With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.
In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.
The healthcare industry faces unique security challenges, especially with the increasing interconnectivity of systems. How important is it for organizations to obtain vendors who understand healthcare-specific security requirements?
Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.
If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.
Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.
How would you approach implementing a security program within a healthcare organization that meets the legal requirements and industry standards and goes beyond them to ensure maximum protection? What key elements or components should be included in such a program?
A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.
An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.
The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.
Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?
Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.
Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed withing the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and highlight the importance of an approach to security measures that welcome rather than avoid adaptation.
The evaluation of the suitability of a security control should not perform in a silo as it must consider business objectives to not weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adapted within healthcare organization can protect data with more transparency all while promoting consumer-friendly accessibility and convenience (which are tenants of a good data governance program).
How can healthcare organizations foster a culture of security awareness among their employees?
It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:
Establish a consistent awareness communication program, with friendly trainings and succinct reminders about security controls.
Ensure that security is considered at the first stages of any material initiative having to do with data or technology (this is “security-by-design” operational principles). Your security team needs to be a partner in business enablement.
Ensure the security team is proactive and available to other departments to ensure a clear line of sight where questions may arise. Expect your security department to be available and responsive.
How do you see the future of cybersecurity in the healthcare industry? What emerging technologies or trends do you believe will shape the landscape, and what steps should organizations take to prepare themselves for these changes?
Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published from non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency of what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.
Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.
Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:
A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
Direction and guidance from expert GDPR practitioners.
Includes two licenses for the GDPR Staff Awareness E-learning Course.
Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.
Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.
“Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”
For example, NY financial institutions will be required to implement security measures in order to protect themselves against cyber attacks from March 1, 2017. They will need to not only maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, they will also have to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.
Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.
Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:
NIST SP 800-53
New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
ISO 27001, the internationally-recognized cybersecurity framework
Implement IT service management (ITSM) best practice the easy way with expert guidance and fully customizable pre-written documents created by ITIL® and ISO 20000 service management experts.
Guidance and documentation templates from service management experts to help all organizations improve their ITSM, adopt ITIL best practices, and/or achieve ISO 20000 registration
• Developed by service management gurus Shirley Lacy and Jenny Dugmore, the ITSM, ITIL & ISO/IEC 20000 Implementation Toolkit contains a complete set of tools and documentation templates, policies, and procedures that will enable organizations of all types and sizes to assess their current levels of service management and implement processes to deliver better services.
• Completely up to date with the latest editions of ITIL and ISO 20000, this toolkit makes administration and branding simple.
• The Office 2010 version features an integrated dashboard, allowing easy customization of templates, and one-click formatting.
• The ITSM, ITIL & ISO20000 Implementation Toolkit is the perfect investment for organizations that want an optimal route to implementing service management best practice, adopting ITIL, and/or achieving ISO/IEC 20000 registration.
Use SAVE15 at the checkout to save 15% on toolkit, containing all of the pre-written documents you need to accelerate your management system projects. Offer expires Monday August 31 2015.
ITGP: Thanks for speaking to us Andy. Let’s begin with your book. Most books on ISO9000 only cover the rules and requirements of ISO9000 and how you might implement it. Your book seems more ambitious. What was your thinking behind Exploding the Myths?
AN: I decided to write Exploding the Myths Surrounding ISO9000 as people are often confused about the purpose of implementing a quality management system to meet ISO9000, and what third-party certification involves. Some common myths have endured for more than 20 years – one of them being that ISO9000 is: “say what you do, do what you say”. I felt it was a good time to expose these myths and provide practical guidance on what an organization should consider, instead, when implementing ISO9000 and preparing for external certification.
ITGP: You felt there was confusion regarding the purpose of ISO9000 and certification?
AN: When I look at various online forums, people are posting questions about the basics of quality management and are clearly confused. Although, as you say, there are many books describing how to implement a quality management system, the background to ISO standards etc., these are mainly written from the theoretical point of view. Little has been written to address the “hearsay” which has accompanied the development of ISO9000 over the past 25 years.
ITGP: It sounds like this advice is long overdue and based on plenty of experience. How did you get started in quality management?
AN: I began my career in Quality back in the late 1970s. We relied very heavily on inspection and QC in those days. Luckily, in the mid-to-late 1980s, I was responsible for developing a quality management system to meet a NATO contract requirement using AQAP-1, which is the “great grand daddy” of what we know as ISO9001 today. We did what the AQAP-1 quality requirements told us, and delivered fault-free equipment and installed it without a hitch. This allowed me to pursue roles as implementer, supplier, quality and certification body auditor, as well as consultant and trainer.
