FOCUS: LEADERSHIP IN HEALTHCARE IT

Information Security Issues that Healthcare Management Must Understand

Kevin Beaver, CISSP

Journal of Healthcare Information Management — Vol. 17, No. 1

ABSTRACT

Securing information assets is less about technology and more about business policies and procedures that managers must be involved with. Information security must be managed from a business perspective, and executive involvement is absolutely essential to ensure successful information security initiatives.

KEYWORDS

Information security; HIPAA security; Managing information security; Business aspects of information security

From junior hackers to disgruntled employees to cyberterrorists, the threats to healthcare information systems are real and cannot be taken lightly. In addition, poorly written software, the demand for convenience over security, and overworked and under-trained healthcare IT professionals all present huge information systems vulnerabilities. Combined, these can introduce enormous risks to confidential patient information, intellectual property, and ultimately the survivability of healthcare organizations. Just when you think that these issues are more than enough to keep healthcare IT departments overloaded, along comes HIPAA (Health Insurance Portability and Accountability Act). Luckily, the HIPAA security rule is all about information security best practices. There's nothing magical or mysterious about it. The security rule is simply a set of technology, policy, and business process requirements that, when implemented and managed properly, can make drastic improvements to the well-being of healthcare information systems. This article explores key issues that healthcare management must understand about information security, as well as how to integrate those concepts with the business in order to provide the utmost in care, security, and regulatory compliance.

According to the 2002 CSI/FBI Computer Crime and Security Survey, 90 percent of respondents (which included medical institutions, government agencies, and U.S. corporations) had detected computer security breaches within the previous 12 months, and 80 percent acknowledged financial losses due to those breaches. Obviously, protected health information (PHI) is at risk here as well.

Another interesting set of data comes from the 13th Annual HIMSS Leadership Survey. This 2002 survey found that confidence in the security of patient medical information is increasing and that fewer people are concerned about security breaches. With the proliferation of worldwide computer connectivity, the growing complexity of information systems, and the real-world information security breaches that happen every day, the risks to information are growing at an astronomical rate. This conflicts with the survey responses, and suggests that respondents may be fooling themselves by believing that their healthcare information is safe. However, the majority of respondents to the Leadership Survey (53 percent) believe that when it comes to the security of patient medical information, HIPAA security compliance is at the top of their list. This appears to be good news; it's just unfortunate that it has taken governmental intervention to bring information security and the protection of confidential patient information to the forefront of the healthcare industry.

A deeply rooted problem exists that is perhaps the basis of all risks to healthcare information — even above and beyond the stereotypical malicious hacker or virus. The problem is upper management's lack of buy-in and understanding of information security in general. Some managers believe that their healthcare information systems are not at risk, and others believe that protecting healthcare information is a waste of time, money, and resources. Others believe that information security is an impediment to providing adequate healthcare.

What There Is to Lose

Perhaps a contributing factor to management's lack of buy-in and understanding of information security is not realizing what there is to lose when adequate information security systems are not in place. There's always the risk of losing PHI, thus causing the organization to be in violation of HIPAA requirements, but it goes much further than that. Insecure information systems can lead to tangible losses and costs such as:

• Lost business and revenue-generating opportunities due to information systems being down and unavailable
• Lost or corrupted data, along with the associated recovery or replacement costs, time, and resources after an incident occurs
• Lost user productivity
• Lost intellectual property
• Consulting and legal fees associated with investigating and prosecuting the attackers
• Insurance premium increases
• Legal and public relations fees associated with defending liability suits for failing to meet contract obligations or federal regulations such as HIPAA

In addition to the tangible items, there are several intangible items that are more difficult to put a price on, but can have detrimental effects nonetheless:

• Lost patient and business partner confidence and loyalty
• Lost reputation
• Lost shareholder value for publicly owned entities
• Loss of trust in upper management's ability to ensure adequate protection is in place
• Career-threatening corporate officer liabilities

There is certainly a greater chance of experiencing some of these losses than others. Whatever the losses may be, every healthcare organization must determine what they would do, how they would respond, and how they would continue operations if the computer systems that store their valuable patient and business information were to crash, be hacked into, or even be destroyed. Looking beyond PHI, think about the decision support systems, research databases, and even the healthcare equipment systems that rely on data being kept confidential, free from tampering, and available virtually 100 percent of the time. This article explores ways to look beyond information security issues that are typically IT focused. There are ways to go beyond technology as a solution to information security, and to integrate policies and procedures with the organization's business in order to provide more healthcare value.

Going Beyond Technology

Contrary to conventional wisdom, firewalls, data encryption, anti-virus software, and other technologies are simply not enough to effectively secure computers and information. In addition, most people think of information security as something that the IT department should be solely responsible for. Sure, the IT department must be involved in the implementation and management pieces of the information security puzzle, but it does not stop there. Information security is not just a technology issue, but a business issue as well. This means that the entire management team must be involved — including key decision makers from departments such as human resources, operations, and legal — not just the person in charge of IT.

This is not to say that the proper technology does not have to be in place in order to implement and enforce adequate security policies and procedures. Having the correct technology in place is definitely required. It's just not the silver bullet that many people, techies and managers alike, have come to believe in and rely on. There are many non-technical issues that need to be considered, such as ongoing information risk assessments, information security audits, and disaster recovery and business continuity plans. There are, however, two key areas that stand out above the rest: information security policies and user awareness training. (Due to space limitations, only these two will be highlighted. Please remember that an overall information security program must include the other issues mentioned above as well.)

