SearchHealthIT spoke with Gary Seay, former senior vice president and CIO of Community Health Systems in Franklin, Tenn., one of the early victims of a healthcare data breach, about cybersecurity in healthcare. Seay retired at the end of 2015 and became principal of BrightWork Advisory, LLC., a practice focused on enabling innovative healthcare solution success. Seay talked to SearchHealthIT about what every healthcare organization should be doing to ward off cyberattacks and the specific technologies involved in maintaining cybersecurity in healthcare.
What would you say are the most important things a healthcare organization should do to remain secure?
Gary Seay: The first consideration should be a rigorous review of the nature of data actually being aggregated and stored. Personally identified data should absolutely be minimized. If it's required, it must be encrypted at rest. A lot of corporations, however, create data warehouses and repositories and fail to deidentify patients, creating very attractive honeypots for a cyberterrorist or an attacker to exploit.
What are the three most essential data security measures a healthcare organization should be taking? You mentioned encryption but what about network monitoring or penetration technologies, for example?
Seay: Let's talk a minute about active and passive defense ... strategies. So, active defense strategies include things like firewalls, blacklisting and scanning, patching, antivirus ... management, and so forth. Passive defense strategies include things, in my mind, like regular cyclical environmental scanning; behavior pattern monitoring and evaluation; two-factor and biometric authentication; and rigorously maintained, need-to-know, role-based data access management.
You mentioned encryption of data at rest, how important is it to also encrypt data in transit?
Seay: I guess I assumed that everyone today is robustly encrypting everything in transit; both internally and externally.
So that's something everyone should be doing?
Seay: Absolutely should be. ... Many of us have not been encrypting data at rest, presuming it's safe behind firewalls and other protections. That's an invalid assumption. We need to acknowledge that and move on -- either encrypt or aggressively deidentify. The objective is to create data repositories that have no legal or operating exposure inherent in them structurally. If that kind of structure is required, we must defend it.
If a healthcare organization hasn't embarked on the security measures we've talked about, what advice do you have for them as they start to use these technologies to effectively maintain cybersecurity in healthcare?
Seay: I would strongly advise engaging a reputable external expert to assess current protocol and practice, identifying structural weaknesses, opportunities for risk management, compliance, and improvement that require immediate investment and response. Prioritize other appropriate strategies, technology investments and protocols to continue reducing risk to approved levels with executive management. No one should be relying exclusively on internal resources, irrespective of scale. When it comes to the issue of cyberthreat management and security compliance, the challenge is establishing an externally obvious set of practices and protocols that demonstrate organization commitment to robust protection. It's about credibility, it's about trust, it's about objectivity. This cannot be accomplished relying exclusively on inside talent and introspective leadership.