Here’s more from Mark Beckmeyer, Binary Fountain’s Director of IT Security. Mark’s 30 years of experience gives him deep insight on the ways that healthcare entities can evaluate, implement, and maintain their security compliance programs.
Privacy and security as corporate culture
My previous blog described some of the threats that keep healthcare IT security executives awake at night. Day-to-day defenses against hack attacks, ransomware, PHI exposure and HIPAA violations occur at the operational level. But it’s vital that the enterprise-wide culture of security originate from the top. An active, involved Chief Security Officer, working with CIO, CTO and compliance executives, will drive the organization to stay current on security innovations and evolving threats, to continuously adopt and implement IT safeguards and to enforce privacy and security policies with regular awareness and training updates.
Management sets the tone
In the 2017 attack on Equifax, hackers exploited a known security flaw to steal records of 143 million people – names, birth dates, Social Security numbers, addresses and more. The company admitted learning of the vulnerability two months before the attack, and in the end the CIO and CSO were fired. In a company that sets high security standards from the top down, would the flaw have been patched as soon as it was discovered?
In my career, I have seen proactive organizations embrace security, and I have seen the reactive approach that lets security risks take root, develop and spread. If top management doesn’t understand the ROI of security – if executives think of it as an expense and not an investment in the company – this lack of commitment can have costly consequences.
A case in point is a large health insurer. An on-site risk assessment revealed that their data center had no backup power supply, a problem the company chose not to address quickly. Soon afterward the data center was knocked out of service by electrical damage from a hurricane. It’s ironic that an insurance company was reluctant to invest a small amount to insure uninterrupted operation of vital systems.
Top management should never be stuck saying, “We didn’t know about this vulnerability” when a breach happens. C-level executives must engage in a regular back and forth with IT and security managers, both to reinforce the cultural commitment to security and to receive reports from the operational staff. Details like making security a standing topic of weekly staff meetings can go a long way in supporting that communication. Otherwise, management forfeits the chance to set the tone and leaves itself in the dark about emerging risks and about the response to actual breaches.
Exceptional security means no exceptions
Even more dangerous, management sometimes behaves as if security standards don’t apply at their level. There was a CIO who actually helped architect an internet access system that bypassed security. In another case, staffers used secure servers to store personal music files. Physicians are important, but they should never be allowed to dictate the organization’s approach to security.
Compliance is a milepost, not a destination
Whether due to lack of vision or misperception of the true cost, management might make the mistake of checking off regulatory and procedural boxes as the end goal. As important as HIPAA compliance and SOC 2 certification are, they are mileposts on the road to healthcare information security, not destinations.
Best practices with staff
Although people in IT often fulfill multiple roles, best practice argues against putting the same person in charge of both IT and security, because this can lead to blind spots. It’s not easy to design a demanding penetration test against IT systems you built and run yourself.
Ideally, every employee’s performance evaluation should include criteria for meeting security goals, with positive points for training and awareness participation, as well as negative points for actual breaches.
Excellence at all levels
An organization’s culture of security should start at the very top, with the board of directors and the C-level executives, and extend throughout all levels of the workforce. Establishing security as a performance metric helps keep awareness high, and demonstrates the tangible commitment of the organization to effective security.
We hope that every healthcare organization and practice will work to be the best of the best. Excellence is measured not by the size of the budget, but by the strength of the commitment to excel at security and to operate at a level well above minimal standards of compliance.
Mark Beckmeyer, D.Sc., CISSP, is Binary Fountain’s Director of IT Security.
Do you have a healthcare information security concern or question? Let us know what’s on your mind, and look for answers to your concerns in future posts from Mark.