BOSTON — Christopher Wlaschin, chief information security officer of the Department of Health and Human Services, said there are three steps hospitals should take today to strengthen their security posture: join forces, treat your patching report like your profit-and-loss report and, at the very least, deploy multifactor authentication.
“If you have the capability, then jump into the NH-ISAC,” Wlaschin said here at the Healthcare Security Forum on Tuesday. “They can help. It’s not just compliance, it’s also about preparedness and resilience.”
Many speakers, including Tom Ridge, former Homeland Security Secretary, and Michael Daniel, President Obama’s cybersecurity coordinator, also recommended that InfoSec professionals participate in the NH-ISAC, the National Healthcare Information Sharing and Analysis Center.
Phil Alexander, UMC Health System information security officer, added that the ISAC is not the only option. Others include the NIST and HITRUST frameworks, FBI and other listservs, and InfraGard.
Wlaschin’s second recommendation is to treat the patching report like a P&L, because it is genuinely significant to a hospital’s bottom line.
The key performance indicators healthcare CEOs collectively track are bed count, revenue and compensation from CMS, to name just three; Wlaschin said the patching report should be among those KPIs.
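What a patching report looks like once it is treated as a KPI rather than a ticket queue, as an added example (not code from the article, from HHS or from any speaker): a small Python script that turns a host-level list of missing patches into a handful of numbers a board can track period over period, such as open findings past SLA, share of hosts in breach, and share of findings closed within SLA. The host inventory, patch identifiers and the per-severity SLA windows are constructed sample values, not any organization’s real data or policy.

```python
"""Patch-compliance KPIs from a host inventory (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical remediation windows in days, by severity. Real values come from
# the organization's own vulnerability-management policy.
SLA_DAYS: Dict[str, int] = {"critical": 14, "high": 30, "medium": 90}


@dataclass(frozen=True)
class PatchFinding:
    host: str
    patch_id: str
    severity: str
    published: date            # date the vendor released the fix
    patched: Optional[date]    # None means the host is still unpatched


def age_days(finding: PatchFinding, as_of: date) -> int:
    """Days the fix was (or still is) unapplied: until patched, or until the report date."""
    end = finding.patched if finding.patched is not None else as_of
    return (end - finding.published).days


def is_past_sla(finding: PatchFinding, as_of: date) -> bool:
    """A finding breaches SLA when it stayed unapplied longer than its severity window."""
    return age_days(finding, as_of) > SLA_DAYS[finding.severity]


def patch_kpis(findings: List[PatchFinding], as_of: date) -> Dict[str, float]:
    """The numbers that belong next to bed count and revenue on a leadership dashboard."""
    open_ = [f for f in findings if f.patched is None]
    closed = [f for f in findings if f.patched is not None]
    open_past_sla = [f for f in open_ if is_past_sla(f, as_of)]
    closed_within_sla = [f for f in closed if not is_past_sla(f, as_of)]
    hosts = {f.host for f in findings}
    hosts_in_breach = {f.host for f in open_past_sla}
    return {
        "open_findings": len(open_),
        "open_past_sla": len(open_past_sla),
        "open_critical_past_sla": sum(1 for f in open_past_sla if f.severity == "critical"),
        "hosts_in_scope": len(hosts),
        "pct_hosts_past_sla": round(100.0 * len(hosts_in_breach) / len(hosts), 1) if hosts else 0.0,
        "pct_closed_within_sla": round(100.0 * len(closed_within_sla) / len(closed), 1) if closed else 100.0,
        "oldest_open_days": max((age_days(f, as_of) for f in open_), default=0),
    }


def report_lines(findings: List[PatchFinding], as_of: date) -> List[str]:
    """Render the KPIs as plain text, one metric per line, for the monthly pack."""
    kpis = patch_kpis(findings, as_of)
    lines = [f"Patch compliance as of {as_of.isoformat()}"]
    lines += [f"  {name:<24} {value}" for name, value in kpis.items()]
    return lines


# Constructed sample inventory: three hosts, six findings, report date 2024-06-30.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS: List[PatchFinding] = [
    PatchFinding("emr-db-01", "KB-001", "critical", date(2024, 5, 1), None),
    PatchFinding("emr-db-01", "KB-002", "high", date(2024, 6, 20), None),
    PatchFinding("pacs-02", "KB-001", "critical", date(2024, 5, 1), date(2024, 5, 10)),
    PatchFinding("pacs-02", "KB-003", "medium", date(2024, 1, 15), date(2024, 6, 1)),
    PatchFinding("nurse-ws-07", "KB-004", "high", date(2024, 5, 15), None),
    PatchFinding("nurse-ws-07", "KB-001", "critical", date(2024, 5, 1), date(2024, 5, 20)),
]

if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_FINDINGS, AS_OF)))
```

The point of the design is that every metric is defined by a fixed rule (severity window, report date) so that the same script run each month yields comparable figures; a rising `pct_hosts_past_sla` or `oldest_open_days` is then as readable to a CEO as a falling margin on the P&L.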
If a hospital cannot do either of those, Wlaschin advised deploying multifactor authentication at a bare minimum.
It is no secret that many hospitals still struggle with budget limitations that keep them from joining an ISAC or even implementing multifactor authentication.
Bryan Fiekers, Senior Director of Research Services at HIMSS Analytics, said that according to the latest Healthcare IT and Risk Management Study, participating hospitals assign 6 percent or less of their IT budget to InfoSec, despite the fact that more than half of IT shops own risk management within their hospitals.
HIMSS Analytics found the main drivers of security investment to be risk assessments and HIPAA audits by the HHS Office for Civil Rights, Fiekers added.
“Those two are the cornerstones for IT security investments and that’s true across all the categories of people we interviewed, the business, clinical and IT,” Fiekers said. “Everyone’s in compliance on compliance.”
HIPAA compliance is of course an obligatory baseline for securing patients’ data. Wlaschin’s three tactics to employ right now build on that.
“Only together will we make the healthcare sector more robust; the tide raises all boats,” Wlaschin said. “Together we’ll address the problem, take care of the people who don’t have the resources, make ourselves less susceptible to attack and more able to provide the patient care we are capable of giving.”