Specialist insurer Beazley reports that in the first nine months of 2017, unintended disclosures accounted for 41 percent of healthcare data breach incidents. The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss—hack or malware (19 percent), according to the Beazley report.
At Texas Health Resources, Mehring says, security leaders use sophisticated IT monitoring systems such as behavioral analytics to detect anomalous behavior, along with continuous auditing and monitoring of protected health information (PHI) within the electronic health record (EHR) and data loss prevention technologies.
There are also non-technical processes and programs that should be used, Mehring points out, such as a hotline that employees can use to report anomalous behavior. “You need a good hotline that allows the reporting of things, and from that hotline, you need to make sure the information is acted upon and communicated to the right department, whether it’s HR or it’s the legal or security team,” he says.
At a high level, Mehring says it’s critical that the CISO have strong relationships with human resources and compliance leaders within the organization to develop processes and policies to identify and address insider threat actions. “From a policy perspective, it’s about who is going to own the policy for that type of data and who sets the rules?” A transparent sanctioning program also is key so employees are aware that activities are being monitored. “Employees need to know that there is a process in place for accountability when something is inappropriately accessed or inappropriately shared,” he says.
Medical IoT and Cybersecurity
For many hospital and health system CISOs, the governance of medical device programs is the next frontier in IT security. Healthcare provider organizations are now managing an increasing number of digitally connected devices, and, as more devices come online, the cybersecurity risk increases and intensifies in complexity.
“I think most of us are still coming to terms with how we characterize IoT. Is a medical device an IoT, is a refrigerator that stores blood an IoT? Is a monitor that is displaying our marketing information in our hospital, is that IoT? If somebody gets a wearable, is that an IoT? And the answer to that is probably, yes, to all of that in some way,” Mehring says.
A critical, foundational step to managing medical devices is developing a comprehensive inventory and asset identification of all digitally connected devices within an organization, he notes. “Then you have to start developing at least some internal rules of how we characterize those types of IoT things and make sure we can differentiate between those different asset types because they are going to get different protection profiles. A medical device is going to get a different protection profile than a monitor on the wall in a hospital passageway that’s providing branding information,” he notes.
Understanding how various medical devices communicate, both inside and outside the hospital environment, also is a vital step in maintaining and protecting devices. “Developing good data flow mapping and understanding the way that devices communicate is very important. That allows you to put in better protection mechanisms once you understand how things communicate with each other. You can ensure that the appropriate communication security strategy is put in place around those devices,” Mehring says.
At THR, health system C-suite leaders have long been aware that cybersecurity is not just an IT problem, but a corporate-wide risk management issue, and one that requires an evolving, strategic approach to address the changing threat environment.