Defending Against Health Data Hacks
Risk Management Expert Discusses Common Mistakes
With the healthcare sector becoming a growing target for cybercriminals, it's critical that organizations implement information security management practices that go far beyond a focus on HIPAA compliance. Yet, one of the biggest mistakes many healthcare entities continue to make in protecting patient information from cybercrime is taking a compliance-centric approach to information security, says Kenneth Peterson, CEO of risk management consulting firm Churchill & Harriman.
"With the ever-changing threat landscape, they should be approaching it from a risk management perspective," he says. Many organizations in healthcare and other industries also frequently overlook third-party risk, he says. For example, a vendor was the entry point for hackers in the high-profile Target breach a year ago, he points out.
"Unless you shore up your information security programs through the third-party risk element of that program, you are missing the boat," he says.
Another mistake healthcare organizations and their business associates make is failing to involve the right people from the outset of the risk assessment process, he says. "From the beginning, the assessment is not set up for success, but at best, set up for partial success."
In the meantime, being better prepared to defend against cybercrime will only become more challenging in 2015 as hacking attacks become more common, he says. And when it comes to patient information, "Social Security numbers are the single most valuable data that hackers are after," he adds.
In the interview, Peterson also discusses:
- Common risk management mistakes that covered entities make, including neglecting to use repeatable and auditable tools;
- The importance of "layered" security controls;
- Cybersecurity intelligence and information-sharing trends in the healthcare sector and other industries.
Peterson has more than 30 years of experience developing and implementing enterprise risk management and human resources consulting solutions. He founded Churchill & Harriman in 1986 to develop and implement enterprise risk management and third-party risk management solutions for large enterprises. The company helps clients select and implement controls, processes and tools that identify, measure and manage enterprise risk.