To protect sensitive patient data, healthcare organizations must first understand its value, according to Kevin Stine, manager of the Information Technology Laboratory (Security Outreach and Integration) at the National Institute of Standards and Technology (NIST).
In addition, he said in a recent interview with Health IT Security, organizations must understand the different threat models that exist for various connected devices and the different security considerations for addressing those risks in a meaningful way.
"All of your security strategies and solutions should stem from an understanding of the value of ... data," Stine said.
What's more, the key to cybersecurity preparedness, he said, involves having an incident response and recovery plan in place that's tested and part of a program of continuous improvement. That includes having a communications plan ready, both internal and external, in case of an incident.
"Make sure you've tested it and go through a process of improvement to make sure that plan continues to be, and that capability you have continues to be, effective given a variety of different types of cybersecurity events," Stine said.
Cora Han, a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission, stressed at an event in the District of Columbia in September that keeping security plans current is an ongoing process. She urged organizations to establish a process through which employees and others can report a vulnerability they have spotted.
NIST and the National Cybersecurity Center of Excellence (NCCoE) recently released a how-to draft guide for securing private and sensitive information stored on employees' mobile devices.