‘Introducing the concept of system-wide governance will minimise security and compliance risk and generate more business value’
What are the key issues that should be driving hospital cyber security right now?
Three things come to mind. First, healthcare organisations face the reality of the growing risk associated with managing more data, having more systems, and more people touching that data. The threats are more persistent, more frequent and more sophisticated. Healthcare is not unique in that respect but it does tend to pay the most for a security failure. The cost per lost record has been estimated at $300 – the highest of any industry. Second, the persistence of healthcare fraud creates a rising demand for stolen, over-billed or falsified documents, particularly in the US. The falsification of procedures poses a huge threat. Finally, there is third-party risk. Healthcare has a lot of partners that participate in patient care – laboratories, equipment manufacturers, rental facilities, instruments, manufacturers of ID cards… The challenge is casting the security net broader and ensuring that third-party partners abide by appropriate security principles.
What did the healthcare sector learn from WannaCry?
It certainly made organisations realise the incredible risk ransomware poses to data, and I see a lot more awareness and preparedness. They are investing in applications and solutions for predicting attacks, in much the same way that they prepare for Disaster Recovery. Ransomware is not different in that respect. But there are other core challenges. A culture shift is still necessary. Most of these threats get in because an employee checks something they shouldn’t [in an email, for example] or brings an unauthorised device onto the network. WannaCry and the advent of GDPR have been catalysts for better staff training to understand the value of data and for getting the workforce to be more security aware.
What more can hospital CIOs and leaders with responsibility for cyber security issues do to safeguard patient data?
Introduce the concept of system-wide information governance, which will minimise security and compliance risk and generate more business value. To eliminate risk completely, you have to eliminate information. Many healthcare organisations cling to keeping everything, ‘just in case’. The data owner isn’t necessarily the CIO, so it’s the business leaders within the organisation who need the guidelines.
It requires a cross-organisation committee and a lot of up-front work focusing on data classification, security value, protection, data lifecycle plans and third-party touchpoints. Many healthcare organisations just don’t know what information is coming and going. As you look across the silos, you’ll discover overlap, and the opportunities for consolidation and integration.
Is cyber security a useful driver for greater integration?
Every piece of data is an opportunity for something malicious to happen, whether it is fraud or theft. The more you can eliminate data handling through the integration and automation of security processes, the more effective these initiatives can be. The CIO can kick them off, but they need to sponsor them fully and become champions for better information governance throughout the hospital.
What are the benefits of improved information governance?
It actually helps hospitals to make better use of data. An information governance programme reveals opportunities for improvement – particularly around processes that have evolved organically and are rooted in manual or long-gone legacy systems. Re-evaluating processes against current business imperatives allows you to find the best way to do things using modern information tools, and improve the information flow. This can be a driver for automating time-consuming processes so that the hospital can focus on patient care.
Retention management is another benefit. Retention occasions unnecessary risk. If you have less data to manage, your use of it can become more focused and effective. Healthcare providers should look at what they need to hang on to, for how long, and then destroy it. GDPR is a great behind-the-scenes catalyst for this, fuelling the concept of purpose-driven data retention.