Homeland Security has tips for healthcare
Data breaches and cybersecurity threats in healthcare are going to happen. It's virtually unavoidable. What can be avoidable, however, are the messy consequences of substandard risk assessment strategies and inadequate threat response.
The Department of Homeland Security's Jason Gates, an analyst in the Industry, Engagement and Resilience branch within the Office of Cybersecurity and Communications, spoke at a virtual event Thursday about how healthcare organizations can lessen the risk of a cybersecurity attack and mitigate the effects of one when it does happen.
The take-home message? "Risk management never ends," he said. "New cyber threats, vulnerabilities and consequences require the constant modification of risk management strategy."
And this strategy proves necessary at every level of a healthcare organization, he said, including assets, facilities, IT systems, security and legal teams. If these strategies are implemented and maintained properly, and staff are trained appropriately, it can help avoid a whole lot of drama.
Some 94 percent of healthcare organizations have reported at least one HIPAA breach, according to a 2012 study from the Ponemon Institute. But 52 percent of those breaches were found during an audit or an assessment, Gates noted, so it's worth being proactive.
Gates suggested healthcare organizations follow a five-step cybersecurity risk approach that DHS uses at the national level: the Cybersecurity Assessment and Risk Management Approach, or CARMA.
The first step of CARMA is discovering the scope of your planned cyber risk management activity. In other words, asking the right questions. Who and what will be involved -- single assets or departments?
"Have you identified the right people from each department?" asked Gates. You'll need representatives from IT, clinical and other departments.
The second step involves identifying the cyber infrastructure that supports the sector's critical functions: the electronic information and communication systems, hardware and software that process, store and communicate information.
Gates named three types of cyber infrastructure to inventory: business systems, control systems and access controls.
Then it's on to conducting a cyber risk assessment. This involves identifying threats and vulnerabilities and documenting any risk management controls your group currently has in place.
Next, healthcare groups should evaluate risk response actions, prioritize them and then develop a cyber risk strategy.
Then, lastly, you have to implement the strategy. This is often where efforts fall short, because the communication piece is left out of the equation: all employees have to be aware of the new strategy. Healthcare groups will also have to determine how often the strategy will be updated. Is it when a cyber incident occurs? Will it be annually?
Risk management is not something to be taken lightly, said Gates. "Cyber incidents continue to increase as healthcare organizations incorporate technology in their work stream."