IT security models have evolved

BOSTON—The very first IT directors hired in healthcare worked in the finance, accounting or human resources. That history of CIOs reporting to CFOs makes the relationship cost-driven instead of strategy-driven, said Mansur Hasib, CISSP, PMP, CPHIMS, author and professor in the University System of Maryland, speaking at the 2015 Privacy and Security Forum.

Half of U.S. healthcare is still run by CFOs, Hasib said. “Who is driving the strategy at that point?”

In March 2013, Hasib’s doctoral study survey revealed that one-third of healthcare organizations had no CISO and one-fifth of those had no plans to hire one any time soon.

Hasib listed the top healthcare data breaches: Anthem at 78.8 million affected; Premier Blue Cross Blue Shield with 11 million affected; Community Health Systems with 4.5 million affected; Xerox State Healthcare with 2 million affected; and the Montana Health Department with 1.1 million affected.

An analysis of those breaches found a lack of cybersecurity culture including lack of leadership, lack of CEO accountability, failure to understand mission success, improper analysis of risk and CEOs viewing problems as a technology issue. In the face of a breach, most healthcare organization blame and fire CIOs and CISOs.

Hasib said the importance of the role people play in cybersecurity was realized relatively recently. Models established in the early 1990s did not include people but many organizations are still using an early model for their cybersecurity planning. Even once models factored in people, there were problems. Awareness training by itself doesn’t do anything, he said. “We need to engage people and focus training on their job role. Cybersecurity to doctor means nothing but if you focus on the safety of data in their job role, they will get it.”

Hasib said when he is teaching he uses the term data safety because clinicians can relate to patient safety.

He also said organizations must remember that cybersecurity is not a state. “You have to have continuous improvement.” To determine how best to use its resources, an organization must consider its mission because “your entire strategy has to fulfill that mission.”

The determinants of innovation and productivity, Hasib said, are knowledge, attitude, skill and habit. Attitude and habit have the highest impact. “Happy people learn more.”

Culture also is vital and has four elements: shared values, rituals, heroes and a social network guarding against deviations. “Data loss has to be zero so make it a key value.” 

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Around the web

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”