The 17th annual HealthCare’s Most Wired™ survey was released last month by the American Hospital Association (AHA) and the College of Healthcare Information Management Executives (CHIME). Health data security and patient engagement were listed as top priorities, according to the survey, with privacy audit systems, provisioning systems, data loss prevention, single sign-on and identity management listed as areas that showed the most growth.
Moreover, various healthcare providers were named to the “Most Wired” Hospital list in 2015, for proving that not only are they tech-savvy, but are committed to improving patient care and health data security measures.
Grants, New Mexico-based Cibola General Hospital was one such healthcare provider that was named “Most Wired.”
Improving health data security and privacy measures by regularly checking for flaws is essential, according to Cibola Director of Information Technology Rick Smith. Implementing the services of an “ethical hacker” was just one example that he gave in an email interview with HealthITSecurity.com of how healthcare organizations can ensure that their data security measures are properly maintained.
HealthITSecurity.com: What does it mean to Cibola to be named one of the Most Wired Hospitals?
RICK SMITH: It means that we are being recognized for our commitment to security, identity management, the underlying technologies necessary to support clearly defined business needs and CMS requirements. It also represents leadership and support from our Board of Directors and our Senior Management team. Last but certainly not least, it demonstrates our commitment to patient involvement in their individual care plans. There are only two hospitals in New Mexico which received this award. Presbyterian Hospital in Albuquerque, which is huge, and a tiny little 25 bed critical access hospital in Grants, New Mexico. This speaks volumes.
HITS.com: How has Cibola worked to improve its privacy and security measures, along with implementing new technologies?
RS: On an annual basis, we engage the services of an “Ethical Hacker” to find any vulnerabilities in our network. The few potential vulnerabilities we had discovered were addressed immediately. We have implemented an SSO (Single Sign On) Solution, which empowers staff to manage their user accounts and passwords more effectively and efficiently. We have worked with QHR (Quorum Health Resources) to perform Risk Assessments and then remediated any weaknesses we have discovered. We have created ongoing reminders for our staff regarding the need for sound security practice.
We have created an intranet page, accessible only from our network, which we leverage to create ongoing reminders. When any user logs into the network, the first thing they see is our intranet page, so that they don’t have to go to it. It comes to them automagically.
We have implemented web content filtering, using a Barracuda Networks appliance. This too mitigates our potential exposure to web sites that staff don’t even know can be harmful.
We have cultivated trusted relationships with several business partners, who understand our unique business needs as regards security and privacy. Solutions they recommend to us conform to our standards.
HITS.com: In your opinion, what are top health data privacy/security issues in 2015?
RS: Senior Management not fully understanding the risks, lax to non-existent security practices, a lack of documented policy and procedures, and the relative expense of automated tools to monitor firewalls, servers and workstations.
HITS.com: In light of recent large-scale data breaches (i.e. Anthem and Premera), what are important takeaways for healthcare organizations?
RS: Trust and verify. The mere fact that a vendor says that a solution is safe does not make it safe. The fully loaded cost of a project is verifying that a solution and your data are safe.
Document, advertise and enforce policy and procedure. Everyone needs to know why certain internet services are blocked. Social media can be an important part of doing business, but not at the risk of giving up the farm.
Additionally, risk analysis is a critical component of risk management. If you want to know how vulnerable your network is to hackers, pay an ethical hacker to find a way in and don’t be afraid of the outcome. If your hacker discovers vulnerabilities, measure them and put a plan together to mitigate or eliminate that risk.
HITS.com: What do you think the outlook is for healthcare privacy and security? Will organizations ever be able to “get ahead” of cyber attackers?
RS: As long as there is a reward, be it monetary or mere notoriety, for breaking into corporate networks, there will be those who try. The only way to protect yourself is through being ever vigilant. If a user isn’t authorized, then they don’t get access. Use session timeouts on all applications. Document, implement and enforce sound security practices. Implement the latest edge devices to strictly control who has access to your network. Security isn’t a part time, once in a while job.
Sign up to receive our newsletter and access our resources