• Home

  • Documents

  • FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN …€¦ · reputation and result in millions of...
3
Data breaches, malware and other security hacks are on the rise across healthcare organizations. Happening in parallel is the adoption of new technology like the cloud, artificial intelligence, and patient engagement tools that seek to increase efficiency, improve data accessibility and drive down cost. While these advancements offer many benefits, if appropriate security measures aren’t established from the start, they leave healthcare organizations vulnerable to cyberattacks that expose patient data, impact an organization’s brand reputation and result in millions of dollars in losses, essentially eliminating all potential cost savings these technologies promise. Instead of simply reacting to these cybersecurity threats, take a proactive approach by applying findings from your security risk analysis to the creation of a comprehensive security management program that mitigates risk and addresses vulnerabilities before they are exploited. Build Your Program Off the Analysis While a security risk analysis is a federal requirement for a number of compliance areas such as Health Insurance Portability and Accountability Act (HIPAA) or Federal Information Security Modernization Act (FISMA), it can be foundational in mitigating cybersecurity attacks regardless of compliance mandates. However, they’re only as valuable as what you put in. Simply checking the boxes on the assessment doesn’t make your healthcare organization any more secure, nor does creating information security management policies that align to the analysis but doing little to enforce them. A thorough analysis that covers your entire organization and all areas of information management and enabling technologies will identify where vulnerabilities lie and their degree of severity. This gives you a clear picture of what needs to be improved and how quickly you need to react, which can be incorporated into an information security management program. Just like it’s critical to do something with your security risk analysis results, the same is true with the framework for your program. You must use it as a platform to address gaps and vulnerabilities in your organization. This involves aligning policies, processes, technology and people. FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN INFORMATION SECURITY MANAGEMENT PROGRAM By Chandragupta Gudena, Merritt Neale and Mike Seiser

FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN …€¦ · reputation and result in millions of dollars in losses, essentially eliminating all potential cost savings these technologies

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN …€¦ · reputation and result in millions of dollars in losses, essentially eliminating all potential cost savings these technologies

Data breaches, malware and other security hacks are on the rise across healthcare organizations. Happening in parallel is the adoption of new technology like the cloud, artificial intelligence, and patient engagement tools that seek to increase efficiency, improve data accessibility and drive down cost. While these advancements offer many benefits, if appropriate security measures aren’t established from the start, they leave healthcare organizations vulnerable to cyberattacks that expose patient data, impact an organization’s brand reputation and result in millions of dollars in losses, essentially eliminating all potential cost savings these technologies promise.

Instead of simply reacting to these cybersecurity threats, take a proactive approach by applying findings from your security risk analysis to the creation of a comprehensive security management program that mitigates risk and addresses vulnerabilities before they are exploited.

Build Your Program Off the AnalysisWhile a security risk analysis is a federal requirement for a number of compliance areas such as Health Insurance Portability and Accountability Act (HIPAA) or Federal Information Security Modernization Act (FISMA), it can be foundational in mitigating cybersecurity attacks regardless of compliance mandates. However, they’re only as valuable as what you put in. Simply checking the boxes on the assessment doesn’t make your healthcare organization any more secure, nor does creating information security management policies that align to the analysis but doing little to enforce them.

A thorough analysis that covers your entire organization and all areas of information management and enabling technologies will identify where vulnerabilities lie and their degree of severity. This gives you a clear picture of what needs to be improved and how quickly you need to react, which can be incorporated into an information security management program. Just like it’s critical to do something with your security risk analysis results, the same is true with the framework for your program. You must use it as a platform to address gaps and vulnerabilities in your organization. This involves aligning policies, processes, technology and people.

FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN INFORMATION SECURITY MANAGEMENT PROGRAM By Chandragupta Gudena, Merritt Neale and Mike Seiser

http://searchhealthit.techtarget.com/definition/HIPAA
http://searchhealthit.techtarget.com/definition/HIPAA
https://www.gpo.gov/fdsys/search/pagedetails.action?collectionCode=PLAW&browsePath=113%2FPUBLIC%2F%5b200+-+299%5d&granuleId=&packageId=PLAW-113publ283
https://www.gpo.gov/fdsys/search/pagedetails.action?collectionCode=PLAW&browsePath=113%2FPUBLIC%2F%5b200+-+299%5d&granuleId=&packageId=PLAW-113publ283
Page 2: FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN …€¦ · reputation and result in millions of dollars in losses, essentially eliminating all potential cost savings these technologies

HURON | 2FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN INFORMATION SECURITY MANAGEMENT PROGRAM

As part of your security management program, consider the following:

• Don’t just write a policy, enforce it. Put policy measures in place and hold staff accountable to them. Many organizations have written policies, but they don’t enforce them. As a result, those in the organization have little incentive to follow them, leaving the organization at risk.

• Optimize your existing security technology investments. A common response to a security breach is an investment in cyber security technology. While technology is essential for mitigating a breach, it’s not the solution. For information and cyber security technology solutions to deliver on their promise, they must be well designed, well implemented and well established as part of a continuous improvement process, especially as organizations integrate new technologies and processes into the organization. To ensure this occurs put staff in roles where they are managing your technology-related risk otherwise these investments won’t have as much of an impact or benefit as they should.

