“Remedying the problem starts with a good look at how health-care-related software is built and making sure that security is a priority,” Wysopal says.
Changing the mind-set
Part of the security crisis in health care is cultural. As long as the work of IT and security personnel is treated as less significant than that of medical professionals, the two groups will remain in conflict.
Security awareness is necessary -- but it must be balanced against the fact that much of the staff has demanding schedules and may be inclined to skip training.
Health care’s rigid focus on compliance, especially with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is part of the problem. Maintaining patient privacy matters, but treating compliance as the goal rather than a baseline leaves gaps in network and endpoint security. Recent attacks show that HIPAA compliance counts for little if employees fall for social engineering and hand over their login credentials, as happened in the Blue Shield breach -- or if laptops holding employee records are lost without having been encrypted, or if computers running outdated software are exposed to web-based attacks.
The balance of power is lopsided in health care organizations. Despite the abundance of valuable data and technology, the bulk of the decision-making authority rests with doctors and medical personnel, not IT. At budget time, IT and security spending typically takes a backseat to buying new medical systems and hiring additional medical staff.
That needs to change. Without proper IT and security management, health care organizations will find their ability to offer quality care compromised.