A thorough risk assessment is prudent for any organization, but is particularly essential for companies in the healthcare industry. Protecting patient data is important, and failing to have robust security measures can shut down facilities and have life-or-death ramifications.
However, implementing industry-standard cybersecurity practices can inhibit clinicians’ work, also leading to life-and-death consequences. For example, systems that prevent log-ins if clinicians are logged in elsewhere can interrupt or delay surgeries. That is why I feel that cybersecurity professionals should spend quality time with their healthcare clients, conducting in-depth interviews and visiting their workplaces, to develop cybersecurity measures that balance clinicians’ vital workflow operations with security and patient privacy.
Three Critical Issues in Healthcare Cybersecurity
In working with healthcare clients on their cybersecurity practices, I consistently see three pressing security issues:
Risk management. Most healthcare organizations haven’t conducted an effective risk assessment, so they don’t know what they should be doing, what order it should be done in, or how much of it to do. So they may spend their cybersecurity budgets trying to protect the wrong things.
Awareness. Every security risk comes down to people: poorly written software, misconfigured firewalls and clicking email links (phishing) are all examples. Those responsible for security admit that people are their biggest risk, but still do little about it.
Incident response. Most healthcare organizations are not equipped to deal with small incidents, let alone major breaches. I’ve also seen them overlook the legal, compliance, communications and other aspects of response that compound losses.
The Healthcare Assessment
The complexities inherent in healthcare – from federal regulations to the on-the-spot decisions clinicians make – mean that healthcare companies require more tailored risk assessments than other organizations. That’s why I’d recommend a special HIPAA Risk Assessment to help achieve both compliance and effective cybersecurity. Here’s how this assessment differs from assessments I’ve done in other industries:
A combined assessment and audit. At my firm, we often directly observe controls rather than rely on interviews alone; for example, we shadow employees to observe both their work and the security protocols they follow. We also ensure that the assessment is explicitly standards-based, as the federal government requires that risk assessments be conducted to detailed standards.
A “backwards” review. We identify strengths rather than only pointing out deficiencies. We dig up as much evidence as possible to prove our clients are doing the right things, which is important if they come under fire with a complaint or breach. Many healthcare organizations don’t have a HIPAA Security Officer (HSO) who would be accountable for HIPAA-related violations (and the keeper of evidence in the event of a breach). That can leave it in IT’s hands. For healthcare organizations, I’d suggest shoring up internal expertise that can discover valuable evidence of compliance.
Customizing Sensible Security
Effective cybersecurity protocols should balance security with the needs particular to healthcare. The best cybersecurity controls are invisible. Cybersecurity was always intended to support the business — so cybersecurity in this space is about figuring out how to let healthcare specialists do what they need to do safely and securely.
For example, healthcare personnel often engage “workarounds” to security measures that hinder their work, such as sharing passwords so several co-workers can read the same patient charts.
And I can’t blame them. The security industry hasn’t made this easy or intuitive. Passwords are a great example of an authentication control that is either completely deficient or way overboard. Strong passwords aren’t effective if they’re posted on sticky notes and left on computer monitors. The same goes with writing down passwords that expire monthly. Things like biometrics and two-step verification are changing the way we think about passwords, but it comes down to specific risks on specific devices in specific work areas.