Building a culture of security awareness in healthcare begins with leadership

With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.

In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.

The healthcare industry faces unique security challenges, especially with the increasing interconnectivity of systems. How important is it for organizations to obtain vendors who understand healthcare-specific security requirements?

Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.

If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.

Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.

How would you approach implementing a security program within a healthcare organization that meets the legal requirements and industry standards and goes beyond them to ensure maximum protection? What key elements or components should be included in such a program?

A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.

An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.

The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.

Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?

Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.

Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed withing the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and highlight the importance of an approach to security measures that welcome rather than avoid adaptation.

The evaluation of the suitability of a security control should not perform in a silo as it must consider business objectives to not weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adapted within healthcare organization can protect data with more transparency all while promoting consumer-friendly accessibility and convenience (which are tenants of a good data governance program).

How can healthcare organizations foster a culture of security awareness among their employees?

It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:

• Establish a consistent awareness communication program, with friendly trainings and succinct reminders about security controls.
• Ensure that security is considered at the first stages of any material initiative having to do with data or technology (this is “security-by-design” operational principles). Your security team needs to be a partner in business enablement.
• Ensure the security team is proactive and available to other departments to ensure a clear line of sight where questions may arise. Expect your security department to be available and responsive.

How do you see the future of cybersecurity in the healthcare industry? What emerging technologies or trends do you believe will shape the landscape, and what steps should organizations take to prepare themselves for these changes?

Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published from non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency of what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.

Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.