
Closing Gaps in Healthcare Security

  • March 03, 2016

by Tom Foley


Director, Global Health Solution Strategy

Healthcare and security: you can’t bring up one topic without stirring up the other. The relationship is easy to explain, given that healthcare routinely handles highly private, sensitive information. And while technology brings an expansive array of possibilities to the table for healthcare, it also brings security concerns front and center.

As CIOs and CTOs select technology to fill holes or improve infrastructure, they must carefully consider how each product might affect their security posture. What happens when they bring a product into their infrastructure? How can they trust the products they are adding? Those are valid questions for every addition, no matter how simple it might seem.

And the list of devices that are connected to the Internet, and therefore relevant to security, is only getting longer. The Internet of Things (IoT) is turning objects that were never a security concern (think watches) into ones that are. As written in an article for Fierce Mobile Healthcare:

“Privacy and security concerns, interoperability, and data capture errors are among the biggest hurdles hindering Internet of Things innovation in healthcare according to healthcare consultant Paddy Padmanabhan.”

Evaluating products isn’t a quick once-and-done procedure, either. It involves verifying or testing the equipment; asking questions about touchpoints, the software, and the hardware; and ensuring adherence to HIPAA regulations. Those involved will also need to ask vendors for evidence of their security processes and practices, to confirm that products are free of malware, spyware, and backdoors. These precautions are becoming especially important as non-healthcare organizations enter the healthcare arena to provide apps, wearables, and other health management devices to consumers. As nontraditional and traditional healthcare parties converge, oversight will become necessary. Recent OCR HIPAA guidelines are a step in the right direction, according to ACT|The App Association, but more guidance is needed for app developers and device companies.

Even though security concerns are top of mind for some, there are individuals within health organizations who may be more in the dark than leadership realizes. Who should be made aware of, and eventually responsible for, gaps in security knowledge? Some organizations have gone so far as to create a new role to answer the call: a CPO, or chief privacy officer.

When fighting for security, it’s imperative to have all hands on deck. Unaware staff are themselves a risk. For that reason, organizations need to make everyone, from IT staff to front desk staff to professionals in the operating room, alert to the fact that risks come in more forms than computers and smartphones. In fact, medical devices have emerged as a key area of risk as they are increasingly connected to the Internet and to other networks. The FDA’s recent cybersecurity guidance is aimed at medical device manufacturers, asking them to assess the threats to their products and to report vulnerabilities that could lead to serious negative outcomes. But still, the more knowledge that’s on the ground floor, the better.

What can help close gaps? Information, experiences, and the right relationships.

Information. Daily alerts from organizations like IT ISAC can help organizations stay on top of imminent threats. Organizations should also try to stay informed about others’ unfortunate experiences. In security, knowledge of risk is power.

Experiences. Similar to how organizations prepare for tangible emergencies (such as fire drills for fire), they can practice for security breaches with dry runs and table-top exercises.

Relationships. There’s power in numbers. Creating a circle of trust by connecting with other organizations can help determine which alerts are likely to matter to you.

In addition to the above, organizations simply need to focus their efforts on being proactive. A recent report from the Ponemon Institute found that 70 percent of surveyed healthcare organizations and business associates identified employee negligence as a top threat to information security. But employees can only act on what they have been taught, hence the importance of ongoing security training. If employees are more aware at every turn, for example when checking their email or deciding whether a piece of information is public, proprietary, or patient-specific, the organization is already at an advantage.

At HIMSS16, ESET researcher Stephen Cobb will be speaking on “Why CIOs and CISOs should think of their organization like a patient and address the most urgent problems first.” What points of weakness pose the greatest threats to your organization? How can you arm employees with the right knowledge and reaction to face those threats with confidence?

Reference Articles:

1. “3 hurdles facing digital health IoT innovations.” Fierce Mobile Healthcare. January 15, 2016.

2. “Are Better HIPAA Guidelines Needed for Health Apps, Devices?” Health IT Security. January 12, 2016.

3. “It Pays to Be a Privacy Officer.” Digits. December 18, 2015.

4. “FDA issues cybersecurity guidance on medical devices.” Modern Healthcare. January 19, 2016.

5. “The human risk factor of a healthcare data breach.” Health IT Exchange. December 8, 2015.

6. “PhishMe report shows employees can become assets in anti-phishing battle.” CSO. December 21, 2015.

7. “Expert: Triage approach can build stronger health data security.” Healthcare IT News. February 1, 2016.

8. “Criminal attacks are now leading cause of healthcare breaches.” Ponemon Institute. May 2015.