‘Introducing the concept of system-wide governance will minimise security and compliance risk and generate more business value’

The impact of WannaCry and the advent of GDPR have driven hospitals and healthcare providers to step up their quest for the most effective cyber security strategies. In addition, says Dennis Chepurnov, CISSP, marketing principal at information management specialist Hyland, they can seize the opportunity to make security a catalyst for more effective and efficient information governance.

What are the key issues that should be driving hospital cyber security right now?

Three things come to mind. First, healthcare organisations face the reality of the growing risk associated with managing more data, having more systems, and more people touching that data. The threats are more persistent, more frequent and more sophisticated. Healthcare is not unique in that respect but it does tend to pay the most for a security failure. The cost per lost record has been estimated at $300 – the highest of any industry. Second, the persistence of healthcare fraud creates a rising demand for stolen, over-billed or falsified documents, particularly in the US. The falsification of procedures poses a huge threat. Finally there is third-party risk. Healthcare has a lot of partners that participate in patient care – laboratories, equipment manufacturers, rental facilities, instruments, manufacturers of ID cards…The challenge is casting the security net broader and ensuring that third-party partners abide by appropriate security principles.

What did the healthcare sector learn from WannaCry?

It certainly made organisations realise the incredible risk ransomware poses to data, and I see a lot more awareness and preparedness. They are investing in applications and solutions for predicting attacks, in much the same way that they prepare for Disaster Recovery. Ransomware is not different in that respect. But there are other core challenges. A culture shift is still necessary. Most of these threats get in because an employee checks something they shouldn’t [in an email, for example] or bring an unauthorised device to the network. WannaCry and the advent of GDPR have been catalysts for better staff training to understand the value of data and getting the workforce to be more security aware.

What more can hospital CIOs and leaders with responsibility for cyber security issues do to safeguard patient data?

Introduce the concept of system-wide information governance, which will minimise security and compliance risk and generate more business value. To eliminate risk completely, you have to eliminate information. Many healthcare organisations cling to keeping everything, ‘just in case’. The data owner isn’t necessarily the CIO, so it’s the business leaders within the organisation who need the guidelines.
It requires a cross-organisation committee, a lot of up-front work focusing on data classification, security value, protection, data lifecycle plans and third-party touchpoints. Many healthcare organisations just don’t know what information is coming and going. As you look across the silos, you’ll discover overlapping, and the opportunities for consolidation and integration.

Is cyber security a useful driver for greater integration?

Every piece of data is an opportunity for something malicious to happen, whether it is fraud or theft. The more you can eliminate data handling through the integration and automation of security processes, the more effective these initiatives can be. The CIO can kick them off, but they need to sponsor them fully and become champions for better information governance throughout the hospital.

What are the benefits of improved information governance?

It actually helps hospitals to make better use of data. An information governance programme reveals opportunities for improvement – particularly around processes that have evolved organically and are rooted in manual or long-gone legacy systems. Re-evaluating processes against current business imperatives allows you to find the best way to do things using modern information tools, and improve the information flow. This can be a driver for automating time-consuming processes so that the hospital can focus on patient care.

Retention management is another benefit. Retention occasions unnecessary risk. If you have less data to manage, your use of it can become more focused and effective. Healthcare providers should look at what they need to hang on to, for how long, and then destroy it. GDPR is a great behind-the-scenes catalyst for this, fuelling the concept of purpose-driven data retention.



Hyland Healthcare delivers a suite of unparalleled content and image management solutions to address the clinical, financial and operational needs of healthcare organizations. Globally, more than 2,000 healthcare organizations rely on  Hyland’s world-class solutions and experience to connect diverse content to patient records, eliminate reimbursement delays and enhance business processes.

28500 Clemens Road
Westlake, OH 44145
United States

Related News

Leading digital transformation and big data in medicine

Learn about leading digital transformation and big data in medicine at HIMSS Impact18, 17-18 October 2018 in Potsdam/Berlin

PCHAlliance releases latest version of the Continua Design Guidelines

New guidelines to enable integration of patient-generated data into EHRs

‘We need to co-operate on security – the time is now!’

Interview with Robert Zemke, Director of Healthcare Solutions at Extreme Networks