within the organization actually conducted the assessment and what scope of work they used. Was the assessment conducted by a junior person or a full cross-functional team?”
Many C-level initiatives to improve security are met with resistance driven by fear of losing one's job or stature. Organizations that cave will remain in reactive mode, Berger warns. “The protection of personal health information is analogous to a custodial responsibility. Ultimately, the buck stops with the CEO. It is now a fiduciary responsibility to understand the risks and threats to PHI. Further, in extreme cases of willful neglect, executives can be held criminally responsible.”
Berger recounts worst-case scenarios cited in a recent article in Wired Magazine: Denial-of-service attacks could make patient data inaccessible during a life-threatening emergency. Medical devices are easily hacked; drug infusion pumps could be remotely manipulated to change dosages. Bluetooth-enabled defibrillators could be manipulated to deliver random shocks to a patient’s heart or to prevent a needed shock from occurring.
“It is not that one hospital will gain more business because they better protect patient records (although the converse will likely be true),” Berger says. “Completely embracing security in its full definition--confidentiality, integrity and availability--has far greater implications. It is in alignment with strategic goals such as improved patient care and better patient outcomes. At some point in the near future, it will even save lives.”
Berger concurs with recommendations from Forrester Research to avoid purely operational metrics, such as laptops patched or emails scanned, that do not speak to broader organizational objectives or healthcare outcomes. “A mix of strategic objectives and operational metrics is the best approach,” he says. “The key point is to show the relationship between the two. Expert security firms can really make a difference here by introducing meaningful metrics and information security management systems from prior experience with other clients and in other industries.”
Better IT security is no longer optional, Berger cautions. CEOs face migration to cloud services, connections to health information exchanges, dramatic increases in internally developed application software, a flood of new end-user networked devices, voice recognition systems, expanded in-home care, remote connections and mobility that includes wearables. “The list could go on.”
The full Redspin report is available from Redspin; brief registration is required.