Security cannot be bought
ORLANDO - Security is not something that can be bought. It’s a mindset and program within an organization that keeps systems secure.
However, for Mitch Parker, executive director of Information Security and Compliance for Indiana University Health, a big challenge is that many executives don’t see it that way.
“Many healthcare organizations continue to approach security the way it always has,” Parker said. “As a result, many struggle with budget to afford the needed changes.”
What really needs to happen is a risk assessment, to shed light on systems in a subtle way.
“Risk assessments are more than checked boxes,” Parker said. They should include evaluating dependencies within an organization and determining the role of each department.
Security can’t function unless it’s part of IT strategy, Parker explained. And if a department can’t tie back into the organization’s security strategy, it’s not being effective.
To accomplish this, organizations need to put together a communication plan that focuses on activities to share that strategy - like a designated person to talk to patients and explain how the efforts are executed, he added.
Further, compliance can’t be bought. Outside consultants won’t understand consumers the way your organization does, Parker explained. And without corporate involvement, if the consultant leaves, all that’s left are “a lot of nice PowerPoint Slides.”
“It’s more important to build a program, than to try to buy compliance,” Parker said.
When Parker talks with senior leadership about security, especially those in chief counsel, he discusses the reason for the breach in the first place - like process failures, trends others are seeing and security reports.
It helps to put security in perspective by synchronizing five key groups: customers; enterprise architects; legal/contracting/compliance; supply chain; and enterprise risk/scoring. Parker explained this helps demonstrate to executives that you’re working with teams internally to design and develop systems correctly.
Further, it’s important for executives to understand: “IT is not that bucket that can handle all those expenses and is flexible enough to do so,” Parker said.
Parker’s presentation, “Healthcare Cybersecurity Transformation for Your Organization,” was part of HIMSS17’s Cybersecurity Forum on Sunday.
This article is part of our ongoing coverage of HIMSS17.