
Healthcare Cybersecurity – “Building an IT Security & Awareness Culture”


By Brian A. Shea, CIO, MedOne Hospital Physicians

I have been in healthcare IT for over half of my almost 30 years in IT. Healthcare definitely has its uniqueness compared to other industries; however, it is not unique in the fact that everything can be broken down into three key areas: people, process and technology. Cybersecurity will always be a moving target for organizations, especially healthcare. I believe that the most important thing within any organization is building an IT security and awareness culture. I have stated throughout my career that security is not something that you can simply turn on/off—it needs to be a part of every individual and organization’s DNA.

The overall objectives in building an IT security and awareness culture in healthcare come down to three things:

1. Protecting patient, company and employee data
2. Continual risk mitigation
3. Regulatory compliance

Threats

Threats come from all sorts of directions, including everything from foreign countries, organized crime, employees, vendors, terrorists, etc. The majority of threats are primarily about financial gain or causing disruption or both. The unfortunate thing is that most threats are initiated through employees (people) who inadvertently open or click on something they shouldn’t have. People are your biggest weakness within any organization.

Technology

I’m not going to spend a lot of time on any specific IT security technology. It is critical that your organization is continually evaluating and implementing a solid IT Security Technology Stack. I believe it starts with developing a Security Scorecard against current IT security best practices. You can use the Scorecard to help build your plan of attack, or strategy, for continued risk mitigation. The Scorecard would include everything from Endpoint Protection and Multifactor Authentication (MFA) to Data Loss Prevention (DLP) and IT Security Awareness Training. There will always be new vulnerabilities that can be exploited, accompanied by new security software that provides various kinds of protection. From my experience, it has always been about layering and finding the balance of what is “good enough” without breaking the bank. Technology is critical in taking decision points out of individuals’ hands. Simply put, you need a solid IT Security Technology Stack that provides visibility and attempts to prevent the bad things from ever happening; and if something bad does happen, allows you to minimize the damage and ultimately recover from an incident.


Process & People

Technology is the easier part compared to the process and people aspects of building an IT security awareness culture. As mentioned in the beginning, security needs to be a part of your organization’s DNA. What does that mean? It means that it has to become automatic or baked in. You want people to have an awareness and ask questions. If they are unsure of something, they need to err on the side of caution. It is important that an organization create an ongoing IT Security and Awareness Program. This includes not only providing the initial tools and knowledge when employees start working for your organization, but over the entire relationship. This should again be a layered approach, i.e., security awareness emails, training videos, etc. The frequency can vary, but one approach I have seen work is having things that are weekly, monthly and annually. You need the content to be meaningful and not just noise that individuals gloss over or ignore. Leadership needs to champion the importance of IT security to all levels of the organization—no one is above or exempt from learning. Many security incidents occur because people are moving too fast. This can be as simple as someone hastily reviewing or opening an email message, or a system administrator forgetting to patch or make the needed security configuration changes when implementing changes in production. I use this saying: “You need to slow down to move fast.” I know that sounds crazy, but it’s really about making sure that we are all being observant and making thoughtful choices and decisions no matter what we are working on.

Some key processes an organization needs to have in place, the bricks-and-mortar-type things, include ensuring all systems are being patched/updated, ensuring all systems have endpoint protection that is kept up to date, ensuring backups are being completed and tested, and enabling Multifactor Authentication (MFA). A lot of these will be identified on your IT Security Scorecard mentioned previously. In my opinion, if you are not doing the basics, then you are setting yourself up for failure.
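One way to turn those basics into the Security Scorecard described earlier is to score an asset inventory against each baseline control and rank the gaps. The following is an added example, not code from the article or from MedOne; the inventory records, the control names and the rating thresholds are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Baseline controls named in the article: patching, endpoint protection,
# tested backups and MFA. The key names are an assumption of this example.
CONTROLS = ("patched", "endpoint_protection", "backup_tested", "mfa")

# Constructed sample inventory (not real systems). Each record states
# whether a control is in place for that asset.
SAMPLE_INVENTORY = [
    {"name": "ehr-app-01", "patched": True, "endpoint_protection": True,
     "backup_tested": True, "mfa": True},
    {"name": "billing-db-01", "patched": False, "endpoint_protection": True,
     "backup_tested": False, "mfa": True},
    {"name": "frontdesk-pc-07", "patched": True, "endpoint_protection": True,
     "backup_tested": True, "mfa": False},
    {"name": "legacy-lab-02", "patched": False, "endpoint_protection": False,
     "backup_tested": False, "mfa": False},
]


def control_coverage(inventory: List[dict], controls=CONTROLS) -> Dict[str, float]:
    """Percentage of assets that have each control in place.

    An empty inventory scores 0.0 for every control rather than raising
    ZeroDivisionError: no assets measured means no coverage demonstrated.
    """
    total = len(inventory)
    if total == 0:
        return {c: 0.0 for c in controls}
    return {
        c: 100.0 * sum(1 for asset in inventory if asset.get(c, False)) / total
        for c in controls
    }


def gaps_by_asset(inventory: List[dict], controls=CONTROLS) -> Dict[str, List[str]]:
    """Missing controls per asset; assets with no gaps are omitted.

    A control that is absent from the record counts as missing, so an
    incomplete inventory entry is flagged instead of silently passing.
    """
    gaps = {}
    for asset in inventory:
        missing = [c for c in controls if not asset.get(c, False)]
        if missing:
            gaps[asset["name"]] = missing
    return gaps


def prioritized_gaps(inventory: List[dict], controls=CONTROLS) -> List[Tuple[str, int]]:
    """Assets ordered by number of missing controls, worst first (name breaks ties)."""
    gaps = gaps_by_asset(inventory, controls)
    return sorted(((name, len(m)) for name, m in gaps.items()),
                  key=lambda item: (-item[1], item[0]))


def rating(percent: float) -> str:
    """Traffic-light rating for a coverage figure (thresholds are assumptions)."""
    if percent >= 95.0:
        return "green"
    if percent >= 80.0:
        return "yellow"
    return "red"


def scorecard(inventory: List[dict], controls=CONTROLS) -> dict:
    """Build the scorecard: per-control coverage with a rating, overall mean, and ranked gaps."""
    coverage = control_coverage(inventory, controls)
    overall = sum(coverage.values()) / len(controls)
    return {
        "coverage": {c: (pct, rating(pct)) for c, pct in coverage.items()},
        "overall": overall,
        "priority": prioritized_gaps(inventory, controls),
    }


if __name__ == "__main__":
    card = scorecard(SAMPLE_INVENTORY)
    for control, (pct, colour) in card["coverage"].items():
        print(f"{control:20s} {pct:5.1f}%  {colour}")
    print(f"overall {card['overall']:.2f}%")
    for name, count in card["priority"]:
        print(f"fix first: {name} ({count} controls missing)")
```

The ranked list is the piece that feeds the "plan of attack": an asset missing every baseline control lands at the top regardless of how well the fleet scores on average, which is the failure a single overall percentage would hide.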

In healthcare, there is a lot of regulatory compliance, which does provide organizations the needed push to implement formal processes and procedures when it comes to protecting things such as PHI/PII. It’s important to find a healthy balance between regulatory requirements and operating efficiencies. Sometimes the more you over-engineer something, the more risks are introduced. Again, you need to educate individuals that just because you can do something doesn’t mean you should.

It is important as part of the process to create an environment that is more educational than punitive. There is a difference between someone making a mistake and being reckless. Yes, if there is a trend of poor judgment, it needs to be addressed. Building this type of culture encourages individuals to ask more questions around security/risk without fear of embarrassment or retribution.

There is no perfect or one-size-fits-all approach to building an IT security and awareness culture within your organization. The important thing to remember is that it requires ongoing focus and dedication from everyone.