ITGP: So, you’ve been meeting customers’ quality requirements right from the beginning of your career?
AN: Yes. The experience of implementing a quality management system to meet a customer’s contract provided an excellent foundation for understanding the basics of implementing quality management systems, without the confusion of third-party certification.
ITGP: Based on all your experience, can I ask what advice you have for those just beginning to use and implement ISO9000?
AN: For those starting out in quality management, and evaluating implementation of ISO 9000 it’s important to remember that much of what is required is already being done, if you are satisfying your customers. What’s needed is some formality to those processes and activities which are working well and then to work on improving them. ISO 9000 brings about a maturity in the way an organisation operates and then requires that management takes a long hard look at its performance and asks what needs correction and what needs improving.
If any organisation finds itself doing something “because of ISO” or “to keep an auditor happy”, then they have to question why this is happening.
ITGP: One final question before we run out of time. Â Are there particular parts of your work that you enjoy?
AN: In my position as certification body sales manager, I’ve found that assisting clients in understanding the certification process, what’s expected at each step and how to be successful is the most rewarding. Many organizations are new to the process of certification – even though they may have experience of customer audits, security audits etc. Being able to complete their knowledge, before they select a certification body and begin the process is enjoyable.
ITGP: I can appreciate that ensuring the client is properly informed is very important in making the right choices about ISO9000 and certification. I guess that’s also what made you write the book in the first place.  We’re out of time sadly, but many thanks for speaking to us.
English: ITIL Service Desk (Photo credit: Wikipedia)
Enhanced IT Service Management though integrated management frameworks
Learn how to integrate COBIT®, ITIL® and ISO/IEC 20000 for better IT Service Management
With the increasing popularity of ITIL® as a framework for IT Service Management (ITSM), a number of organizations have realized that this approach is sometimes not enough on its own. As a result, service managers are looking for ways to enhance their ITIL-based ITSM without having to throw it away and start again. Many are already working towards compliance with ISO/IEC 20000 — the International Standard for IT Service Management. With the recent release of COBIT®5, service management practitioners have even more options. However, until now, there has been little guidance on how to merge these frameworks, standards and methodologies to develop best practice across the ITSM function and produce a robust enterprise philosophy for service delivery.
Guidance on creating an integrated system
Written by service management gurus Suzanne D. Van Hove and Mark Thomas, Pragmatic Application of Service Management is the first book to provide guidance on creating an integrated system based on the three leading service management approaches: COBIT®5, ISO/IEC 20000 and ITIL and, to provide a unique mapping to assist service management practitioners in their information gathering. This practical book presents a holistic view of the three and enables service managers to immediately adapt and deploy the guidance, quickly improving their ITSM function.
Create a stronger, more robust Service Management System
Packed with instructive illustrations and helpful tables, this book is ideal for service managers, consultants, auditors and anyone who is considering adopting, adapting or merging COBIT®5, ISO/IEC 20000 and ITIL. Through mini case studies, the authors apply their unique Five Anchor Approach to demonstrate how the improvement aspects of COBIT®5, ISO/IEC 20000 and ITIL can help identify and deal with common problems faced by today’s organizations. Read this book to learn how to merge COBIT®5, ISO/IEC 20000 and ITIL for better service management
About the Authors
Dr Suzanne D. Van Hove is the founder and CEO of SED-IT. A prior Board member of itSMF USA and recipient of the Industry Knowledge Award as well as Lifetime Achievement, she is an advocate for professionalism within Service Management.
Mark Thomas is the founder and President of Escoute, LLC, an IT Governance consultant as well as the previous President of the itSMF USA Kansas City LIG and COBIT® SIG. As a well- known ITIL and COBIT® expert with over 20 years of professional experience, Mark’s background spans leadership roles from datacenter CIO to Management and IT Consulting. Mark has led large teams in outsourced IT arrangements, conducted PMO, Service Management and governance activities for major project teams and managed enterprise applications implementations across multiple industries.
New IT-GRC Glossary from IT Governance designed to simplify industry terms
IT Governance Ltd, the single source provider of IT governance, risk management and compliance (IT-GRC), has just published a glossary on their website.
The IT-GRC glossary is designed to help IT professionals recognize the wide range of acronyms used within the industry to further their understanding and avoid confusion.
Currently there are 70 terms in the glossary and IT Governance is looking to grow this significantly. IT Governance is encouraging readers to contribute to the glossary with new terms or refined definitions so that the glossary continues to develop and become a resource for IT professionals to use worldwide.
