The healthcare landscape has many challenges – security being at the forefront. Ransomware attacks grow increasingly rampant with each day and healthcare is the perfect target due to hospitals relying on antiquated technology that alerts them only after the infection occurs. Cybercriminals are always on the forefront and looking at innovative ways to gain valuable data. With all of these breaches taking place, it's time for organizations to reconsider if they have a sound security policy to address these issues. In order to have a successful security policy, you must address three areas and ask yourself: Is my security policy measurable? Is it repeatable? And is it enforceable?
Measurable
How do you define your security policy? What metrics do you follow for it to be successful? Does your policy address risks to Electronic Health Records? For Healthcare, it’s important to know who can see, touch and move data. In the case of a Healthcare provider: doctors, nurses and patients. All three want real-time access to information and data to make quick and decisive decisions for the benefit of the patient. Providing this information safely and securely under government regulations and HIPAA privacy is challenging. Any document or file received can be constituted as “risk.” For healthcare organizations, how do you work to mitigate that risk? It is beneficial to measure your own security policies by doing internal risk assessments to ensure you are following HIPAA guidelines, along with a scorecard/checklist and sharing the results of your findings within each department. This helps demonstrate whether your policy is being recognized across the organization, as well as gauging your staff’s understanding as to why the rules and regulations are placed. Setting up security measures for Identification, Authentication, Workstation Security, Mobile Computing and Electronic Mail Systems are imperative to a healthcare environment to follow both for good “housekeeping” and federal law.
Repeatable
Is your security policy continuous and simple enough for the organization to comprehend? Enforcing an effective security policy means that the measures you take as an organization are continuous. It doesn’t stop with a simple check mark that you are HIPAA compliant. Your IT infrastructure grows on a daily basis and your policy must address and adopt new security risks that are evolving 24/7, 365 days a year. In healthcare, there are a wide array of different technologies being used every day. Issuing activities, such as security training, seminars and initiatives on a continuous basis, helps enforce the messaging of what the organization wants to accomplish and to raise overall awareness of changing security threats that grow with each passing day.
Enforceable
Within your organization, the policies you set must come from the top of the organization downward. It’s important to put together an IT security team within the organization mixed with people from different departments across the organization. IT, doctors, nurses and others touch the hospital system each day – to have them involved in the security decision-making processes will help resonate and ingrain itself within the organization quicker and more efficiently. It also makes end-users feel empowered by encouraging their participation to assist in the direction of how the organization protects itself while making the end-user experience as easy and simple as possible. Your team should set up administrative, physical and digital safeguards for all IT needs ranging from risk assessments of your IT environment, locked offices containing computing equipment with EMR information, and the standards of securely configured computing equipment and mobile devices.
Final Thoughts
Implementing your security policy requires a collaborative effort across your entire organization. Fifty-two percent of healthcare security personnel reported that their organization spent less than 3 percent of their IT budget on IT Security. The value of healthcare records will continue to grow, resulting in more risk. Breaches in healthcare will continue to be a major contributor to the continuous rise in healthcare costs across the US. Where does the security start and end? How do you define your security policy in your organization?
About the Author: Ross Smith is a Healthcare Sales Program Manager for SHI. Focused on solving Healthcare challenges through providing Innovative IT Solutions. Rutgers Grad in Management and Marketing. Baseball and Football Enthusiast via Atlanta Braves and Indianapolis Colts. Jersey Born and Raised. Lives for New Jersey Diner Food. Motto: As many times as you fail, the taste of success is that much sweeter. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.
