Healthcare Security Investments Through Risk Assessments

By Apac CIO Outlook | Monday, December 03, 2018

The healthcare industry has been going through a continuous shift from being a compliance-driven industry toward realizing that security is something different, and requires its own attention. The speed at which attackers are evolving is the single biggest challenge for the healthcare industry right now. There are risks to data, patient safety, care delivery, reputation, the business itself, and even the ability to earn money by delivering healthcare. Covered entities must understand which areas of their infrastructure are at the most risk and how those risk areas must be addressed.

Implementing a Cybersecurity Framework, Employee Training Programs

Cybersecurity frameworks fulfill various purposes for the healthcare industry. An ideal framework can help a company identify the risks associated with the organization. It can also help organizations identify its security goals, determine all the security gaps, and how to best address those existing gaps within the organization. Frameworks can also enable organizations to establish a standard terminology in terms of expressing its current state of security within the organization and with external stakeholders.

Healthcare organizations can also leverage cybersecurity frameworks to express their organization's risk tolerance and chosen governance approach. Frameworks can also be utilized to make numerous decisions encompassing staffing, training, security technologies, and budgeting. Such executive-level decisions will eventually need to be communicated and executed on a technical level as well.

Avoiding Disparate Cybersecurity Programs

Industry leaders suggest that a robust healthcare cybersecurity program needs to surround a top-down effort. Security needs to be driven by the business' requirements and executed on the technical level. In order to set the goals right, the executive and the technical teams must be able to communicate and connect to note down every detail.

Typically, frameworks can be implemented at a basic or advanced level depending on the company's requirement. Once that decision is made, an organization-wide framework can be set up and then executed accordingly.

Rather than taking the best-of-breed approach to security, it is much more efficient to use a partnership and strategic partner type of approach. This creates less overhead, fewer management concerns managing this technology, and also most likely constitutes a better vendor relationship. Organizations can have a deeper, more strategic relationship rather than just buying one technology here and another one there.