June 04, 2009, 8:30 PM — As the first Information Security Manager at a fairly large financial institution, I lived by trial and error for a while. Admittedly, I made mistakes along the way, but the good thing is I learned from them and most of the time put what I learned to use.
Working with managers at various types of organizations, such as health care providers, has also been a learning experience. I have learned that we are all human and are prone to seeing and reacting to new laws, major incidents, trends, etc. However, that is what I refer to as reactive Information Security Management. Realistically, that is the biggest problem with how information security has been deployed since we were charged with this task. It is how the vendors deploy solutions, and it is how senior management communicates concerns to information security management. “This solution will help you to address the latest phishing threats.” “How are we making sure that the congressman’s medical condition won’t show up in the newspapers, like it did at the hospital on the other side of town?”
The errors below are some critical mistakes that are made when dealing with information security in health care institutions. All of them are either directly or indirectly related to being reactive rather than having a proactive Information Security Risk Management program in place. After all, Information Security is about defining the critical information generated, assessing the risks to that information, and mitigating the risks by implementing controls and solutions that are consistent with the mission and objectives of the organization.
1. Presuming that HIPAA Compliance is Security – Legislators are concerned about their constituents, because that is who elects them. HIPAA was enacted as a reaction to security breaches of health care information about consumers. It is important to protect private health care information. Privacy is a major concern of security, but it is not the only concern.
Healthcare providers have created positions for Privacy Officers, strictly to comply with HIPAA. Some of those same organizations don’t even have a full time Information Security Officer. The three major concerns of information security are the confidentiality, integrity, and availability of information. Privacy is a part of confidentiality. The most critical security concern of health care organizations is the integrity and availability of information, rather than the privacy. Doctors and nurses require accurate information at all times to provide adequate care for patients.
By deploying disproportionate resources to protect privacy as opposed to the other security concerns, we are ineffectively managing resources.
2. Basing Security on the Systems Rather than the Critical Information – This mistake is one that I made initially when managing my security program. I developed policies but was ineffective at educating users. I spent a lot of money on protecting my systems.