Information security in health care – four critical errors

By Kevin Doyle, Security Audit & Assessment Manager, Reclamere | Security, healthcare, risk management

As the first Information Security Manager at a fairly large financial institution, I lived by trial and error for a while. Admittedly, I made mistakes along the way, but the good thing is I learned from them and most of the time put what I learned to use.

Working with managers at various types of organizations, such as health care providers, has also been a learning experience. I have learned that we are all human and are prone to reacting to whatever is in front of us: new laws, major incidents, trends, etc. That is what I refer to as reactive Information Security Management. Realistically, it is the biggest problem with how information security has been deployed since we were charged with this task. It is how the vendors deploy solutions, and it is how senior management communicates concerns to information security management. “This solution will help you to address the latest phishing threats.” “How are we making sure that the congressman’s medical condition won’t show up in the newspapers, like it did at the hospital on the other side of town?”

The errors below are some critical mistakes that are made when dealing with information security in health care institutions. All of them are either directly or indirectly related to being reactive rather than having a proactive Information Security Risk Management program in place. After all, Information Security is about defining the critical information generated, assessing the risks to that information, and mitigating the risks by implementing controls and solutions that are consistent with the mission and objectives of the organization.

1. Presuming that HIPAA Compliance is Security – Legislators are concerned about their constituents, because that is who elects them. HIPAA was enacted as a reaction to security breaches of health care information about consumers. It is important to protect private health care information. Privacy is a major concern of security, but it is not the only concern.

Health care providers have created positions for Privacy Officers strictly to comply with HIPAA. Some of those same organizations don’t even have a full-time Information Security Officer. The three major concerns of information security are the confidentiality, integrity, and availability of information. Privacy is a part of confidentiality. The most critical security concern of health care organizations is the integrity and availability of information, rather than privacy. Doctors and nurses require accurate information at all times to provide adequate care for patients.

By deploying disproportionate resources to protect privacy at the expense of the other security concerns, we are managing resources ineffectively.

2. Basing Security on the Systems Rather than the Critical Information – This mistake is one that I made initially when managing my security program. I developed policies but was ineffective at educating users. I spent a lot of money on protecting my systems. Firewalls, intrusion detection systems, filtering solutions, etc. were put into place. In the meantime, users with access to all of that information could easily walk out the door with paper reports full of critical information and I never would have known it unless a problem occurred. But I had the toys to protect my technology!

Security must be looked at holistically. Information exists in all forms, not just on the systems. Information Security must assess the risks to information in all forms and in how it is transmitted from one party to another. Ignoring that principle is behind many of the breaches that occur.

3. Ineffective Awareness Programs – Another lesson that I learned is that users care about security, but only if it does not interfere with what they have to get done. The key in that statement is that they DO care about security. The users’ main concern, whether it is the person entering information in the waiting room, nurses, lab workers, or physicians and administrators, is that information and systems are available to do their jobs.

Very few people want to disclose private information to the wrong parties, or intentionally enter inaccurate information about patients into a system. They recognize that security is important. However, ineffective awareness programs do not create the culture needed to protect information at the human level.

Information security awareness is about teaching people to be part of a team that protects information. There are ineffective and effective ways to accomplish this. Effective programs will result in users being alert to parties trying to get information or access they are not entitled to. These programs are not viewed as a nuisance, but as a persistent tool that can help users effectively perform their job. Without an effective program, accidental security breaches are likely to occur.

4.
