Written by Kurt Hagerman, CISO, Armor
With the inherent complexities of the healthcare environment, as well as corresponding compliance requirements, organizations are seeking strategies to streamline efforts without compromising data security. Although strides have been made, healthcare is still in catch-up mode with other industries in terms of cybersecurity. Ground can be gained, however, by applying familiar clinical risk management principles to data protection that can be ready-made to achieve HIPAA compliance. Since healthcare has always been astute at identifying and managing risk in the clinical setting, aligning this thinking with a security posture will help provide a similar level of protection to sensitive data.
With a trove of financial and personal information coveted by criminals, healthcare organizations must not only comply with regulations but also allocate resources to cybersecurity that will make the process consistent and repeatable. Introducing tools such as HITRUST CSF Version 8 goes a long way in supporting cybersecurity, along with AICPA SOC2 reporting, contextual data de-identification, cloud services, and meeting expanded requirement details.
By rethinking cybersecurity and applying proven risk management techniques, organizations are better suited to face the challenges cybercriminals present. Healthcare organizations have a keen awareness of keeping patients safe in the physical environment, but from a digital perspective, many forces have aligned to make this a more challenging task.
Because of the prolific and diverse nature of threats and vulnerabilities due to the dramatic increase in the number of connected devices, healthcare organizations are spending enormous amounts of money to stop cyberattacks and achieve compliance. In addition, legacy infrastructure and devices were not designed with security in mind.
This is particularly concerning as healthcare data has far greater long-term value that does not diminish over time, as opposed to credit card or other financial information. Healthcare data is not as frequently reviewed by users, and as a result, can be compromised and exploited for a far greater duration of time before measures are taken to stop its abuse.
Compliance standards must be complemented by a commitment to sound risk management to identify, respond to and ultimately protect against threats. The combination of regulatory compliance and traditional risk management in terms of cybersecurity can help proactively prepare for cyberattacks and mitigate threats against sensitive information to protect the organization and reduce liability.
In short, applying traditional clinical risk management principles to the cybersecurity environment can bring a new perspective to proactively anticipating and mitigating threats.
The time is now for healthcare providers to change their cybersecurity approach and transition from a reactionary mitigation response to a proactive position that prioritizes challenges. Organizations will then be able to work more effectively to not only ensure compliance but also place the protection of patients and the institution first and foremost.
Kurt Hagerman serves as CISO for Armor and is responsible for the governance, risk and compliance aspect of the security mission for both corporate and customer-facing products. To learn more, visit www.armor.com.