Establishing a Culture of Security Awareness in Healthcare Starts with Leadership

As healthcare institutions increasingly turn to modern trends such as cloud computing and remote work, they must balance accessibility and convenience with strong security, and fostering a culture of security awareness has become paramount. In a recent interview with Help Net Security, Ken Briggs, General Counsel at Salucro, emphasized that understanding upcoming technological shifts and trends is crucial for preparing ahead of them.

With the increasing interconnectivity of healthcare systems, the industry faces unique security challenges. Monitoring healthcare-specific security requirements is a full-time job, so organizations should select vendors who deeply understand the standards, complexity, and sensitivity the healthcare industry demands. The vendor must also be able to build technology suitable for use by sophisticated healthcare enterprises. Organizations should therefore expect vendors to be thoroughly familiar with healthcare security requirements and opt for healthcare-specific vendors whenever possible.

A security program that meets legal requirements and industry standards, and goes beyond them to ensure maximum protection, must be tailored to the healthcare organization. The organization must trace what data is stored or processed and map security controls both internally and externally across vendors. It must also dedicate time to ensuring that appropriate administrative, technical, and physical controls are in place, at the organization and at its vendors, to protect stored and processed data. However, the fundamental principles of identifying true risks, evaluating the impacts of those risks, and reducing those risks through existing controls remain the same.

The rise of cloud computing and remote work, among other trends, raises considerations that healthcare organizations need to keep in mind to maintain a strong security posture while balancing convenience and accessibility. Sophisticated security organizations work hard to build flexible security programs, but they must revisit the program on a fluid cadence to ensure that external and internal changes are covered by the security controls. The suitability of a security control should not be evaluated in a silo: the evaluation must consider business objectives so that the control does not weigh down the business unnecessarily. The move to Point-to-Point Encryption in payment systems, for instance, can be offloaded to a vendor while reducing administrative barriers.

Fostering a culture of security awareness among employees requires leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. A consistent awareness communication program, security-by-design operational principles, and a security team that is available to answer questions are the fast track to creating a security-minded culture.

As for the future of cybersecurity in the healthcare industry, cybersecurity controls will continue to be bound together with privacy standards. Sophisticated healthcare organizations are already eliminating silos between privacy and security operations and ensuring that the security program is well documented, from policies to actions. Legal frameworks will permit a discretionary application of security controls, referencing security standards published by non-governmental security organizations as “industry standard.” This may bring more transparency about what is deemed an acceptable standard, but healthcare organizations may need to undergo external third-party audits. Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other.

In conclusion, healthcare institutions should strive to balance accessibility, convenience, and strong security as they turn to modern trends such as cloud computing and remote work. Fostering a culture of security awareness, selecting vendors who deeply understand the healthcare industry’s unique security requirements, tailoring security programs, and keeping up with emerging trends and cybersecurity measures are all paramount for healthcare organizations to protect sensitive data and stay ahead of the curve.
