Why 'prevention security' isn't enough in healthcare

Data security is one of the healthcare industry's biggest obstacles, and the key to addressing that is understanding and identifying areas of risk, says Blair Smith, Ph.D., dean of Informatics-Management-Technology at American Sentinel University.

Smith, in an interview with HealthITSecurity.com, says some of the places where risk is highest in health IT include the practice of "bring your own devices" and cloud security. Mobile devices pose serious concerns for security personnel, he says, as more hackers and outside threats bring exposure and risks to organizations.

Just this week one of the biggest cyberattacks on a healthcare organization was announced. Community Health Systems is facing a breach in which the data of 4.5 million patients was compromised.

Smith tells HealthITSecurity.com that the industry has to "move beyond prevention security to proactive response technology."

Rogue employees also have to be a concern for facilities, according to Smith. Employees have easy access to data, he says, which they can take advantage of. To that end, security education through degrees and certifications is necessary to address those problems, Smith says.

In addition, he says, tools such as the Office of the National Coordinator for Healthcare Information Technology HIPAA risk-assessment tool or the HITRUST Common Security Framework are also helpful.

Through the U.S. Department of Health and Human Services and HITRUST, the industry is working on ways to mitigate risk. 

In April, HHS and HITRUST started monthly threat briefings to address recent and ongoing cyberthreats. And in March, they conducted a cyberattack simulation, which showed that there are many areas in which healthcare organizations need to improve security efforts and training, including collaboration and preparedness.

The Indian Health Service, an HHS agency, also did a mock cyberattack in March. It failed the test.

To learn more:
- read the Health IT Security interview