Data breaches will continue to plague the healthcare sector until the security mindset among senior leadership radically changes, says security and privacy expert Kate Borten, a former healthcare CISO.
"Security is not a business imperative for most healthcare provider organizations today," says Borten, founder and president of the privacy and security consulting firm The Marblehead Group. "It's an issue of governance leadership, resources and budget."
Those same issues were also highlighted in a recent report issued by a cyber task force advising the Department of Health and Human Services, she notes.
"As the task force report pointed out, a chronic problem is that many healthcare organizations are running on what they refer to as a very thin budget," Borten says in an interview with Information Security Media Group.
"When your main product is patient care, you're going to be focusing on ... nurse staffing - and security is going to take a back seat. There are going to be few people in the organization saying: 'We need to lay off some nurses so that we can hire more security people'."
The healthcare sector is making inadequate progress toward implementing robust, mature information security programs, Borten contends.
"When it comes to [defending against] ransomware and big breaches, it continues to be a question of having a robust security program that is consistently patching, applying updates," she says.
In the interview, Borten also discusses:
- The recommendations made by the HHS task force for how the healthcare industry can improve its approach to cybersecurity;
- Alarming patient privacy mistakes healthcare staff and executives make;
- Why medical device security is such a headache for healthcare provider organizations.
Before founding The Marblehead Group, Borten led the enterprise-wide security program at Massachusetts General Hospital in Boston and, as CISO, established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup.