Accountability for Risk Management and Cybersecurity in Healthcare Institutions

Shahid Shah
Last updated: 2015/01/28 at 9:00 AM
I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves. We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”).

I believe that security, like quality, is an emergent property of the system and its interaction with users and not something you can buy and bolt on. I’m both excited and pleased to see a number of healthcare-focused cybersecurity experts, like Kamal Govindaswamy from RisknCompliance Consulting Group, preaching similar proactive and holistic guidance around compliance and security. I asked Kamal a simple question – if cybersecurity is an emergent property of a system, who should be held responsible/accountable for it? Here’s what Kamal said, and it’s sage advice worth following:

Information Security in general has historically been seen as something that the organization’s CISO (or equivalent) is responsible for. In reality, the Information Security department often doesn’t have the resources or the ability (regardless of resources) to be the owners or be ultimately “accountable” or “responsible” for information security. In almost all cases, the CISO can and must be the advisor to business and technology leaders or management in the organization. He could also operate/manage/oversee certain behind-the-scenes security-specific technologies.

If your CISO doesn’t “own” Information Security in your organization, who should?

At the end of the day, everyone has a role to play in Information Security. However, I think the HealthIT managers and leaders in particular are critical to making security programs effective in healthcare organizations today.

Let me explain…

Of all the problems we have with security these days, I think the biggest stumbling block often has to do with not having an accurate inventory of the data we need to protect and defining ownership and accountability for protection. This problem is certainly not unique to Healthcare. No amount of technology investments or sophistication can solve this problem as it is a people and process problem more than anything else.

Healthcare is unfortunately in an unenviable position in this regard. Before the Meaningful Use program that has led to rapid adoption of EHRs over the last five years, many healthcare organizations didn’t necessarily have standard methods or technologies for collecting, processing or storing data. As a result, you will often see PHI or other sensitive information in all kinds of places that no one knows about any longer, let alone “owns” them: network file shares, emails, a legacy application or database that is no longer used, etc. The fact that HealthIT in general has been overstretched over the last five years with implementation of EHRs or other programs hasn’t helped matters either.

In my opinion and experience, the average Healthcare organization is nowhere close to solving the crux of the problem with security programs – which is to ensure ownership, accountability and real effectiveness or efficiencies.

Most of us in the security profession have long talked about the critical need for the “business” to take ownership among business and technology leaders. For the most part however, I think this remains an elusive goal for many organizations. This is a serious problem because we can’t hope to have effective security programs or efficiencies without ownership and accountability.

So, how do we solve this problem in Healthcare? I think the answer lies in HealthIT leadership taking point on both ownership and accountability.

HealthIT personnel plan, design and build systems that collect/migrate/process/store data, interact with clinical or business leadership and stakeholders to formulate strategies, gather requirements, set expectations and are ultimately responsible for delivering them. Who better than HealthIT leaders and managers to be the owners and be accountable for safeguarding the data? Right?

So, let’s stop saying that we need “the business” to take ownership. Instead, I think it makes much more pragmatic sense to focus on assigning ownership and accountability on the HealthIT leadership.

I present below a few sample mechanics of how we could do this:

  1. Independence of the CISO. For a start, Healthcare CIOs or leaders should insist on independence for the CISO (or equivalent) in their organizations. Even if the CISO or security director or manager happens to be reporting to the CIO (as it still happens in many organizations), I think it is absolutely critical that you reorganize to make the role one of an advisor and support role and not an IT function itself. The CISO and his team may also have their own operational responsibilities, such as management of certain security technologies or operations, performing risk assessments, monitoring risk mitigation or remediation programs, assisting with regulatory compliance and so on. Regardless, they must be an independent function with a strong backing or support from the CIO.
  2. IT (Data) Asset Discovery, Classification and Management. To start with, all IT assets (hardware and software) that collect, receive, process, store or transmit data (CRPST) need to be identified, regardless of whether these assets are owned/leased/subscribed or where they are hosted. Every physical or virtual asset (network device, server, storage, application, database etc.) must have one assigned owner at a manager/director/VP level who is ultimately accountable for security of the information CRPSTed by the asset. As the owner may choose or need to delegate responsibilities (see #3 below), the asset meta-data should also include information regarding personnel that have delegated responsibilities. If you are a smaller organization, you may have one person being the owner that is “accountable” as well as “responsible”.
  3. Directives to HealthIT executives and managers. It is important that Healthcare CIOs send a clear message of sponsorship and accountability to their executives and managers regarding their “ownership” related to security. The asset owners (see #2 above) may in turn delegate “responsibilities” to other personnel (not below a manager) in her department. For example, the VP or Director of IT Infrastructure may delegate responsibilities to the Manager of Servers and the Manager of Networks. Similarly, the VP/Director of Applications may delegate responsibilities to the Database Manager and the Manager of Applications and so on. Regardless of the delegation, the VP or Director retains the “ownership” and “accountability” for security of information CRPSTed by the asset.
  4. Bolted-in Security. The HealthIT strategy and architecture teams need to work in close collaboration with the CISO’s team. It is critical that security is an important planning and design consideration and not something of an afterthought. It is much more cost effective to plan, design and implement secure systems from the start (hence bolted-in) than trying to look for a patch-work of controls after the systems are already in place.
  5. Need for HealthIT managers with “responsibilities” to be proactive. Let me explain this with a few examples of the Server Manager’s role in #3 above.
    • The Server Manager must at all times know the highest classification of the data stored on his servers so he is sure he has appropriate controls for safeguarding the data as required by the organization’s Information Security Policy and standards. If a file server is not “authorized” to contain PHI or PII on its shares, he should perhaps reach out to the CISO with a request for periodic scans of his servers to detect any “sensitive” data that users may have put on their file shares, for example.
    • If a file server is authorized to store PHI for use by the billing department, for example, the Server Manager must work with the billing department manager to have her periodically review the access that people have to the billing file shares. If your organization’s Identity and Access Management (IAM) solution or program has capabilities for automating these periodic access reviews, the Server Manager must work with the CISO (or whoever runs the IAM program) to operationalize these access reviews as part of your Business-As-Usual (BAU) activities. The key point here is that it is the Server Manager’s responsibility (and not the Billing Manager’s or the CISO’s) to ensure that the Billing Manager performs the access reviews in compliance with the organization’s policies or standards for access reviews of PHI repositories.
    • The Server Manager must at all times be aware of who has administrative access to these servers, so he must look for ways to get alerts for every change that happens to the privileged or administrator access to the servers. If your organization has a Log Management or a Security Information and Event Management (SIEM) solution, the Server Manager should reach out to the CISO or his designate so the SIEM solution can collect those events from your servers and send email alerts for any specific administrator or similar privilege changes to the Server Manager. While we are on SIEM, the Server Manager should also work with the CISO and the Billing Manager so the Billing Manager gets an email alert every time there is a change to the access privileges on the file shares containing PHI or PII used by the billing department.
    • If one of the servers happens to be a database server, the Server Manager may be responsible for the operating system level safeguards while the Database Manager may have the responsibility for the database “asset”. She will in turn need to work with the CISO and the relevant business managers for automation of access reviews, monitoring of potential high risk privilege changes in the database etc.
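
The mechanics in items 2, 3 and 5 above (an inventory with one accountable owner and a delegated manager per asset, SIEM alerts on privileged-access changes going to the Server Manager, and share-permission changes on PHI repositories going to the Billing Manager) can be sketched as a small alert router. The following is an added Python example, not code from the article or from RisknCompliance; the inventory entries, the key=value log lines, host names, group names and e-mail addresses are all constructed placeholders, and the key=value format is an assumed SIEM normalization, not any product's output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders (assumptions, not from the article).
CISO_QUEUE = "ciso-alerts@example.org"
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
SENSITIVE_CLASSES = {"PHI", "PII"}


@dataclass(frozen=True)
class Asset:
    """One inventory record: who is accountable and who is responsible."""
    name: str
    classification: str          # highest class of data the asset may hold
    owner: str                   # accountable VP/Director (item 2)
    responsible: str             # delegated manager, e.g. Server Manager (item 3)
    business_contact: str = ""   # e.g. Billing Manager for a PHI share (item 5)


# Constructed inventory: two known servers; anything else is an inventory gap.
INVENTORY = {
    "fs-billing-01": Asset("fs-billing-01", "PHI",
                           "vp-infra@example.org", "server-mgr@example.org",
                           "billing-mgr@example.org"),
    "app-intranet-03": Asset("app-intranet-03", "INTERNAL",
                             "vp-infra@example.org", "server-mgr@example.org"),
}


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    recipients: tuple


FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def route(event: dict) -> Optional[Alert]:
    """Decide who must hear about this event under the ownership model."""
    host = event.get("host", "?")
    asset = INVENTORY.get(host)
    if asset is None:
        # Nobody owns it, so nobody is accountable: escalate as an inventory gap.
        return Alert(host, "event from a host missing from the asset inventory",
                     (CISO_QUEUE,))
    kind = event.get("event")
    if (kind in ("group_member_added", "group_member_removed")
            and event.get("group") in PRIVILEGED_GROUPS):
        # Administrative access changed: the Server Manager is responsible,
        # the owner stays accountable and is copied.
        return Alert(host, f"{kind}: {event.get('member')} in {event['group']}",
                     (asset.responsible, asset.owner))
    if kind == "share_acl_changed" and asset.classification in SENSITIVE_CLASSES:
        # Permissions on a PHI/PII share changed: the business manager who
        # reviews access hears first, with the Server Manager.
        first = asset.business_contact or asset.owner
        return Alert(host,
                     f"ACL change on share {event.get('share')} "
                     f"for {event.get('principal')}",
                     (first, asset.responsible))
    return None


def triage(lines) -> list:
    """Run every normalized log line through the router; drop non-events."""
    alerts = []
    for line in lines:
        alert = route(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed SIEM-normalized lines (not real product output).
SAMPLE_LOG = [
    'host=fs-billing-01 event=group_member_added group=Administrators member=jdoe actor=svc_deploy',
    'host=fs-billing-01 event=share_acl_changed share=billing principal=BILLING-ALL right=Modify actor=admin7',
    'host=fs-billing-01 event=logon user=jdoe outcome=success',
    'host=app-intranet-03 event=share_acl_changed share=public principal=Everyone right=Read actor=admin7',
    'host=app-intranet-03 event=group_member_added group="Remote Desktop Users" member=tsmith actor=admin3',
    'host=legacy-db-07 event=group_member_added group=Administrators member=root2 actor=unknown',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.host}: {a.reason} -> {', '.join(a.recipients)}")
```

Running it produces four alerts: two for fs-billing-01 (an Administrators change to the Server Manager and owner, a billing-share ACL change to the Billing Manager and Server Manager), one Remote Desktop Users change on app-intranet-03, and one escalation to the CISO queue for legacy-db-07, which is exactly the "legacy server no one owns" case the text warns about. The routine logon and the ACL change on an INTERNAL share produce nothing, which is the point of carrying the classification in the inventory.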

I hope these examples from Kamal illustrate how HealthIT can have effective ownership and accountability for security.

Drop us some comments if you agree but especially if you don’t.
