Top 6 Security Takeaways from HIMSS18
Amid the Las Vegas lights, the Sands Expo was abuzz during the Healthcare Information and Management Systems Society (HIMSS) conference, which gathered over 45,000 attendees to discuss the latest innovations in healthcare information technology. At this year's HIMSS there was a particular buzz about healthcare privacy and security, with over 97 speaking sessions devoted to cybersecurity. There was a growing awareness that, as the healthcare community embraces new technologies and care models that are transforming patient care, the need for patient privacy and security is more pressing than ever. The discussions were consistent on one point: security technologies are enabling patient trust and streamlining workflows in ways not previously thought possible. We've narrowed down the top 6 security takeaways from HIMSS18 below:
1.) Security Needs a Well-Connected, Articulate Business Leader at the C-Suite and Board Levels
Healthcare C-suite leaders must maintain a sharp, ongoing focus on a multitude of concerns, ranging from patient care optimization to improving revenue cycle efficiency to strengthening their organization's community and partner bonds. Cybersecurity must join the portfolio of items that receive this focus. Doing so requires a security leader who fosters ownership of and accountability for security within the organization by building, together with their C-suite colleagues, effective governance, and then maintaining it. That governance and partnership can drive a culture in which security is recognized as a C-suite-level concern. From that foundation, a strong security leader will focus on core best practices for security operations such as ongoing risk assessment and management, third-party assessment, and ongoing education of the workforce.
2.) The Next Cybersecurity Attack Is Not "If" but "When", So Layered Defense Is Essential
Multiple attacks in recent years have used the leaked NSA exploit EternalBlue, which targets a flaw in Microsoft's SMBv1 protocol that was patched in MS17-010, and have spawned variants of malware and ransomware such as WannaCry and NotPetya. It's safe to say we've all heard of these, but what are healthcare organizations actually doing to prevent the next attack that is sure to arise from these threats and the many others to come? No single technology will stop 100% of attacks from striking your network, so organizations must instead deploy and maintain proactive safeguards that together form a layered "defense in depth" approach. How can an organization achieve this layered approach? Adopt a comprehensive security framework and map your program's capabilities, and its gaps, against it. Focus on continually maturing the security program rather than on merely meeting regulatory requirements. Ensure the Board is aware and enlist its participation and support in implementing and growing the security program. From that program foundation, invest in technical measures, ranging from the simple to the complex, that address known vulnerabilities and threats. Communicate about your program with stakeholders inside and outside your organization.
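One of the "simple" technical measures mentioned above, worked through as an added example for this article (not a FairWarning or HIMSS tool): auditing and, if requested, disabling the SMBv1 protocol that EternalBlue exploits. The script assumes a Windows 8 / Server 2012 or later host with the SmbShare and DISM PowerShell modules, run from an elevated session; the `-Remediate` switch and the `Get-Smb1State` function are names chosen here for illustration. It deliberately does not hard-code MS17-010 KB numbers, which differ per Windows version; verify patch status through your patch-management system.

```powershell
# Added example: audit and optionally disable SMBv1, the protocol EternalBlue (MS17-010) targets.
# Illustrative code written for this article, not the page's or any vendor's own tooling.
# Assumes: Windows 8 / Server 2012 or later, SmbShare and DISM modules present, elevated session.

param(
    [switch]$Remediate   # without this switch the script only reports (hypothetical name)
)

function Get-Smb1State {
    # Server side: will this host answer SMBv1 sessions? This is the surface EternalBlue hits.
    $server = Get-SmbServerConfiguration

    # Client side: is the SMB1 client component installed? (Optional feature on Windows 10 / Server 2016+;
    # on older builds the feature may not exist, so errors are suppressed and treated as "not installed".)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ServerSmb1Enabled   = [bool]$server.EnableSMB1Protocol
        ClientSmb1Installed = [bool]($feature -and $feature.State -eq 'Enabled')
    }
}

$state = Get-Smb1State
$state | Format-List

if (-not $Remediate) {
    Write-Host "Report only. Re-run with -Remediate to disable SMBv1 on $($state.ComputerName)."
    return
}

if ($state.ServerSmb1Enabled) {
    # Turning off the SMBv1 server removes the listener EternalBlue needs; SMBv2/3 keep working.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled on $($state.ComputerName)."
}

if ($state.ClientSmb1Installed) {
    # Removing the client component also stops this host from talking SMBv1 to malicious servers.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMBv1 client feature removed; a restart is required to complete the change."
}
```

Run it in report-only mode across a sample of hosts first. In healthcare environments legacy medical devices, imaging systems and printers sometimes still speak only SMBv1; where one cannot be upgraded, the layered-defense answer is to segment and firewall it rather than leave SMBv1 enabled fleet-wide.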
3.) Incident Response is Critical but Security Preparation Starts Well Before an Attack
Security and compliance are crucial to all healthcare systems, no matter their size or budget. Every healthcare organization faces common data security risks, including third-party risk and the need to collaborate with partners and monitor their performance to reduce the risk each entity poses to the other. Managing these challenges starts with aligning governance and culture: governance is how the organization says it makes decisions, and culture is how the organization actually makes them. If there is a gap between the two where security decisions are concerned, more communication is what ties them closer together. In doing so, security controls and culture can be strengthened before an attack, allowing the organization to detect and mitigate risk when an attack does occur.
4.) Invest in the Maturity of a Security Program, and Don’t Measure Success with Just Regulatory Compliance
There is no magic formula an organization can use to determine how much of its budget should be allocated to cybersecurity. Healthcare organizations can no longer allocate money toward regulatory compliance and consider that a cybersecurity budget. Determining a cybersecurity budget requires the organization to ask, and answer, some hard questions about itself and the threats it faces: What risks do our healthcare systems carry? What is the cost of a security investment versus the potential cost of a security incident? The assets at risk in healthcare organizations include PHI, PII, EHR and EMR systems, medical devices, mobile devices, payment card information, and more. There is also the exponential increase in the human attack surface: cybercriminals have identified the weakest link in the cybersecurity chain, the human insider. The direct and indirect costs of a cyber attack and PHI breach are mammoth, and organizations should not underestimate the level of protection needed to secure their network. Investing in the maturation of the security program builds a foundation for long-term security success, rather than a record of compliance checkboxes.
5.) Save Time to “Do More With More”
We've all heard the saying "do more with less," but Francois Boudhuin, Technology Director at Inspira Health, believes that organizations should "do more with more" when it comes to security. Boudhuin would know; Inspira added two new hospitals under his watch. He explained that his focus was on growth, not on managing hardware and software. Security was still a concern for Boudhuin, but he did not have the time to hire cybersecurity staff, especially given the skills shortage, turnover, and budget constraints that come with it. Instead, he turned to FairWarning's Managed Privacy Services to take the burden off his hospital staff, which he says reduced his privacy and security workload by up to 80%. Managed security services provide outsourced monitoring and management of accounts, devices, and systems.
"They are very aware of HIPAA security and privacy," says Francois Boudhuin. "You want to be an enabler, a department of yes and not a department of no. We are enabling our hospital staff to concentrate on patient care." Francois Boudhuin, Technology Director, Inspira Health
6.) Healthcare Trends and Changes will Continue to Keep CISOs Busy
As so often in healthcare, needed improvements to care delivery will keep CISOs working hard to maintain the confidentiality, integrity, and availability of patient data. One such improvement, which received much attention at HIMSS, is the need for increased health data exchange among trusted care partners. This exchange is needed to optimize the care of patients across providers and to support improved patient outcomes. Called for by the 21st Century Cures Act, the Trusted Exchange Framework and Common Agreement (TEFCA) is a key element supporting this trusted exchange of confidential patient data and promoting interoperability among providers. As confidential patient data flows to trusted partners, everyone in the healthcare information sector will need to ensure that the safeguards for this data receive ongoing attention and work.
It was clear at HIMSS18 that as we embrace new technologies that are transforming patient care and the industry as a whole, security must be an integral part of that transformation. A multi-layered approach to security, combining streamlined workflows, executive buy-in, proper allocation of resources, and a "do more with more" mindset, will enable healthcare providers to innovate and improve patient privacy and patient care for a bright future of healthcare.