Information Security Policies. Studies show that only about one third of organizations have information security policies and procedures. These documents, which are required by HIPAA, are considered by many to be the backbone of a solid information security program. They should be treated as living documents that need nurturing, and should not be stuffed away on a shelf to collect dust. Information security policies define the strategies for safeguarding computers and information, and help protect the organization, patients, and business partners from information mishaps and ultimately from legal liabilities. Specifically, information security policies define:

• Information security roles and responsibilities
• Information systems access
• Acceptable usage and standards for end users to adhere to
• Ongoing maintenance and monitoring of information systems

Information security policies can even help with HR and legal issues when it comes time to terminate employees, or help to prove due diligence on HIPAA initiatives and other government regulations. If the time and resources are not available to create and/or maintain information security policies and procedures in-house, outsourcing can be a viable alternative. Most important, information security policies must be reasonable, easily understood, and enforced. Keep in mind that voluntary cooperation from end users is not enough. There's nothing worse than policies that are created but not disseminated to end users, not maintained by the appropriate personnel, or not enforced by upper management. If implemented and managed properly, however, information security policies can provide the best bang for your information security buck.

User Awareness Training. It has always been interesting to note how much money organizations will spend on information security technologies, policies, and plans, and how little money they spend on end user awareness and training. In order for information security initiatives to be effective, the end users must not be forgotten. In fact, the human factor can be the weakest link in an information security program. It only takes a relatively small amount of effort to ensure your end users understand organizational information security policies and know what types of malicious behavior to look out for, yet it can have a huge payoff. End users should be reminded on an ongoing basis in order for this information to truly sink in. Simple lunch-and-learns, screen saver reminders, and posters around work areas will go a long way in helping to keep information security on their minds. User awareness training is not only a HIPAA requirement; it's a smart business investment. The key is to keep your awareness efforts simple and in a non-technical format so that everyone can relate. If you treat user awareness training as a long-term investment, it will do wonders to help promote information security within your organization.

Future Information Security Challenges

As healthcare organizations become increasingly dependent on information access, and move forward with HIPAA initiatives and compliance with other governmental regulations, there will be many challenges in ensuring that information is kept secure. One of the most taxing is that of determining actual security requirements. Information systems, especially those of larger healthcare providers, are so complex that it's very common to have difficulty understanding exactly what systems and information need to be protected. On top of that are governmental regulations, such as HIPAA, that mandate certain information security processes. The key to handling this challenge, in simple form, is for all involved departments throughout the organization to document what information is being processed and stored, then collaborate to prioritize which information needs the most protection, and decide on the most effective ways to go about protecting it.

Another closely related issue is being able to determine which best practices actually exist, along with which ones to adhere to. There are many evolving information security best practices from well-known organizations such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Other organizations, such as SANS and the Center for Internet Security, offer helpful information as well. Eventually, there will most likely be a set of general best practices that everyone agrees upon. In the meantime, it will just take a little more effort to sort through the evolving standards and determine which ones are the best fit for your organization.

Other challenges to information security include:

• Determining how to efficiently update poorly written software to protect information systems from easily exploited vulnerabilities and viruses
• A shortage of computer — specifically information security — expertise
• Increased skill sets of malicious users
• Increasing end user expectations for system usability and availability
• Lack of organizations reporting information security breaches, thus keeping potentially new threats and vulnerabilities in the dark

There is no one solution to help successfully navigate these challenges. It will just take time and savvy management for these issues to be sorted out properly. Moving forward, the most important aspects of managing information security effectively will be to understand the consequences and liabilities involved and to establish a culture of information security awareness that is pervasive throughout the organization.

Managing Information Security from a Business Perspective

Information security is better than the alternative. Securing an organization's information assets is ultimately an upper management responsibility. They are the ones who approve the budgets and sign the checks. Upper management can promote information security buy-in, empower employees, and ultimately enforce the necessary policies. The issues involved with information security are complex, and expertise is hard to find. Information security is a process and a philosophy that has proven itself to be more of a business issue than a technology issue, and it must be managed from the top down from a business perspective. Healthcare managers must understand the business impact of information risks and the implications involved if systems are not secured. In addition, to protect themselves from legal liabilities, healthcare organizations need to show proper due diligence in attempting to implement best practices for information security.

Anyone who is responsible for the ongoing operations of an organization must take part in this process in order for the information security function to be successful. Management must be closely involved in understanding what they're up against, what information assets need to be protected, and what needs to be done to secure those information assets now and on an ongoing basis. In order to do this properly, information security must be treated like any other business function, such as finance or operations. There must be a budget established and a cross-sectional team of trusted individuals or outside consultants assigned to this function. Information security is a vital part of a healthcare organization's operation and should be treated as such through effective leadership that gets involved and considers it a function that affects the organization's bottom line. It's important to keep in mind that not everyone can be trusted with the organization's information systems, whether they are internal or external to the organization.

What healthcare management does not understand about information security can hurt them. Being unprepared for an information systems breach or disaster can mean severe business interruption or even failure, not to mention trouble with the government. In the long run, the costs of securing healthcare information systems are much less than the costs of restoring customer confidence or being forced out of business completely. Upper management involvement is the key to success.

About the Author

Kevin Beaver is president of Principle Logic, LLC, an information security consulting firm, and a Certified Information Systems Security Professional with over 14 years of information security experience. Mr. Beaver is also the editor and co-author of the book Healthcare Information Systems, published by Auerbach Publications.