
SecurityWeek


5 Common Security Mistakes Healthcare Organizations Make

When Community Health Systems revealed it had been breached earlier this year, a spotlight was placed on cybersecurity in the healthcare industry, and the diagnosis was not good.


In that case, patient records for some 4.5 million people were exposed by hackers. The situation added Community Health Systems to the list of organizations impacted by security incidents, and sparked discussions about the importance of information sharing within the industry and between companies and the government.

Based on his experience consulting with healthcare organizations, Michael Wojcik, senior manager with Ernst & Young, noticed patterns among organizations that contribute to security failings, and at the (ISC)2 Security Congress in Atlanta this week outlined the five most common security mistakes healthcare organizations make.

Perhaps not surprisingly, understanding and managing risk is critical, and failing to do each of these are numbers one and two on Wojcik’s list of missteps. Organizations sometimes mistake control assessments for risk assessments, he explained in an interview with SecurityWeek. A gap in a control is a vulnerability; a risk assessment, by contrast, is about events that could occur, and its findings need to be explained in business terms as opposed to technical terms.

The failure to communicate actual risk can hinder the ability of IT departments to get the resources they need to secure the business, he said.


“If I have a breach,” he explained, “how much is it going to cost the organization? How much reputational damage am I going to get?”

Once the risks are understood, they must be managed. While that could mean taking steps to address them, it could also mean simply accepting certain risks according to the risk tolerance of the organization, Wojcik said. The appetite each business has for risk can be highly individual, and may depend on the size of the organization and its financial resources, he said.

It is also important for organizations to properly categorize their assets. Many organizations don’t have a good handle on where all the sensitive information in their organization is, he said. Not all systems on the network are created equal, as some may have more critical information than others.

“You need to protect the bigger, high-value assets differently and more because those are the kind of breaches that will cost you dearly both financially and reputationally, and potentially you can risk patient safety,” he said.

Mistakes four and five are closely related. Organizations often don’t develop objective control standards, and many times don’t use a control framework that is more prescriptive than HIPAA [Health Insurance Portability and Accountability Act], he said.

While HIPAA specifies the need for information system activity reviews, it does not specify how often or what activities should be looked at. Those types of details need to be documented in control standards, he told SecurityWeek.

“I think HIPAA was a good thing for the industry because it got them thinking about security and actually doing something with security,” he said. “But right now what it has done on the negative side, it’s created a culture of compliance…so it’s more a compliance-based mindset versus a security-based mindset. I think that it’s changing especially over the past six months to a year, where companies are seeing that the compliance aspects are important, but the compliance should be proven by your security and not vice versa.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
