There is progress being made on information security in the healthcare industry.
Yes, recent studies indicate that 90 percent of all healthcare organizations have been the victim of a data breach in the last two years. And it is true that the average cost per record in a healthcare breach is roughly 80 percent higher than the U.S. average across industries, a significant hit to organizations that already struggle with limited resources. However, the industry is waking up and beginning to realize the importance of information security – often at the cost of having experienced a breach first.
Larry Whiteside, vice president of healthcare and critical infrastructure at Optiv, travels across the country meeting with security and risk departments at healthcare organizations and advising them on their security strategy. With a close ear to the ground on the industry and its technological evolution, he says IT security is now becoming a high-level conversation inside healthcare organizations.
“Today it is better than it was yesterday and is moving in a direction of being better tomorrow,” Whiteside said in a recent interview with InfoSec Insider.
The state of the health sector has quickly garnered national attention as ransomware attacks have crippled hospitals across the country, with attackers in some cases demanding millions of dollars.
Hospitals are a big target for online miscreants looking to access troves of sensitive data for eventual monetary gain. A majority of these organizations can’t pay the high salaries that seasoned, talented information security professionals command. Making matters worse, their environments are “relatively flat networks” put in place to “allow interoperability across systems and platforms,” says Whiteside. With little segmentation between clinical, administrative and medical-device systems, a single compromised host can reach far more of the environment, so any attack has a much greater impact. Add all of these factors together and it’s a recipe for disaster.
To keep smaller organizations informed of emerging risks, the Department of Health and Human Services recently announced that it would issue $1.75 million in grants to an organization that will take the lead role in cyber threat information sharing for the sector.
Although attackers won’t let up, it seems that the health sector is on red alert and taking steps in the right direction. But for security managers at these organizations, it’s a seemingly uphill battle that won’t get easier anytime soon.
For healthcare security managers to measurably reduce cyber risk in their organizations, Whiteside offered up three quick pieces of advice he commonly shares with practitioners in the industry.
1. Build a strategy that aligns with the business
This could be the most challenging obstacle for a security manager in healthcare, but it’s also the most important. It’s not about building a blueprint of what you’ll be implementing; it’s about how that plan aligns with the business, Whiteside says. “A proper strategy is one that aligns with where your organization is headed as a whole and ensures security is in a position to enable the organization’s goals over a period of time.”
2. Over communicate
The worst thing you can do as a security practitioner – not just in healthcare – is to keep information siloed within the security and risk department. Instead, create a communication plan that lets you share the department’s progress, the steps being taken, and the wins as they happen. It’s important to “make their organization aware of what they are doing, and how they are doing it,” Whiteside says.
3. Establish relationships at the executive level
We’ve all heard far too often that IT security practitioners need to “speak the language of the business.” It’s really not a matter of semantics; it’s about networking and building relationships within the business that not only break down communication barriers but ultimately help the cause of the security and risk department. “These relationships can go a long way in getting the support one would need to accomplish the long-term goals and strategy,” Whiteside says. “By getting leaders inside the business to understand that you both have the same goals, it will help information security be more successful.”