Healthcare Security Survey: A Benchmark
Symantec's Health IT Officer Weighs in on ISMG Study
I've just had a look at a report on the results of Information Security Media Group's Healthcare Information Security Today Survey.
In an age of "innovation" where we are told to "reframe" every problem and not just to "think outside of the box" but "think like there is no box," it is good to know where you are and what is done or what isn't done. Knowing where you are makes it easier to get where you need to be.
The results of this survey tell us where we are as an industry. It isn't that pretty, but now we know where to go and what we must do.
It starts with the Hot Topics - hot, but probably not new to you if you're even aware of healthcare information security: 1) breach prevention; 2) encryption and authentication; 3) risk assessments; 4) security priorities & investments; 5) BYOD; and 6) cloud computing.
Here are a couple of things that I've been describing for several years now as "no-brainers": Encryption and DLP. How do you decide what is the right protection if you don't know what data is where or who is using it and where it came from and may be going? And guess what? DLP is the No. 2 tool that respondents plan to invest in next year, a close second to audit tool/log management.
Encryption? Survey respondents mentioned it most often as the one factor that would most improve information security at their organization. So, why are we still talking about it? It provides a safe harbor from breach notification, and it is the safest, cheapest, easiest way to deal with mobile media (jump drives, laptops, backup tapes). Go to the federal government's "wall of shame" list of major health data breaches and see how many breaches never would have happened if this "no-brainer" had been in place.
And if you aren't going to encrypt the data, then at least make sure only the right people are getting to the data. Authentication is coming on strong, and that is due, in part, to "patient engagement" and the ever-popular e-prescribing for controlled substances. Not to mention other fun things like health information exchange (the verb and the noun). Every time data changes hands, there is a chance it leaks, gets lost or falls into the wrong hands. That's why we must protect the handoffs of data at the people, process and technology levels.
Risk Assessments? Remember those things we were supposed to start doing, oh, when was it, 2005? The survey shows only 8 percent of respondents haven't done an assessment yet, down from 26 percent last year. But what about that ongoing risk management process? Nearly one-third haven't updated their risk assessment in the past year - and that means their assessment is out of date because, surely, something in their environment has changed.
What about BYOD and mobility concerns? We know from this survey that a majority of organizations allow clinicians to use personal mobile devices for work-related purposes. And fully a third of respondents expect to invest in a mobile device management system next year. Please, everyone, don't forget the policy and procedure you'll need before you turn on tools.
The best news I saw in here was that 73 percent of respondents said they were stepping up training on privacy and security issues - ranking as the No. 1 step to help prevent data breaches. When the director of the HHS Office for Civil Rights, which enforces HIPAA, and the privacy officer at the HHS Office of the National Coordinator for Health IT talk about the need to build a "culture of compliance" or a "culture of privacy," they are really talking about people. So training is a great top priority - the absolutely right top priority.
Some other good news: 86 percent report that they either have a documented information security strategy or are working on one. That, unfortunately, still leaves 14 percent with ... well, a null set.
Everyone involved in healthcare information security should take a good look at this survey. It could be a tool for educating staff beyond the IT department. It could be an industry benchmark that makes you and your management feel good about what you've done (and sleep a little better at night). Or not. Worst case, it is going to tell you what you haven't done that most of your peers are already doing so you can figure out if that needs to be your direction as well.
This survey helps tell you where you are. That will make it easier for you to get to where you need to be.
David Finn, CISA, CISM, CRISC is the health information technology officer for Symantec. He previously was CIO and vice president of information services at Texas Children's Hospital, where he also served as the privacy and security officer.