Editor's note: The following blog was authored by Navneeta Rathor; Dr. Mansur Hasib has reviewed and approved the content. Navneeta is currently pursuing a Master's degree in Cybersecurity at UMBC. During her study of cybersecurity leadership and risk management under the guidance of Dr. Hasib, Navneeta analyzed several major organizations and their breaches and wrote recommendations. She has extensive experience working in healthcare and was a practicing physician in India.
This blog complements the February 27, 2018 webinar, “The Need for Dynamic Compliance in Healthcare”, featuring 2017 Cybersecurity People’s Choice Award and 2017 Information Governance Expert of the Year Award winner, Dr. Mansur Hasib.
Healthcare organizations will continue to be at high risk for cyberattacks and intrusions because medical records command a higher payout on the black market than most other stolen data. Earlier this year, the Health Care Industry Cybersecurity Task Force pointed out that, despite the increase in both the number and severity of cybersecurity threats, healthcare organizations were generally under-prepared to meet their information governance challenges. Many healthcare organizations are not adequately prepared to combat even basic types of cyber-threats, let alone the more sophisticated attacks that are cropping up. So, what needs to change?
Cultural & Technical Misalignment: Why Healthcare Security Practices Lag
Healthcare security has been hampered by constrained spending, pervasive use of legacy devices that were not designed to resist or recognize modern cyber-attacks, a lack of understanding of the cybersecurity risks, as well as limited education and awareness training for healthcare workers.
At too many healthcare organizations, fundamental security controls are absent or immature. For instance, lack of adequate privileged access controls played a key role in the Anthem breach of 80 million records. Enforcing least privilege access is a cornerstone security concept. Healthcare organizations should implement privilege management controls to restrict user access to only necessary and approved functions.
Understandably, most healthcare providers spend the majority of their financial and personnel resources delivering the best care possible to as many patients as possible. Oftentimes, this spending crowds out potential investments in risk management that would support their mission and, ultimately, provide better patient care and data protection. Consequently, the impact of cybersecurity threats on the healthcare sector continues to be severe.
Balancing Openness & Collaboration with Best-Practice Security
To respond to critical care issues quickly while maintaining a seamless workflow, healthcare personnel may leave workstations unlocked and unattended. While leaving workstations unlocked improves the speed with which a provider can access the patient’s information and identify potentially lifesaving allergies or drug interactions, these practices could lead to the loss, unauthorized access, or alteration of patient data.
Therefore, such cultures are at odds with the requirements of security and privacy. Speed and expediency of access to the information needed to provide patient care must be balanced against the safety and security of patient protected health information (PHI) and the systems supporting patient care. Electronic health records (EHRs) make it entirely too easy to access and pilfer this sensitive data.
Treating Cybersecurity as a Key Pillar for Better Healthcare Delivery
The idea that appropriate cybersecurity practices are a central component of a digital strategy critical to the organizational mission has yet to be fully embraced across healthcare. Members of the healthcare industry report that, unless they have experienced a security incident such as a data breach, organizations struggle to grasp the basics of cybersecurity protections, let alone advance a proactive and continuous risk mitigation strategy that will actually save money and shield against reputational damage in the long term. Such a transformation in organizational culture will require increased backing from executive leadership, as well as changes in the way providers perform their duties in clinical environments.
When we examine the major breaches in healthcare, such as MedStar and Anthem, we find governance failures and a lack of CEO and CIO engagement with regard to data protection and security. We also see that these organizations lacked a culture of proper cybersecurity hygiene throughout all layers. Dr. Craig DeAtley, the director of emergency preparedness at MedStar, said that one should be prepared for such kinds of attacks and that they knew it was coming. Yet MedStar proved ill-prepared. MedStar practiced an open and collaborative culture because the organization felt such a culture supported its primary mission, but, as a consequence, proper security controls suffered.
An effective, and necessary, strategy to boost cybersecurity posture at healthcare organizations is for CEOs (and others in executive leadership) to understand and own that cybersecurity risks are business risks. Ultimately, the path to better healthcare cybersecurity is neither mysterious nor overly complicated—it requires an embrace of cybersecurity and information governance as an enabler to embed best practices throughout the organization.
Need to evolve your cybersecurity practices to improve security and compliance, while supporting better healthcare delivery and innovation? Tune in to this webinar, featuring 2017 Cybersecurity People’s Choice Award and 2017 Information Governance Expert of the Year Award winner, Dr. Mansur Hasib. Also get key insights into what complying with healthcare regulations will mean to your privileged access management, insider threat monitoring, and vulnerability management programs.
Dr. Mansur Hasib
Dr. Mansur Hasib aka #DrCybersecurity has established a global personal brand as a cybersecurity leader, business executive, professor, author, and public speaker with more than 30 years of experience in Healthcare, Biotechnology, Education, and Energy.
He served as Chief Information Officer for 12 years for the Baltimore City Health Department and within the University System of Maryland.
Between 2016 and 2019, his academic leadership and branding strategy at a major public university tripled the size of the academic program from 1,500 students to 4,800 students globally and grew it from $30 million in annual revenue to $117 million in annual revenue. His program won back-to-back awards as the Best Cybersecurity Higher Education Program in the USA in 2018 and 2019 from SC Awards. His students won back-to-back Rising Star of the Year Awards from (ISC)2 in 2019 and 2020.
Dr. Hasib explained cybersecurity leadership in his widely acclaimed book Cybersecurity Leadership, which is listed among the best cybersecurity books of all time by Book Authority. Dr. Hasib believes that every person has unique gifts to share with the world. Thus his academic programs focus on the individual and include business strategy and risk, writing, speaking, and personal branding elements.
The key to success in any field is to find your gifts, refine them, and monetize them to create multiple streams of income. He discovered the power of his own personal brand when he won the global 2017 People’s Choice Award in Cybersecurity competing against 19 companies and 3 individuals. He repeated this feat in 2020. His personal branding methodology and the stories of several students are shared in his recent book Bring Inner Greatness Out: Personal Brand.
Dr. Hasib has been quoted, interviewed, and cited in countless media all over the world. His books have been sold in the USA, Canada, Mexico, India, Australia, United Kingdom, Japan, Kuwait, Middle East, Algeria, Brazil, Kenya, Ghana, Nigeria, New Zealand, Germany, Philippines, Singapore, France, Italy, Bangladesh, Cyprus, South Africa, Bahrain, Bahamas, Switzerland, Sweden, Hungary, Pakistan, Malaysia, Trinidad and Tobago, Spain, and various other parts of the world.
Dr. Hasib enjoys table tennis, comedy, and travel and has been to all 50 states of the USA. Follow him on Twitter @mhasib or LinkedIn: www.linkedin.com/in/mansurhasib.
To access more content, subscribe for free to his YouTube Channel with over 100 educational videos: https://www.youtube.com/channe...
To contact Dr. Hasib, visit: https://www.cybersecurityleadership.com.