Hacker Attacks: InfoSec Strategy Impact
Expert Offers Risk Management Insights
A critical step that more healthcare organizations must take to improve their information security programs is to prepare for the changing threat landscape, especially hacker attacks, advises security expert Tom Walsh.
"There are constantly new things coming up that we have to address, and so the best way to stay on top of this is to always be looking at ... your threat profile - what's changing," says Walsh, founder of the consulting firm tw-Security. His comments came in an interview with Information Security Management Group to discuss findings of the recently conducted 2015 Healthcare Information Security Today survey. In the coming weeks, ISMG will offer a webinar and a detailed report on the survey, sponsored by Caradigm, (ISC)² and ZixCorp.
ISMG's fourth annual survey of information security leaders at hospitals, clinics, integrated delivery systems and health plans found that the No. 1 emerging cyberthreat that healthcare entities are worried about in 2015 is hacker attacks. Indeed, two recent health data mega-breaches involved hackers: the attacks against health plan Anthem Inc., which affected 78.8 million current and former members, and Premera Blue Cross, which impacted 11 million.
"Today hacking has evolved to where it's organized crime and nation-states," he says. "It's becoming a real concern for healthcare organizations."
Walsh says the evolving threat landscape needs to be addressed in organizations' risk assessments and their risk mitigation strategies.
Conducting a risk analysis is vital "so you know where you're most vulnerable and what you need to do to address it," Walsh says. "And I think it goes beyond just looking at policies and procedures. It's that evaluation of your technical safeguards and controls as well, and sometimes that requires bringing in the expertise to run scanning or penetration tests to see where you're vulnerable."
Plotting a Roadmap
The survey found that 60 percent of participating organizations have a documented information security strategy, while about 30 percent say they're working on one and 9 percent don't have one. Walsh says failure to develop a formal information security strategy is dangerous in the current risk environment.
"It's the roadmap. It's laying the foundation, the groundwork as far as where the security program will be going in the immediate future as well as further out," Walsh notes. "What I'm finding is that, more and more, information security is actually becoming a topic for ... the board of trustees. They want to know, 'what's the plan?' You've got to have a roadmap and know where you're going."
In the interview, Walsh also discusses:
- Why many healthcare organizations need to improve their information security awareness and training programs for staff;
- Why organizations need to use stronger authentication methods for those accessing patient data;
- Challenges involved in achieving secure electronic health record interoperability.
Walsh is founder and president of tw-Security, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He has more than 22 years of information security experience. Walsh is also a frequent speaker at healthcare industry events and is the author of four books on healthcare information security. During HIMSS15 in Chicago, Walsh will be hosting an all-day workshop, Navigating the Practical and Legal Aspects of HIPAA on Sun. April 12 in room W190A at the McCormick Place convention center.