Where should healthcare organizations focus their security spending in 2014? With cyber attacks growing more sophisticated and with more severe regulatory enforcement in place, it's a vital question, John D. Halamka, chief information officer of Boston's Beth Israel Deaconess Medical Center, writes on his "Life as a Healthcare CIO" blog.
His spending wish list includes:
- Denial of service/distributed denial of service mitigation: The attack against Boston Children's Hospital earlier this month illustrates the threat posed by overwhelmed servers. Not only can cloud-based services be disrupted, but networked medical devices can even inadvertently be affected. It's better to be prepared than reactive, Halamka points out, advocating for appliances and services to reduce the impact.
- Security information and event management: Threat analysis based on multiple data streams--technology that makes sense of all the log files being produced--is vital to identifying threats and managing them, he says.
- Network forensics: Reconstructing who did what when becomes essential in reporting incidents to authorities or in prosecution. Eighty percent of respondents to a recent HIMSS security survey cited insider snooping as a motivator behind their own data-security efforts. Though HIPAA audits are expected to be narrower starting this fall, healthcare organizations must ensure that their documentation is meticulous, Adam Green, a privacy attorney with Washington, D.C.-based law firm Davis Wright Tremaine, has warned.
Meanwhile, Scott Erven, head of information security at Essentia Health, revealed how ridiculously easy it is to hack medical devices and the alarming potential that exists to do harm.
One of the lessons from the recent cyber attack simulation CyberRX was a need for more information-sharing within healthcare--rather than worry about liability--to advance security across the industry as a whole.