There are day-to-day blocking and tackling tactics that every healthcare organization should be doing right now to reasonably address the current security threat landscape.
And there is guidance in the industry that can help organizations of all shapes and sizes protect themselves from cyber criminals and other miscreants.
"There is proven work that information security professionals have traditionally done, and we need to get these basics right, we need to be performing these functions," said Sanjeev Sah, chief information security officer and director of IS risk and controls at Texas Children's Hospital, where he recently completed work on a three-year strategic plan for security.
To help address security basics, Sah points to the Common Security Framework from the Health Information Trust Alliance, better known as HITRUST, and to the CIS Critical Security Controls developed by the National Security Agency, the U.S. Department of Energy and U.S. law enforcement organizations.
Learn more at the upcoming HIMSS and Healthcare IT News Privacy and Security Forum, May 11-12, 2016, in Los Angeles. Register here.
"Every CIO and CISO should consider focusing on critical controls and using a programmatic approach to achieve effective security," said Sah, who uses HITRUST Common Security Framework to "guide our programs and prioritize our approach to security. And then there is the CIS Critical Security Controls, which give you a prioritized approach in terms of implementing technical safeguards that may give you the best opportunity to protect the organization, especially if you are starting fresh."
At Texas Children's Hospital, for example, Sah ensures security technologies send alerts that clearly delineate what security and IT staff should be paying attention to, perhaps a potential advanced threat buried among hundreds of thousands of threats that merits the attention of the security team so staff can take meaningful action based on the level of the threat.
"A healthcare organization must ensure its posture is appropriate from a network security perspective and from an end-point security perspective," Sah said. "For example, an organization should handle critical systems and applications with a higher level of protection from a network perspective. And when it comes to end-points, an organization should ensure there are proper safeguards such as whitelisting and black-listing and encryption technology, actually employed on every device deployed. Basic measures go a long way in enabling people to do the right work, focused on the threats that require immediate and appropriate responses."
And then there is the human factor: The single most important factor here is education – and not just once in awhile, as traditionally has been done, but on an on-demand basis as threats emerge, Sah said.
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
"Taking a proactive approach to educate employees about ransomware and the steps they can take to avoid that threat from taking a foothold in your network would be very helpful," he said.
"If a person does not click on a malicious message and download the malware that comes with it, that would prevent a threat from going any further. Beyond all the technical safeguards at play, education and awareness to effect change in user behavior is the paramount foundational step that must take place."
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com