• Empower your chief information security officer (CISO) with decision-making authority and align them to compliance: A CISO’s role sits at the intersection of IT security and risk management. This is vastly different than the role of a chief information officer who’s focused on getting new or changed IT services to customers cheaper and faster with ever increasing gains in technology efficiencies. And at times these roles don’t see eye to eye, especially when security protocols hinder process improvements or time to market. However, it’s common for a CISO to report to the CIO—making it difficult for a CISO to optimally perform their job. An alternative reporting approach is to more closely align a CISO with those responsible for compliance, regulations or enterprise risk management.

• Hire security analysts. Instead of having existing IT staff responsible for managing security technology and managing the information security management program, dedicate individuals strictly to audits, policies, procedures and managing your security program. This will allow them to focus on monitoring data

generated by technical controls and make sure security protocols (e.g. cyber and internal controls) are implemented correctly without having the added complexity of day-to-day security control operations.

• Engage physicians, nurses and staff in continuous improvements. Ensure that staff know why information management security policies and procedures are in place. By giving them a better understanding of why they’re required to perform certain security measures that may seem redundant or laborious you can instead gain buy in. At the same time, by listening to their feedback, you can identify areas of improvement.

Implement the ProgramAs you put your information security management program in place, take the following steps to drive sustainable results:

• Communicate results of your security risk analysis to leadership and the board to get funding. Share the results along with your plan to move forward with your leadership and board. Then request funding to make improvements just like you would do for funding for any other program. It’s important to emphasize that this is a continuous, long-term investment and it is separate from the funding of other technology-related projects.

• Communicate with your staff. Keep them closely engaged along your cyber security journey. Share the security risk analysis results, the framework that you’ve put in place, new initiatives that you’re launching to mitigate risk and seek their feedback. This will increase engagement around the policies you’ve put in place.

• Implement the program and seek continuous improvement. Once you’ve established a path forward, execute on it and periodically reassess progress. If new technologies are implemented, proactively address potential security gaps at the outset and address them during implementation. If compliance or other regulatory changes occur, quickly reassess and understand your gaps.

Page 3: FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN …€¦ · reputation and result in millions of dollars in losses, essentially eliminating all potential cost savings these technologies

HURON | 3FUTURE PROOF YOUR HEALTHCARE ORGANIZATION WITH AN INFORMATION SECURITY MANAGEMENT PROGRAM

As technology becomes more vital to managing healthcare operations and improving health outcomes, organizations cannot afford a hack or data breach. These security incidents are not only expensive to address, but they negatively impact your brand reputation. A comprehensive security management program should strike a delicate balance between mitigating risk and allowing people to do their jobs effectively. It should use your risk analysis as a critical foundation for building the program which will increase security at your organization today and propel your organization into the future.

huronconsultinggroup.com © 2018 Huron Consulting Group Inc. and affiliates. All rights reserved. Huron in a management consulting firm and not a CPA firm, and does not provide attest services, audits, or other engagements in accordance with standards established by the AICPA or auditing standards promulgated by the Public Company Accounting Oversight Board (“PCAOB”). Huron is not a law firm; it does not offer, and is not authorized to provide, legal advice or counseling in any jurisdiction. MU 180286

As you take a proactive approach to

information security and develop your security

management program:

THINK DIFFERENTLY. Prioritize breach prevention rather than

focusing solely on reactive cyber security

strategies.

PLAN DIFFERENTLY. Frame a security risk analysis as more than

just a box that must be checked, but as a

way of building a strong and mature security

foundation.

ACT DIFFERENTLY. Leverage a risk assessment framework, develop

a program and invest in people, process and

technology to establish an information security

management program that supports a strong

business today and future growth.

Key Takeaways


Eliminating Ice

Eliminating Ice

Documents
Table 1: The European Commission list · Dollars 5 15 Dollars 25 Dollars 50 Dollars 100 Dollars 150 Dollars 200 Dollars 250 Dollars 500 Dollars 1,000 Dollars 2,500 Dollars 3,000 Dollars

Table 1: The European Commission list · Dollars 5 15 Dollars 25 Dollars 50 Dollars 100 Dollars 150 Dollars 200 Dollars 250 Dollars 500 Dollars 1,000 Dollars 2,500 Dollars 3,000 Dollars

Documents
Eliminating Sentences

Eliminating Sentences

Documents
GEOG8260.10, Eliminating chartjunk

GEOG8260.10, Eliminating chartjunk

Education
ALTERNATIVES FOR REDUCING OR ELIMINATING COMPACT … · ALTERNATIVES FOR REDUCING OR ELIMINATING COMPACT OR ELIMINATING COMPACT CAR PARKING City Council Transportation and Environment

ALTERNATIVES FOR REDUCING OR ELIMINATING COMPACT … · ALTERNATIVES FOR REDUCING OR ELIMINATING COMPACT OR ELIMINATING COMPACT CAR PARKING City Council Transportation and Environment