The glossary contains a wide range of IT governance terms, including information security, business continuity, quality management, IT service management and IT governance topics. The glossary is arranged alphabetically and provides easy-to-use definitions that drop down when clicked. The definitions have been written and edited by industry experts and link to information pages for further guidance. View the glossary:
Founder and Executive Chairman of IT Governance Ltd, Alan Calder, explains the reasons behind developing the glossary: “The industry within which we operate in contains a huge number of shortened phrases and acronyms which can be somewhat confusing for those starting out in their career. With different associations, institutions, standards, frameworks and certificates to remember, we decided it was important to start documenting these terms so that beginners would have a useful source to refer to.”
This new resource further strengthens the IT Governance mission statement of “approaching IT from a non-technology background and talking to management in their own language”. The glossary reduces industry jargon and simplifies terms for IT professionals.
The glossary has been added to the growing number of resources offered from IT Governance, which includes a wide number of green papers, product demos and case studies – all which are freely available to download.
Are you implementing, or thinking about implementing, the COBIT 5 framework?
ITG COBIT bookstore includes all the titles you’ll need to help support your implementation of COBIT 5 and get the most out of this IT governance control framework.
A guide to optimising resources and minimising risk, using the COBIT 5 framework to establish appropriate standards of security for the introduction of new technology.
In this manual you will be shown how the relevant frameworks, best practices and standards for information security can be adapted to form a cohesive framework using COBIT 5.
The Governance & Control Toolkit has been designed to help simplify the complex implementation of COBIT 5. Containing all the documents and policy templates you’ll need to cover the 37 COBIT processes this toolkit will dramatically speed up your implementation project.
Download one of IT Governance industry leading ebooks. IT Governance source and publish titles on cyber security, compliance, project management, risk and IT service management.
Fantastic Reads… All Better Priced Than Amazon
Learn and stay ahead on your topic of choice. download an ebook today!
ISO22301: A Pocket Guide is designed to help you do what is necessary to satisfy the requirements of ISO22301. With the expert advice contained in this guide, you can ensure your organisation develops a business continuity plan that is fit for purpose.
30 Key Questions that Unlock Management is a book that provides direct responses to real questions posed by real people in management. Each section contains practical advice and immediate steps you can take to deal with the issue at hand.
Brush up on your soft skills and see the working relationships with your IT Audit clients flourish. Exploring how and why an auditor can remain trapped in an ascribed role, this book fills a gap in the market by helping the reader to avoid the traditional finger-pointing stance and instead become a convincing partner with business and technology counterparts.
Running IT like a Business will show you how your IT function can add real value to your business, taking guidance from Accenture who doubled its revenue in ten years. With clear strategies, helpful diagrams and real-life examples, this book will give you the keys to unlocking your IT function’s hidden potential.
Understand how to bring your SAP projects in on time and within budget with the help of this guide, written by Project Management Professional and Certified ScrumMaster, Sean Robson.
This pocket guide describes the crucial issues of Corporate IT governance and guides how to align with organization business objectives.
This book is easy to read and understand for both technical and non-tecnical readers and very useful for IT Governance, IT Audit and information security professionals. This book include the IT Governance framework (Calder Moir) which guides the professional on how to align the IT governance with business goals of an organization.
This pocket guide describes the drivers for IT governance
why it matters; the relationship between IT governance, risk management, information risk, project governance and compliance risk; lists the symptoms of inadequate IT governance and the benefits that can be won by implementing an IT governance framework, and describes – in principle – how to go about doing this.
This pocket guide covers:
Why IT Governance Matters
Drivers for IT Governance
Strategic and Operational Risk Management
Symptoms of Inadequate IT Governance
What is an IT Governance Framework?
Benefits of an IT Governance Framework
The Calder-Moir IT Governance Framework
This is a good overview of this important subject from the author of IT Governance: Guidelines for Directors.
Wouldn’t it be nice to have someone doing all the dull stuff for you?
1. The IT Governance documentation toolkit contains 1591 pages of pre-written policies, procedures, checklists, guidance, presentations, planning tools and diagrams.
2. The IT Governance documentation toolkit can save you thousands of pounds, countless hours of time and an awful lot of stress.
3. The IT Governance framework integrates CobiT, ITIL, ISO27001/2, ISO20000, Prince2, PMBOK, TOGAF and many other concepts.
4. The IT Governance documentation toolkit is cheaper than one day of consultancy.
, the internationally-recognized cybersecurity framework
