While efforts are being made, organizations still struggle to develop and implement a security solution that encompasses their entire IT infrastructure. In order to remedy this lack of security structure, many organizations are looking to security frameworks to develop a strategy.
“When it comes to adopting a security framework, organizations are shifting from self-developed security information frameworks to NIST and HITRUST,” said the report. “Other core components of a comprehensive security program include dedicating a senior security leader, having an adequate security budget, establishing governance and oversight committees, and meeting regularly to report gaps in security and progress toward closing them.”
The report suggests that healthcare organizations appoint a chief information security officer (CISO) who is responsible for reporting security incidents and updates to a committee, which helps mitigate cybersecurity vulnerabilities. Although appointing a CISO helps establish a security protocol, only 29 percent of healthcare organizations have a comprehensive security solution in place.
A HIMSS survey conducted last year found that organizations with a CISO also tend to adopt holistic cybersecurity practices. Eighty-six percent use at least one security framework, with the most common being NIST, ISO or HITRUST.
“Security frameworks help organizations build a comprehensive security program with guidance on how to identify and prioritize actions for reducing cybersecurity risk,” said the report. “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”
Organizations with a CISO, or the equivalent security staff member, are much more likely to conduct a cybersecurity assessment than the organizations without that position. Assessments are important because they allow organizations to see if a security solution is compatible with the rest of the IT infrastructure and will do the job it needs to do.
“Hardware, software, mobile devices, medical devices, and other components may have severe vulnerabilities and, thus, could expose the organization to significant risk (if such vulnerabilities were successfully exploited),” the report explained. “Moreover, default configurations or misconfigurations of a product or service may also potentially expose an organization to significant risks.”
The holistic cybersecurity approach led by a CISO also includes business continuity with backup and disaster recovery, medical device security for patient safety, and penetration testing.
Many of the organizations that do not have a comprehensive security program are also not meeting with their executive committee on a regular basis, according to the CHIME report. This lack of executive communication can leave organizations unable to standardize security procedures and protocols, and a lack of standardization can lead to blind spots and decreased network visibility.
“The maturity of an organization’s security program often impacts the breadth and depth of the organization’s security capabilities and protocols,” the report explained. “Healthcare organizations with a comprehensive security program are more likely to support critical security measures, such as data-loss prevention (12 percent higher adoption), bring-your-own-device management (13 percent higher adoption), database monitoring (13 percent higher adoption), provisioning systems (14 percent higher adoption), log management (16 percent higher adoption), and adaptive risk-based authentication for network access (16 percent higher adoption).”
Security frameworks also allow organizations to share best practices and knowledge with one another, leading to overall industry progress in defending against cybersecurity threats.