Technology is an important piece of the puzzle in healthcare organizations, but proper funding, people, management buy-in and process are equally important pieces. Unfortunately, funding can be a significant challenge for many organizations. The third annual Benchmark Study on Patient Privacy & Security by the Ponemon Institute, which was released in December 2012, showed that only 27% of those surveyed reported sufficient resources, while 34% felt they had a sufficient security budget.

In order for healthcare organizations to properly organize their security priorities, buy-in from the most senior executives must be obtained. This can be accomplished by conducting quarterly meetings with the C-suite to review changes, breaches and the short/long term goals of the security team. Arming executives with this information will raise awareness and help to garner their support. Vendors can also be of assistance by providing the current state of the industry, thus offering executives the opportunity to understand where their organization ranks among current security trends.

Staffing is also extremely important, as an overworked department will lessen the likelihood of a breach being discovered early on. Given the sophistication of most hackers and internal threats, it’s suggested that healthcare organizations should have employees whose main duty is to identify threats. Moreover, the security administrators and all IT personnel should possess the skills to identify malicious behavior in addition to understanding how to deal with such incidents. If internal employees are not skilled enough, outsourcing might need to be considered.

Utilizing these best practices with good business processes, and including other departments such as human resources or the legal department, will result in an organization prepared to protect against and prevent data loss. This approach will definitely help to reduce or eliminate the impact felt by all organizations that will inevitably experience a breach.

I could not agree more with this article. As the author stated, “Healthcare decision makers often do not understand the value of investing in IT security, and no one will ever thank a security administrator for not getting breached.” Engaging executives and any other key stakeholders in an awareness campaign will certainly result in positive outcomes. Important decisions cannot be made if leaders are not aware that they need to be made. Moreover, lack of funding and staffing will inevitably result if leadership is not engaged. Therefore, the key takeaway from this article is “Awareness!”

Article Referenced:
