2021 THE STATE OF HEALTHCARE & HEALTH IT
hospitals and health systems that follow a structured cybersecurity roadmap generally tend to include network segmentation as an important component of their security strategy. We find that network segmentation may not be as prevalent in smaller to mid-sized healthcare organizations.
More and more patient care organization leaders are turning to external security operations centers (SOCs) for help, as they struggle to keep up with the cyber threats intensifying against their organizations. What does the state of SOC engagement look like to you right now?
There are many such security operations centers in business these days. It is crucial that threats are monitored actively on a 24-by-7 basis. Hackers do not sleep, and monitoring efforts should not either. Monitoring should also go hand in hand with incident response, so that when a credible threat is identified, the incident response mechanism is activated immediately. We sometimes see that a strong security event management system may be in place, the security operations center team may be monitoring threats actively, but then the patient care organization may or may not have the bandwidth to properly respond to and address threats as they appear. The entire process should be part of the organization’s security strategy and day-to-day procedures.
More patient care organizations are hiring CISOs, but a large plurality still does not have a CISO. Is the pace of CISO hiring moving too slowly?
Yes, the pace of CISO hiring is moving slowly. If a healthcare organization cannot afford a full-time CISO, they can always outsource the function and hire a virtual or part-time CISO. It is vital that patient care organizations tackle cybersecurity in a systematic and organization-wide manner and include compliance with key security and privacy regulations as part of their daily process. The importance of instilling a culture of security and privacy in all levels of the organization cannot be overstated.
Are CISOs obtaining enough funding and staffing to support their needs?
Funding and staffing all depend on the prioritization assigned by executive management to various security initiatives in the organization. We find that healthcare CISOs in general have very small teams. But as long as the business is supported by the right technology and the right monitoring teams and processes, large in-house security teams may not always be required. The team needs to be of the appropriate size to be able to operate in strategic vision mode rather than simply in crisis mode.
How will the landscape around the professional development of security information professionals in healthcare evolve forward in the coming few years?
Numerous healthcare security training opportunities have popped up over the last few years. Universities are beefing up their cybersecurity offerings as part of their computer science degree programs. Medical security and testing labs have been opened in institutions of higher education and in global and regional health organizations. Medical device security is becoming an area of focus as well. Organizations such as (ISC)2 are playing a big role by continually updating their healthcare certifications such as the HealthCare Information Security and Privacy Practitioner (HCISPP). HCISPP is unique in that it combines cybersecurity and privacy knowledge to help healthcare teams implement, maintain and manage controls to enhance their organization’s privacy and security posture.
What would your most essential advice be for patient care organization leaders, in terms of what they must do in the next several months, to improve the information security of their organizations?
Security must always be top of mind for patient care organizations. While medical professionals have patient care as their top priority, they really need to bear in mind that without the right levels of security, the level of patient care they provide can be seriously impacted. The healthcare industry relies on technology very heavily, whether it is through electronic health record systems, transmission of healthcare data or connected medical devices. Data is the most valuable resource these days, and medical data is perhaps the most valuable of the lot. Protecting patient data is not only a high priority for medical professionals but also a core responsibility.

The very basic minimum step that every organization needs to take is to be aware of what its security baseline is, and for that, it should plan on performing a comprehensive enterprise-wide security risk assessment at least on an annual basis. The results of a security risk assessment will feed into the overall cybersecurity roadmap for the organization.

Security is an ongoing process. It requires constant monitoring and improvement. Change must be continuously tracked. Some organizations conduct daily vulnerability scans to verify that nothing has changed in terms of exposure on their networks. Security consists of several layers. Defense in depth is a crucial strategy when it comes to securing an organization. Defensive mechanisms are implemented in layers so that if one protection fails, another is available to provide an appropriate level of defense. Organizations should always consider employing a multi-faceted approach as part of their cybersecurity blueprint. Security and privacy go hand in hand. It is through data security that patient data privacy can be maintained.
JANUARY/FEBRUARY 2021 | hcinnovationgroup.co