To ensure funds for your hospital's IT security efforts, be proactive

Looking to ensure funding for your healthcare organization's security efforts? You'd be wise to take a proactive approach, hospital IT personnel recently told HealthcareInfoSecurity.

Chuck Christian, CIO at Columbus, Ga.-based St. Francis Hospital, compared the task to buying insurance. "Getting and maintaining funding is always a chore; that is, unless you have an 'issue' that you've recently had to deal with," Christian said. "Project-specific funding is an approach, but these may be tied to physical hardware acquisitions; other projects may be related to program or risk analysis."

To that end, another method for increasing your odds of receiving funding is "project-iz[ing] risks" so they're more easily managed, according to Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth in Portland, Ore.

"This is not to say that security should be 'point-solution' based," Paidhrin told HealthcareInfoSecurity. "There needs to be a comprehensive security governance model, framework and action plan--a roadmap. But it can't be accomplished easily as a large, amorphous domain."

Despite the much-publicized update to the HIPAA omnibus rule in January, many healthcare organizations remain in the dark with regard to privacy regulations, according to the U.S. Department of Health & Human Services' Office for Civil Rights. What's more, many healthcare organizations increasingly are leaving themselves open to data breaches, according to a recently published Ponemon Institute report.

However, a report published in February by (ISC)2--a Palm Harbor, Fla.-based non-profit organization that administers the Certified Information Systems Security Professional (CISSP) certification--found that many healthcare security pros believe that their departments are understaffed.

John Houston, vice president and privacy and information security officer at UPMC, told HealthcareInfoSecurity that, due to the constant evolution of both services delivered and threats, security always must remain a priority.

"As all these factors shift, we need a security program that addresses that," Houston said. "[N]ow it's like warfare, it's like fighting in Iraq, where there are insurgents everywhere--there's a constant need to update and manage."

To learn more:
- read the full HealthcareInfoSecurity article