Follow the data to improve security preparedness, hospital CISO says

Healthcare organizations must shift their thinking about security to improve their preparedness, according to Joey Johnson, chief information security officer at Premise Health in Brentwood, Tenn.

Johnson, in an interview with HealthcareInfoSecurity, says that one of the biggest problems with healthcare data is that there are so many copies of it sent to pharmacies, insurers and other places.

"When one patient comes in ... by the end of the ecosystem, your data has been copied lots of times," he says. "HIPAA has governance of that, but even HIPAA peters out after a point. ... That means there's no single data set to control."

What's more, he says, with wearables entering the picture, there are increasing questions about where data lives, who's responsible for it and how to prioritize conflicting privacy issues.

Rather than focusing on compliance, Johnson urges organizations to focus on the location of healthcare data, how it moves and who has access to it. They should operate under the premise that they will have compromised assets.

Most organizations, he says, can't answer the question, "How would you know if you're leaking data?"

"If you read the headlines, they invariably say, '18 months ago or 24 months ago, this breach happened,' and we're just now finding out about it," Johnson says. "They're so focused on tools like antivirus software or data-loss-prevention tools, but they're actually missing it when the data is being absconded."

Healthcare organizations are subject to about one cyberattack per month, according to the Ponemon Institute, with attacks increasing in frequency and sophistication.

Meanwhile, lawmakers recently lambasted the Department of Human Services for "sluggish" response to developers' need for more technical guidance on HIPAA.

To learn more:
- listen to the HealthcareInfoSecurity interview