Documents
Eliminating Hostile Environments

Eliminating Hostile Environments

Documents
Surgical Essentially

Surgical Essentially

Documents
North Carolina Eliminating Methicillin-Resistant Carolina Eliminating Methicillin-Resistant Staphylococcus aureus 1 ... (Heplock) used by hospital ... North Carolina Eliminating Methicillin-Resistant

North Carolina Eliminating Methicillin-Resistant Carolina Eliminating Methicillin-Resistant Staphylococcus aureus 1 ... (Heplock) used by hospital ... North Carolina Eliminating Methicillin-Resistant

Documents
Outcomes of California's Medicaid Cost-Containment ......essentially eliminating all elective services (Koetting and Olinger, 1984),2 . The cost-containment package also eliminated

Outcomes of California's Medicaid Cost-Containment ......essentially eliminating all elective services (Koetting and Olinger, 1984),2 . The cost-containment package also eliminated

Documents
Meet the most infl uential government marketing budget decision … · 2020. 7. 21. · MAXIMIZE your marketing dollars and time by eliminating numerous marketing prospect meetings

Meet the most infl uential government marketing budget decision … · 2020. 7. 21. · MAXIMIZE your marketing dollars and time by eliminating numerous marketing prospect meetings

Documents
Eliminating Authentication Pop- Ups in SAP Landscapesmprusov.narod.ru/sap/teched03/Eliminating... · Eliminating Authentication Pop-Ups in SAP Landscapes Cristina Buchholz, Patrick

Eliminating Authentication Pop- Ups in SAP Landscapesmprusov.narod.ru/sap/teched03/Eliminating... · Eliminating Authentication Pop-Ups in SAP Landscapes Cristina Buchholz, Patrick

Documents
Eliminating d Structure

Eliminating d Structure

Documents
Essentially Mortgages

Essentially Mortgages

Documents
Eliminating Disposable Plastics

Eliminating Disposable Plastics

Documents
2017-18 First Quarter Budget Report · budget and actual dollars expended at the end of the year. The FY2017-2018 First Quarter budget report essentially applies a similar factor

2017-18 First Quarter Budget Report · budget and actual dollars expended at the end of the year. The FY2017-2018 First Quarter budget report essentially applies a similar factor

Documents
Eliminating Entries

Eliminating Entries

Documents
Eliminating Dispartiei s in Schoo lDisciplineeducationnorthwest.org/sites/default/files/eliminating-disparities.pdf · Eliminating Dispartiei s in Schoo lDiscipline ... but because

Eliminating Dispartiei s in Schoo lDisciplineeducationnorthwest.org/sites/default/files/eliminating-disparities.pdf · Eliminating Dispartiei s in Schoo lDiscipline ... but because

Documents
Essentially Collingwood

Essentially Collingwood

Documents
Eliminating Personality

Eliminating Personality

Documents
eliminating child labour

eliminating child labour

Documents
50,000 dollars 100,000 dollars 1,000,000 dollars 500,000 dollars

50,000 dollars 100,000 dollars 1,000,000 dollars 500,000 dollars

Documents
INVESTMENTTAXATION INVESTMENT TAXATION. previously taxed dollars previously taxed dollars = dollars not taxed dollars not taxed on the sell, withdrawal

INVESTMENTTAXATION INVESTMENT TAXATION. previously taxed dollars previously taxed dollars = dollars not taxed dollars not taxed on the sell, withdrawal

Documents
Essentially Non-Oscillatory and Weighted Essentially … · NASA/CR-97-206253 ICASE Report No. 97-65 NIVERSARY Essentially Non-Oscillatory and Weighted Essentially Non-Oscillatory

Essentially Non-Oscillatory and Weighted Essentially … · NASA/CR-97-206253 ICASE Report No. 97-65 NIVERSARY Essentially Non-Oscillatory and Weighted Essentially Non-Oscillatory

Documents
Eliminating gender disparity

Eliminating gender disparity

Education
Pmope•ti · special concretes are accommodated in the original structural design by eliminating essentially all of the normal concrete cover when the base layer is placed, the dead

Pmope•ti · special concretes are accommodated in the original structural design by eliminating essentially all of the normal concrete cover when the base layer is placed, the dead

Documents
Eliminating redundant software

Eliminating redundant software

Technology
Eliminating Damage - Global Transport Updateglobaltransportupdate.com/wp-content/uploads/2015/11/Eliminating... · This case study was written for Olitek Pty Ltd. ... Eliminating

Eliminating Damage - Global Transport Updateglobaltransportupdate.com/wp-content/uploads/2015/11/Eliminating... · This case study was written for Olitek Pty Ltd. ... Eliminating

Documents
Eliminating Negative Thoughts

Eliminating Negative Thoughts

Documents
Balconies and Walkways Inspection Report · damage is proven to be a good investment of maintenance dollars. Eliminating the redundancy of repairs to the same area can be achieved

Balconies and Walkways Inspection Report · damage is proven to be a good investment of maintenance dollars. Eliminating the redundancy of repairs to the same area can be achieved

Documents
Eliminating malaria

Eliminating malaria

Documents