Five Steps to Developing a Healthcare Information Technology Security Plan
July 24, 2018
Security breaches have become common place. Daily, we hear cybersecurity breach reports in the media. However, when Healthcare institutions are impacted, consumers see this as “more detrimental” than other industry breaches.
Healthcare continued to be a lucrative target for hackers in 2017 with ransomware, cloud storage mishaps, and phishing emails dominating the year. In 2018, these threats will continue and cyber criminals will likely get more “crafty” and “creative”.
Within the past two years, 94% of healthcare organizations have had at least one cybersecurity hack. CIOs must work cross-functionally throughout the organization to educate and partner with departments to help them understand the impact of a breach and the importance of establishing a systematically strong security posture.
Think about your institution’s approach to security? Is it systematic and consistent? Are disaster recovery measures in place? Is your security posture strong? Are there procedures and processes in place to proactively secure IT environments?
Without an ongoing systematic approach to IT security, a strong security posture to protect patient data, is in jeopardy. Below, I break down five steps to developing an effective IT security plan.
- Run Risk Assessments. Before developing an effective security plan, an initial risk assessment must be conducted to determine assets, systems or devices that require protection. Once the assets have been identified a risk target level can be assigned. Cyber criminals change and adapt quickly. Healthcare institutions must keep pace to remain secure.
- Establish a Security Culture. Security checklists and plans alone are not enough to develop a strong security posture. It is incumbent on any organization where lives and critical patient data are at stake, to support proper information security by establishing a culture of security. Every person in the organization must subscribe to a shared vision of data security so that best practices are automatic. It must start with executive support and buy-in. Protecting patients through good information security practices should be second nature to healthcare organizations.
- Review IT Security Policies and Procedures. Keeping up with IT security trends and threats can be difficult. But, IT security policies must match the current “threat level” and the craftiness of cybercriminals to proactively defend organizations from cyberattacks. Policies must include measures to protect data and it is imperative that they include measures to control access to patient information to minimize risk to electronic healthcare records. Role-based access should be established.
- Educate Employees About Security Best Practices. No longer are the days of cutting IT security budgets viable. CIOs must allocate budget to employee training and awareness programs and systems to properly secure environments, particularly when lives are at stake. Hackers will look for the weakest link in security plans — and it’s employees. If employees are unaware of how to recognize and avoid security threats, they can be a weak link in a chain of defense. For example, hackers will prey on employees by sending phishing emails that appear to be official and expose organizations to malicious code and ransomware.
- Include a Disaster Recovery Plan in the Overall Security Plan. With the increase in security breaches, it is clear that IT departments must assume that security breaches and cyberattacks will occur. While healthcare institutions need a strategy to prevent breaches, a comprehensive disaster recovery plan is necessary, in the event of a breach, to minimize unscheduled downtime, rapidly recover data, etc. Incorporating both elements in one cohesive IT security plan is becoming increasingly crucial.
The healthcare industry continues to be a prime target for information theft as it lags behind other industries in securing critical data and medical information which has the greatest value to hackers. It is imperative for healthcare providers to invest time and funding into maintaining and ensuring the protection of healthcare technologies and the confidentiality of patient information from unauthorized access.
Proactive security in healthcare is therefore, a must! It means predicting threats that your institution might face and arming yourself ahead of time. Healthcare providers must take an “offensive” posture to protecting patient data from security breaches by developing and adhering to a comprehensive plan.
Gone are the days of lack of strategy and reactive or defensive security postures. If your organization does not have the IT resources to develop and implement a security plan, I recommend at Managed Security Services Provider who can tailor a program to meet your company’s needs, level of risk, and culture.
Author, John Brady, CISSP is Chief Information Security Officer of Secure 24. He provides information security advisory services to clients. in addition to his leadership role in the company.