How federal cybersecurity measures can apply to healthcare
Erin McCann, Contributing Editor
Risk management never ends, says Jason Gates, an analyst in the engagement and resilience branch within the Office of Cybersecurity and Communications at Homeland Security.
“New cyber threats, vulnerabilities and consequences require the constant modification of risk management strategy,” he told attendees of a Nov. 14 virtual event focused on security within the healthcare industry.
This strategy is necessary at every level of a healthcare organization, he said, covering assets, facilities, IT systems, and the security and legal teams. If these strategies are implemented and maintained properly, and staff are trained appropriately, they can spare an organization a great deal of trouble.
Some 94 percent of healthcare organizations have reported at least one HIPAA breach, according to a 2012 study from the Ponemon Institute. But 52 percent of those breaches were found during an audit or an assessment, Gates noted, so it is worth being proactive.
Gates suggested healthcare organizations follow a five-step cybersecurity risk approach that DHS uses at the national level: the Cybersecurity Assessment and Risk Management Approach, or CARMA.
The first step of CARMA is discovering the scope of your planned cyber risk management activity. In other words, asking the right questions. Who and what will be involved — single assets or departments?
“Have you identified the right people from each department?” asked Gates. You’ll need representatives from IT, clinical and other departments.
The second step is identifying the cyber infrastructure that supports the sector’s critical function: the electronic information and communication systems, hardware and software that process, store and communicate information.
Three types of cyber infrastructure, said Gates, are business systems, control systems and access controls.
Then it’s on to conducting a cyber risk assessment. This involves identifying threats and vulnerabilities, and documenting any risk management measures your group currently has in place.