Tuesday, February 21, 2017

What do healthcare organizations need to hear from their chief information security officers?

After almost eight years as chief information security officer (CISO) at Temple University Health System, Mitch Parker joined Indiana University Health last September. There, he told executives what he had told his team at Temple: cyber threats are not an information technology department issue but a security issue for the organization. CISOs who are new to an organization need to stress the problems that cyber threats represent and the adequacy, or lack thereof, of its current security procedures, Parker said Sunday during a presentation at HIMSS17.

That starts with educating other executives about breaches: why they occur in the first place, what the technology behind them is and, most importantly, the process failures that lead to them.

CISOs should describe the threat landscape using neutral sources such as Gartner, the Ponemon Institute and health insurers to brief colleagues on trends and emerging threats. They should also insist that the organization join cyber threat-sharing initiatives in their region and across the industry.

Information security must be tied to two enterprise levels, information systems and the organization's strategy, Parker stressed. "Metrics need to concentrate on augmenting and supporting the overall strategy," he said.

Parker recommended adopting the Lean methodology to improve security performance, because Lean is about process improvement and about asking why suboptimal processes are allowed to persist. Everyone responsible for information security, wherever they sit in the organization, should be told that they need to understand Lean.

Lean should also be used to design and maintain the processes that touch business customers, enterprise architecture, legal contracting, compliance, supply chain and enterprise risk scoring, so that the many teams involved stay aligned on security.

This is grunt work, Parker cautioned: “You cannot buy your way into this.”

An organization that decides to purchase cyber insurance must understand that it will have to complete a comprehensive risk assessment, with pointed questions about the strength of its security program. Insurers are not the only ones looking for that assessment; so is the HHS Office for Civil Rights, which enforces the HIPAA Privacy, Security and Breach Notification Rules.

Good information security, Parker said, has hooks into clinical risk management, insurance, emergency preparedness, privacy, corporate compliance, supply chain, revenue cycle, information management and Joint Commission requirements, among other areas.

To succeed across that long list, an organization must adopt change management as a single enterprise-wide model, Parker advised. "If one player says, 'I do my own change management,' it will not work. Either there is one change management program or there is none."
