• They follow their corporate policies regarding protection of patient and/or institutional and intellectual property?


• Upload proprietary information to the cloud, like Google Docs, and if so, does the organization’s policy allow that?


• Identify a mobile application that enables business processes, was the group’s IT Security team notified to validate that the proper security controls are in place?


Beech urges individuals to:


• Be careful about using wireless internet access without a password, as it can be used to attack your online presence.


• Ensure encryption and anti-theft software is installed on laptops.


• Check that apps they want downloaded come from a reputable source.


The threats have also morphed as bring-your-own-device to work has proliferated. Criminals note the increased use of smartphones, but attack devices with the classic hacker trio of phishing, viruses and malware. In response, Beech cites how organizational security awareness and training provide three countermeasures to stop cybercrime. The keys are that employees learn to identify and report incidents; they understand appropriate security behaviors for handling and protecting data — for example, password controls; and understand how to implement security policies.


CHOP’s efforts around security have attracted attention in the cyber security world. In 2012, CHOP was spotlighted as one of the Top 10 Healthcare IT Innovators by InformationWeek magazine. Innovations include the hospital’s creating an IT and business team to develop a new role-based security system as part of its Epic electronic health record (EHR) implementation project. Epic is a company that makes software apps for medical groups, hospitals and integrated health care organizations. At CHOP, they use the Epic system to customize role templates that accommodate 9,000-plus users and nearly 500 roles.


EHRintelligence dot com, an online resource specializing in EHR and electronic medical records, knows what is at stake. Last April, it asked a crucial question about a recent data breach of 24,000 Medicaid records that keeps cyber security CISOs like Beech alert: “If a poorly configured server in Utah can be compromised by hackers in Eastern Europe, how much trust can we put into our providers using Web-based systems to not expose our data to illegal access through simple user error?”


Beech recommends that would-be health care CISOs gain solid technical prowess in cyber security writ large, as the field transcends industries, before entering health care security where they must become steeped in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. An understanding of database management and applied health informatics, which is the use of “system-analytic tools to enhance management control and decision-making,” is important. Other CISO must-haves are bachelor’s and master’s degrees in information systems, computer science, engineering or other related fields; strong skill in computer forensics and security architecture; and practical experience, perhaps internships, in InfoSec tools and technologies.


Students must gain soft skills such as negotiation techniques and trust-building. But their most crucial attribute will be the ability “to translate technical issues into business impact and help executives understand how the threats and risks impact the overall business and patient experience.”


The latest innovation in cyber health care and related records security is health information exchanges. They, Beech says, provide the ability to store, maintain and share health information with a trusted partner, i.e., hospitals or regional HIEs. Much of that and other health-related material will be cloud-based. Beech believes cloud computing has inherent risks. These, she says, include “trust of the cloud provider security model; multi-tenancy (Where is my data?); litigation (Will you support me when I need my data?); and if the cloud provider is really compliant with HIPAA, are just examples of what every company needs to carefully evaluate when considering the use of a cloud provider.”


“Successful safeguards help us to build patient and other stakeholders’ confidence in healthcare information technology and the greater health system.”


– Dominic Mack, associate professor, Department of Family Medicine, Morehouse School of Medicine


www.blackengineer.com


The details that Beech provides will cheer Dominic Mack. He is not a cyber-security expert. His title is associate professor, Department of Family Medicine at Morehouse School of Medicine. Mack, who sees the safeguarding of health care patient and facility information at the ground level, cites reasons for continuing digital attentiveness. They include patient safety, fraud prevention, privacy assurance, the prevention of sabotage of patient information and denial of access to businesses and insurance companies.


“Successful safeguards help us to build patient and other stakeholders’ confidence in healthcare information technology and the greater health system,” he said.


USBE&IT I WINTER 2012 69

