Health Data Protection: Overlooked Steps
Summit Speaker on Avoiding Strategic Blunders
Healthcare organizations need to guard against focusing solely on technology when devising their data protection strategies and make sure they don't overlook other critical steps, including ensuring physical security and testing information security policies, says privacy and security expert Kate Borten.
"There's a tendency for organizations that feel under pressure or on the hot seat to look too narrowly - for instance to look just at technology. But in fact ... anyone involved with an information security program understands that there are a gazillion strategies, controls and safeguards to protect data," Borten says in an interview with Information Security Media Group.
"There is nowhere near a single silver bullet. So there are certainly things that every organization in the country can be probably doing better to protect data," says Borten, who will be a featured speaker at ISMG's inaugural Healthcare Information Security summit in Boston on June 11.
In addition to implementing the right technologies and addressing physical security, organizations need to develop the right administrative controls, the consultant notes. Organizations need to have comprehensive security processes in place. "And that doesn't mean just the written policy or written procedure," she says. "That means lots of evidence that you're following those policies with lots of processes in place."
Borten also notes that too many organizations, especially smaller ones, still have insufficient security resources. "It's still far too common to see a CIO or a network systems person being dubbed the 'security officer' with little specific background in information security, and already [being] maxed out time-wise. I encounter this very often, and it's very frustrating to the people in that position because they know there is so much more they should be doing, and they just can't get to it."
In the interview, Borten also discusses:
- Data security protection measures that are most often overlooked by business associates;
- The essential data protection steps that covered entities should demand in their business associate agreements with vendors;
- The measures that covered entities and business associates should adopt or bolster in light of the recent string of major hacking attacks in the healthcare sector, as well as the data breach at the U.S. Office of Personnel Management.
Before founding The Marblehead Group in 1999, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer.
For a complete agenda and registration information, visit our summit website.