Written by Kurt Hagerman, CISO, Armor
With the inherent complexities of the healthcare environment, as well as corresponding compliance requirements, organizations are seeking strategies to streamline efforts without compromising data security. Although strides have been made, healthcare is still in catch-up mode with other industries in terms of cybersecurity. Ground can be gained, however, by applying familiar clinical risk management principles to data protection that can be ready-made to achieve HIPAA compliance. Since healthcare has always been astute at identifying and managing risk in the clinical setting, aligning this thinking with a security posture will help provide a similar level of protection to sensitive data.
With a trove of financial and personal information coveted by criminals, healthcare organizations must not only comply with regulations but also allocate resources to cybersecurity that will make the process consistent and repeatable. Introducing tools such as HITRUST CSF Version 8 goes a long way in supporting cybersecurity, along with AICPA SOC2 reporting, contextual data de-identification, cloud services, and meeting expanded requirement details.
By rethinking cybersecurity and applying proven risk management techniques, organizations are better suited to face the challenges cybercriminals present. Healthcare organizations have a keen awareness of keeping patients safe in the physical environment, but from a digital perspective, many forces have aligned to make this a more challenging task.
Because of the prolific and diverse nature of threats and vulnerabilities due to the dramatic increase in the number of connected devices, healthcare organizations are spending enormous amounts of money to stop cyberattacks and achieve compliance. In addition, legacy infrastructure and devices were not designed with security in mind.
This is particularly concerning as healthcare data has far greater long-term value that does not diminish over time, as opposed to credit card or other financial information. Healthcare data is not as frequently reviewed by users, and as a result, can be compromised and exploited for a far greater duration of time before measures are taken to stop its abuse.
Compliance standards must be complemented by a commitment to sound risk management to identify, respond to and ultimately protect against threats. The combination of regulatory compliance and traditional risk management in terms of cybersecurity can help proactively prepare for cyberattacks and mitigate threats against sensitive information to protect the organization and reduce liability.
In short, applying traditional clinical risk management principles to the cybersecurity environment can bring a new perspective to proactively anticipating and mitigating threats.
The time is now for healthcare providers to change their cybersecurity approach and transition from a reactionary mitigation response to a proactive position that prioritizes challenges. Organizations will then be able to work more effectively to not only ensure compliance but also place the protection of patients and the institution first and foremost.
Kurt Hagerman serves as CISO for Armor and is responsible for the governance, risk and compliance aspect of the security mission for both corporate and customer-facing products. To learn more, visit www.armor.com.
You may be interested
“Using Work of Others” Initiative from HITRUST Streamlines IT Security Control Assessments to Promote a Culture of Risk Management CollaborationLacy Deatrich - Sep 11, 2019
By Jeremy Huval, Vice President, Compliance & Internal Audit Completing HITRUST CSF Assessments will now require less time and fewer…
HITRUST® Submits Application to be an Accountability Agent for APEC CertificationLacy Deatrich - Aug 14, 2019
By Anne Kimbol, Chief Privacy Officer, HITRUST HITRUST has submitted its application to be recognized as an Accountability Agent under…
HITRUST Shared Responsibility Program Helps Organizations and Cloud Service Providers Collaborate to Protect Data in the CloudLacy Deatrich - Jul 08, 2019
By Becky Swain, Director, Standards Development Your cloud provider is certified to comply with all the major regulations for protecting…