What Healthcare CEOs Need To Know About IT Security Risk
By Christine Kern, contributing writer
A Redspin white paper sets out to help CEOs identify IT security risks and goals.
A white paper geared towards helping healthcare CEOs better understand the necessity to include and prioritize IT security as a part of their risk management responsibilities has been made available. The white paper also provides a number of practical recommendations that CEOs can put to work immediately.
In the white paper – What Healthcare CEOs Need to Know About IT Security Risk: When Saving Costs Can Be Costly – Redspin CEO Daniel Berger contends that improving IT security is the responsibility of a CEO with failure to do so costing an organization millions. “Looking ahead, breaches will not be the only concern,” he says. “The integrity and availability of patient data will also be threatened by security issues.”
Berger wants CEOs to know, among other things, most hospitals lack a chief information security officer and compliance responsibilities often stretch across multiple departments with unclear lines of responsibility. “Thus, most healthcare CEOs do not even have anyone fighting for the budget to improve security,” Berger notes. “Lastly, it is extremely rare to find experienced security experts on a hospital IT staff – they are in high demand in every industry and are very hard to recruit and train.”
Most security assessments are inadequate in scope or the resultant migration plan was not implemented, and more than half of hospitals conduct their assessment in-house. Or, a firm is hired to conduct a “desk audit” that is little more than a checklist. Either way, assessments focused on complying with regulations are not sufficient and will not withstand an audit. “CEOs should know who within the organization actually conducted the assessment and what scope of work they used. Was the assessment conducted by a junior person or a full cross-functional team?”
Many C-level initiatives to improve security are met with resistance driven by fear of job security or loss of stature. Berger warns, “The protection of personal health information is analogous to a custodial responsibility. Ultimately, the buck stops with the CEO. It is now a fiduciary responsibility to understand the risks and threats to PHI. Further, in extreme cases of willful neglect, executives can be held criminally responsible.”
Data breaches are not the worst thing that could happen. Bergen recounts worse-case scenarios cited in a recent article in Wired Magazine that noted denial of service attacks could make patient data inaccessible during a life-threatening emergency. Medical devices are easy hacked and drug infusion pumps could be remotely manipulated to change dosages. Bluetooth-enabled defibrillators can be manipulated to deliver random shocks to a patient’s heart or prevent a needed shock from occurring.
“A mix of strategic objectives and operational metrics is the best approach,” Berger says. “The key point is to show the relationship between the two. Expert security firms can really make a difference here by introducing meaningful metrics and information security management systems from prior experience with other clients and in other industries.”
The need for better IT security is no longer an option, Berger cautions. CEOs face migration to cloud services, connecting with health information exchanges, dramatic increases in internally developed application software, a flood of new end-user networked devices, voice recognition systems, expanded in-home care, remote connections and mobility that includes wearables. “The list could go on.”