Healthcare CEOs are accustomed to fielding regular reports about market trends and financial threats to the organization. But what about IT security? Given the rising incidences of data breaches, shouldn’t CEOs be making room for this topic on a frequent basis as well?
The legal liability alone of such breaches is daunting to consider; add to that the irreparable harm to patients and such situational awareness in the C-suite becomes an imperative.
That said, CEOs should hardly be expected to take a course in cybersecurity to understand the minute details of log monitoring, remote diagnostics and other IT security tactics. So what should be included in a high level report? And who should deliver it?
First and foremost, this is a regular briefing that actually needs to be read—and to that end, it should be short and to the point. It should clearly outline current issues and threats as they relate to physical, technical and administrative IT security vulnerabilities.
Healthcare IT pros will immediately recognize these as the three categories cited in the HIPAA privacy and security rule that require strong safeguards to prevent a breach of protected health information (PHI). They’re good categories to include in a CEO’s IT security briefing, as well, as they cover a broad range of areas where security vulnerabilities may appear.
Administrative safeguards direct healthcare organizations to have policies and procedures in place to prevent a breach of PHI. Physical safeguards are concerned with security of the physical infrastructure and controls that house PHI—whether a data center, a back room devoted to servers, or even the areas where people use their workstations to access PHI. Technical safeguards center on the technologies and controls used to protect PHI, typically addressing network, computer and storage that include firewalls, encryption mechanisms, intrusion detection and prevention software and so on.
A sample administrative threat that might be included in a CEO’s IT security briefing: “We anticipate 50-plus new hires over the next two months.” Or the inverse: “We are reducing staff over the next two months.” Each of these scenarios poses its own risks. New hires need to be trained on policies concerning Internet and email usage to avoid falling for “phishing” scams that can unlock the organization’s network to cyber criminals. Even longstanding and current hires can fall for phishing scams or access information they aren’t authorized to see. Departing employees may be disgruntled—and want to copy valuable patient files before they leave.
A potential physical threat could be a site’s vulnerability to a natural disaster, such as a hurricane. Thus, as hurricane season approaches, it would be a good idea to call out in an upcoming brief what measures are in place to keep data up and running in the event of a power outage.
Technology safeguards will cover a broad span of potential and current threats, from denial of service attacks to IP spoofs to network sweeps to phishing attempts. It can be effective to include the rate at which such attacks are occurring. Evidence of sustained high rates may compel many CEOs to make room in the budget for additional IT security.
So how does the CEO evaluate if an issue needs his or her further attention? It helps to assign a risk score to each issue or threat; the recommended mitigation action; and status that indicates if this action has been taken or not. Don’t make it complicated, though—remember, these reports need to be short and easily digested. So for risk scoring, consider using color-coded threat or vulnerability levels; for example, green for “safe,” yellow for “moderate risk,” orange for “high risk” and red for “severe risk.” A quick glance at this type of color-coded summary tells the CEO if immediate action needs to be taken.
A final piece of advice about these security briefings: archive them. A year should be sufficient, and going through them can reveal patterns of issues raised that may need to be addressed or considered for future IT budgets.
Naturally, it’s important to get an accurate assessment of current threats, one that’s free of internal politics and a fear of stigma if a briefing does indeed identify vulnerabilities. One approach is to work with a third-party expert who can assist with reports based on data that’s real time, or near real time, using instruments such as a threat level dashboard.
A cloud-based system that actively monitors actual security and HIPAA compliance levels throughout an organization’s IT environment gives healthcare leaders a current sense of the threat types that fall under the HIPAA domain and what steps are needed for remediation.
As for physical safeguards, many healthcare organizations are offloading PHI management and security to healthcare-specific security experts, who host this valuable data in facilities that are healthcare-fortified with stringent HIPAA security protocols. That leaves administrative safeguards, but here again, a healthcare cloud security expert can assist with recommending and developing policies and procedures for keeping PHI safe. Going forward, regular briefings will enable the CEO to make sure these measures are adhered to—and that the organization is staying ahead of the risks and fines.
About the Author
Chris Bowen is Chief Privacy and Security Officer and founder of ClearDATA.
Originally published November 15, 2016 by Health Data Management.