5 Common Security Mistakes Healthcare Organizations Make

When Community Health Systems revealed it had been breached earlier this year, a spotlight was placed on cybersecurity in the healthcare industry, and the diagnosis was not good.

In that case, patient records for some 4.5 million people were exposed by hackers. The situation added Community Health Systems to the list of organizations impacted by security incidents, and sparked discussions about the importance of information sharing within the industry and between companies and the government.

Based on his experience consulting with healthcare organizations, Michael Wojcik, senior manager with Ernst & Young, noticed patterns among organizations that contribute to security failings, and at the (ISC)2 Security Congress in Atlanta this week outlined the five most common security mistakes healthcare organizations make.

Perhaps not surprisingly, understanding and managing risk is critical, and failing to do both are numbers one and two on Wojcik’s list of missteps. Organizations sometimes mistake control assessments for risk assessments, he explained in an interview with SecurityWeek. A gap in a control is a vulnerability; risk assessments are about events that could occur, and need to be explained in business terms as opposed to technical terms.

The failure to communicate actual risk can hinder the ability of IT departments to get the resources they need to secure the business, he said.

“If I have a breach,” he explained, “how much is it going to cost the organization? How much reputational damage am I going to get?”

Once the risks are understood, they must be managed. While that could mean taking steps to address them, it could also mean simply accepting certain risks according to the risk-tolerance of the organization, Wojcik said. The appetite each business has for risk can be highly individual, and may be dependent upon the size of the organization and their financial resources, he said.

It is also important for organizations to properly categorize their assets. Many organizations don’t have a good handle on where all the sensitive information in their organization is, he said. Not all systems on the network are created equal, as some may have more critical information than others.

“You need to protect the bigger, high-value assets differently and more because those are the kind of breaches that will cost you dearly both financially and reputationally, and potentially you can risk patient safety,” he said.

Mistakes four and five are closely related. Organizations often don’t develop objective control standards, and many times don’t use a control framework that is more prescriptive than HIPAA [Health Insurance Portability and Accountability Act], he said.

While HIPAA specifies the need for information system activity reviews, it does not specify how often or what activities should be looked at. Those types of details need to be documented in control standards, he told SecurityWeek.

“I think HIPAA was a good thing for the industry because it got them thinking about security and actually doing something with security,” he said. “But right now what it has done on the negative side, it’s created a culture of compliance…so it’s more a compliance-based mindset versus a security-based mindset. I think that it’s changing especially over the past six months to a year, where companies are seeing that the compliance aspects are important, but the compliance should be proven by your security and not vice versa.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
