How successful hospitals build a culture of information security

January 1, 2016 | By Lisa Dare, TEKsystems Digital Content Strategist

Are you headed for a major data breach?

To put it simply, healthcare data has a target on its back. In fact, it’s a target that keeps getting hit: 90 percent of hospitals experienced at least one data breach in the most recent two-year period studied by the Ponemon Institute.

You’re probably in trouble if you can answer yes to even one of these questions:

• Does your CEO think information security is mostly about compliance?
• Does your organization view InfoSec as a hindrance, not enabler, of growth?
• Do you put most of your InfoSec resources into preventing sophisticated technical attacks?

How can healthcare providers cope and thrive?

The most sophisticated health InfoSec programs have one major thing in common: they embrace a culture of information security and privacy—and realize it has nothing to do with IT.

In my experience working with healthcare executives throughout the country, they understand that they need to build a culture of data privacy and information security. They just don’t know how to do it. One way to start is by studying what works for other healthcare providers.

Discover what the most successful care providers and hospitals have in common:  

1. They assess. They have a clear understanding and acceptance of organizational and technical vulnerabilities. They invest in understanding how care providers operate, and the things that get in their way—are time-consuming controls slowing down nurses? Are you seeing lots of password reset requests? Those are red flags that something is wrong with your processes. And if that’s the case, you’re setting up your team to fail. You're raising the odds they’re going to create risky workarounds like sharing passwords. The highest-performing information security programs work closely with staff to set up and monitor how InfoSec initiatives work in the examination room or reception station. And then they closely monitor and address issues.

2. They’re simultaneously reacting to threats and planning for the future. Healthcare has been slow to understand and adapt to its own vulnerabilities, so pretty much everyone is in reactive mode. But the sophisticated programs are also creating a strategy for the future now.

3. They understand organizational management. You can secure every technical asset but you’re still only one shared password, stolen laptop or unsecured work station away from a major breach. While most healthcare providers mandate training and awareness programs for all staff, the content is often unengaging and quickly forgotten.

To create a privacy culture, you need everyone—from nurses to the board—to buy into the importance of security actions, understand the safety protocols and risks, and report potential issues quickly. You need to create a data privacy message that resonates with all stakeholders—and it’s going to be a different message for doctors than accountants—and an exceptionally strong training and awareness mechanism.

4. They have strong protocols for working with vendors. Providers with a compliance checkbox mentality assume that if the legal risk is outsourced, they’re safe. That’s not the case. I’ve seen good partners and some very bad ones, and patients ultimately don’t care who’s to blame for a breach. Successful programs set crystal-clear expectations for healthcare partners, from their MSPs to billing vendors. They also evaluate their partners’ vulnerabilities.

5. They have CISOs who are realistic about their budget limitations. Your plan needs to account for how you’ll execute items, your budget and your internal resources. Even as TEKsystems’ 2016 IT Forecast shows healthcare InfoSec spending is on the rise, you’ll never have unlimited resources. Prioritize the steps that will provide the strongest defense against threats and exposure. One way I’ve seen hospitals get around this is to carefully evaluate existing resources and use them in a new capacity. For instance, if you have someone working on employment contracts, see if you can task some of the more administrative work to a lower-paid employee and use the attorney’s time for compliance tasks.

6. They shore up known vulnerabilities. Many providers worry about protecting against sophisticated zero-day threats, but the reality is most breaches take advantage of vulnerabilities the IT department has known about for at least a year. The recent UCLA system breach attacked sensitive data that was not encrypted.

7. They partner with the CISO to drive growth. Many hospitals, fearful of inviting breaches, are becoming very risk-averse. That’s not a great competitive strategy in the digital age. Great CISOs know they don’t have the luxury of stymying digital innovation, which is quickly becoming a key differentiator for patients and payers, and a critical component of the value-based compensation that will inexorably change healthcare.

Yet, you can’t throw out information safety for growth. Sophisticated hospitals are having the CISO report to the CEO or board, or at least including them in every major digital decision, because the CISO understands the business and care ramifications of InfoSec initiatives. Successful CISOs or their teams regularly attend meetings with other departments to better understand their needs. A great CISO understands the downstream implications of risk and can make help organizations make informed decisions about how to proceed with digital initiatives.

8. They care about governance: They do Identity and Access Management well. They understand data classification, and have careful controls for information access levels.

9. They have the right team. An integrated information security team includes legal and compliance expertise, business analysts and security analysts. Articulating an employee value proposition that positions InfoSec as a growth partner is a strong mechanism for attracting highly qualified people in field. Search for team members who are detail-oriented, have an excellent ability to think macro and micro, and understand the strong logic of policy-driven decisions.

Need guidance to strategically improve your HIT InfoSec program? We can help. TEKsystems Healthcare Services has deep expertise in the healthcare information security space, including Identity and Access Management (IAM). You can also take advantage of our huge network of highly qualified HIT pros to build an innovative, top-performing team.

Matthew Ehrlich is a director of national accounts for TEKsystems Healthcare Services. In addition to leading a team, Matthew manages operations and executive relationships at four large healthcare clients, and has worked extensively with payers and providers throughout the nation.