Security: 'What Are We Missing?' Experts Identify Most Overlooked Security Steps
Healthcare organizations need to make sure they don't overlook free resources they can use when conducting a risk assessment. They also need to avoid overlooking a number of important security measures, according to speakers at a Feb. 20 workshop at the Healthcare Information and Management Systems Society Conference in Las Vegas.
HIMSS recently produced a free risk assessment toolkit, says Lisa Gallagher, senior director of privacy and security at HIMSS.
Also, the National Institute of Standards and Technology offers Special Publication 800-30, Risk Management Guide for Technology Systems, which provides useful insights, says Tom Walsh, president of Tom Walsh Consulting. NIST also has a draft of an updated version, NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.
Other Security Tips
At the workshop, other advice offered on security measures that are often overlooked includes:
- Organizations must go beyond a risk assessment and complete a business impact analysis, says Terrell Herzig, data security officer at UAB Health System. "Risk assessments assess the likelihood of a given threat and not its direct impact on business operations," he says. "Without a business impact analysis, an organization runs the risk of underestimating the resources required to respond to an event," such as a natural disaster, he adds.
- Risk management must include a mobile security policy. "Too many organizations are deploying mobile devices before they have policies in place for dealing with them," Gallagher says. If more organizations had policies in place limiting data stored on the devices and requiring encryption, the number of breaches "would come down significantly," she says.
- System administrator passwords should be changed just as often as user passwords, Walsh stresses. Too often administrator passwords are changed only when someone leaves, he adds.
- Organizations must have a procedure in place to make it easy for staff members to contact security staff to request that unused hard drives, CDs and other storage media be promptly destroyed, Herzig says.