Is it more difficult to secure healthcare IT systems compared to other infrastructures?
I’ve worked in several industries and by far healthcare is the most difficult industry I’ve had to work in to date. Not all frameworks and regulations are created equal. In the case of healthcare, HIPAA and HITECH requirements require strong controls, clear lines of command and a lot of mandatory tracking and documentation.
In addition, as a healthcare security manager you must constantly remind yourself, and the people you work with, that you are not just protecting bits and bytes but that you have been given the responsibility to be the custodian of many people’s most sensitive and personal information. Exposures of this data are not only subject to heavy fines; persons’ reputations, potentially their ability to secure a job and even their family lives may be in jeopardy.
What healthcare-related compliance challenges do you face as the CSO of the Medicaid Information Service Center of New York?
Information services within the state of New York not only have federally mandated security requirements; the NYS Office of Cyber Security also has stringent policies on the access and use of protected health information (PHI) and personally identifiable information (PII).
It is sometimes quite challenging to determine who has precedence over a particular piece of information, and reporting requirements can contain many branches to different organizations depending on the type of potential violation or data involved in an incident. In addition, access requirements must be constantly reevaluated, and tracking mandated attestations for access is very time-consuming.
Based on your experience, what areas should healthcare CSOs focus on?
Controls should always be a primary focus. First, from a compliance perspective: “Have we put in place the necessary controls to maintain compliance?” Secondarily, as a risk to the organization: “Is this control effective in reducing or eliminating a security risk to the organization as a whole?”
As a rule of thumb, if a control is left alone it will slowly deteriorate over time, increasing risk to the organization. And if it is not monitored and adjusted, eventually the control will become ineffective.