Knowing your data and where it resides is the most basic element in building a robust data-security plan, Cris Ewell, CISO of Seattle Children's Hospital, told Healthcare Info Security in an interview.
"You have to understand what the threats are and have a process to identify and mitigate those high risks," he said.
While lost or stolen devices and unauthorized access to records have been the biggest threats to healthcare organizations in the past, he sees an increase in hacking and targeted attacks.
Securing data is "not a technology problem, it's not a privacy problem, it's not just a security problem. It's an institutional problem," Ewell said. "You have to have the cooperation and participation of the entire enterprise."
Seattle Children's has an active, ongoing employee education program as part of its security and HIPAA compliance efforts. For example, it requires workers who use personal devices to register them with its information security department, which monitors the devices on the network daily; if a worker adds a new or replacement device, staff ask what happened to the old one.
"You need to have roles and responsibilities clearly defined ahead of time. Know who's in charge of the incident, know your process and have an investigation method that you use to ensure you're addressing all the risk elements," Ewell said.
Meanwhile, a recent cybersecurity drill revealed that some healthcare organizations need to improve their "basic blocking and tackling," noted Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services. He said organizations must be more willing to share information and best practices in order for the industry as a whole to improve.
To learn more:
- find the interview