From the January/February 2018 issue of HealthCare Business News magazine
HCB News: What cybersecurity strategies has your health care organization been focusing on in the last year?
SH: The past year, which has been a major reality check for the health care industry, has made us honestly assess our vulnerabilities so we understand our risks. After this assessment, we created an action plan and timeline for fixing risks or any other identified issues. We have also worked on making sure we are adequately staffed from cybersecurity and privacy perspectives.
We also conducted a cybersecurity audit and are now looking at creating a cybersecurity response team. This team would look at incidents to determine if they are cyber in nature, and who needs to respond, with the ultimate goal of containing any breaches. Through this team, we would also evaluate how privacy comes into play in our cyber response, and how to determine if a breach occurred. Our assessments show how our response plan must go even deeper to include questions such as who do we key up from our media people, how do we involve the quality care office, what is the role of administration and other key factors. It is quite an undertaking, and why we are evaluating the need for a cyber response team.
We know it's not a matter of if a breach happens, but when, and we must be organized and understand how we will address these things when they do happen. It must be an organizational plan, not just privacy or just security. We know personal health information is the most valuable information on the black market, meaning privacy should always be involved, but we also must consider what role we play in touching the data forensically. We want the right people touching and analyzing the data.
HCB News: Have you encountered any challenges in implementing those strategies? If so, how did you overcome them?
SH: To be honest, the answer is no. Maybe it's because of the times we're living in or the numerous incidents happening to organizations of all sizes and types accompanied by backlash and other issues. Our organization leaders are understanding that time is beneficial for both being prepared and in terms of responding. We have received total buy-in from everyone in the organization, including the administration and the board. This is a great development, as the trust demanded from patients must come from the top down. Our board and executives are buying in, and wanting to know more as they're seeing the backlash and the effect on the organization's reputation in the media. The time is right, and the support is incredible, as we continue our readiness assessment and establishing cybersecurity task force and response teams.
