IT security models have evolved

BOSTON—The very first IT directors hired in healthcare worked in the finance, accounting or human resources. That history of CIOs reporting to CFOs makes the relationship cost-driven instead of strategy-driven, said Mansur Hasib, CISSP, PMP, CPHIMS, author and professor in the University System of Maryland, speaking at the 2015 Privacy and Security Forum.

Half of U.S. healthcare is still run by CFOs, Hasib said. “Who is driving the strategy at that point?”

In March 2013, Hasib’s doctoral study survey revealed that one-third of healthcare organizations had no CISO and one-fifth of those had no plans to hire one any time soon.

Hasib listed the top healthcare data breaches: Anthem at 78.8 million affected; Premier Blue Cross Blue Shield with 11 million affected; Community Health Systems with 4.5 million affected; Xerox State Healthcare with 2 million affected; and the Montana Health Department with 1.1 million affected.

An analysis of those breaches found a lack of cybersecurity culture including lack of leadership, lack of CEO accountability, failure to understand mission success, improper analysis of risk and CEOs viewing problems as a technology issue. In the face of a breach, most healthcare organization blame and fire CIOs and CISOs.

Hasib said the importance of the role people play in cybersecurity was realized relatively recently. Models established in the early 1990s did not include people but many organizations are still using an early model for their cybersecurity planning. Even once models factored in people, there were problems. Awareness training by itself doesn’t do anything, he said. “We need to engage people and focus training on their job role. Cybersecurity to doctor means nothing but if you focus on the safety of data in their job role, they will get it.”

Hasib said when he is teaching he uses the term data safety because clinicians can relate to patient safety.

He also said organizations must remember that cybersecurity is not a state. “You have to have continuous improvement.” To determine how best to use its resources, an organization must consider its mission because “your entire strategy has to fulfill that mission.”

The determinants of innovation and productivity, Hasib said, are knowledge, attitude, skill and habit. Attitude and habit have the highest impact. “Happy people learn more.”

Culture also is vital and has four elements: shared values, rituals, heroes and a social network guarding against deviations. “Data loss has to be zero so make it a key value.” 

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.