According to the latest Identity Theft Resource Center (ITRC) report, more than 120 million patient records were compromised in 2015 due to healthcare incidents alone.
Critics are quick to attribute these breaches to granular issues such as legacy infrastructure or poor identity access management. However, bigger picture problems include under investment in critical systems, conflation of compliance and security concerns, and an over reliance on internal expertise, that have left many firms without the means to accurately assess and defend against cyber attacks.
There are a number of drivers behind healthcare entities' poor security hygiene. Obstacles from organizational culture to resource allocation make it difficult for firms to embed cyber security throughout their operations. Before healthcare organizations can make meaningful strides toward better cyber security practices, they must address the underlying causes that leave them vulnerable in the first place.
Compared to other industries, healthcare organizations don't adequately invest in security leadership, nor do they have a vast talent pool from which to pull. An ISACA study from early 2015 found that 86% of organizations feel there's a global shortage of skilled cyber security professionals. As a result, many healthcare organizations are living without chief information security officers (CISOs), or they are promoting IT directors and adding security to their purview.
Without CISO representation, organizations lack a board presence to address cyber security related issues, or advocate for solving them. Providers are not expected to become cyber security gurus in their own right, but failing to appoint IT security leaders makes it too easy to ignore security concerns until a crisis strikes. Tacking security on to existing directors' responsibilities isn't a sound fix either; instead, it can lead to more mismanagement and internal vulnerabilities.
Security should be handled separately from day-to-day IT concerns, and healthcare organizations’ leadership structure should mirror this. Without a clear chain of command with regard to cyber security, everyone’s problem quickly becomes nobody’s problem.
To read the full article summary as it appeared in Managed Healthcare Executive, click here.