Healthcare organizations must take a data-driven approach when it comes to security efforts, David Severski, manager of the information security program at Seattle Children's Hospital, tells Healthcare IT News.
He likens the use of data in security and risk management to evidence-based medicine.
In addition, because no health organization has unlimited resources, it has to prioritize. At Seattle Children's, Severski says his team provides data-driven analyses to upper management to help them do that. The health system has a program that pulls in data so that each threat can be weighed against the risk it actually poses.
As security expert Kevin Fu has pointed out, security must be clearly defined and measurable.
One area that needs attention is patch management, Severski says. It's not possible to patch every workstation, medical device and server at once. So where should the organization focus its resources? To determine that, Seattle Children's security team identifies what needs to be protected, what the assets do for the institution, the data the assets can access and how attackers can reach those assets.
With an electronic health record system buried in deep layers of security on an internal network, there could be other means of attack that are more important to address than patching, he adds.
"If you are not applying a data-driven, scientific approach to managing your resources, you are managing at best by instinct," he says. "And in a competitive business world, instinct is not enough."