Theft of devices having patient data remains a major security threat in healthcare

How do you think introduction of automation processes are changing the security scenario of health care industry?

Healthcare industry is going through a major transformational phase with more and more automation being introduced for better patient satisfaction, operational efficiency and clinical excellence.  With growing technology deployment and automation, there are major challenges in terms of increased information security risks which can pose a serious threat to the business if left unattended. Physical theft and loss of laptops and other devices containing patient information is by far the most significant security threat to the healthcare industry.

What are the top three reasons of security breaches in the healthcare industry?

The top three cause will be theft or loss of data, information misuse by employees and unintentional action by an individual.

Theft or loss of data is a major risk, especially with the use of mobile devices having access to patient information. Today, more and more healthcare providers are deploying mobile technologies like iPad, Android tablets, smartphones and others, this is a major cause of data theft or loss.  Technologies like encryption can be used to mitigate the risks in addition to MDM, locking down of certain devices and so on.

Then comes information misuse by employees. Protecting information from outside attacks is easier compared to misuse of information by internal employees. There had been multiple research on such security breaches and it was observed that insider misuse or malicious use of organizational resources was the second most important cause of security incidents in the healthcare industry.

Another challenge is unintentional actions leading to compromised information. This is the third important cause of security concerns in the healthcare industry.  This type of data breach occurs in many ways like hospitals giving wrong patient information, patient information being available to public due to an inadequate control on the hospital’s website, change of patient information due to software issues (software bugs for instance), writing off and decommissioning computer systems without a properly defined process to remove data before decommissioning.

When it comes to security, how significant is the role of a CIO or CISO as an ombudsman between IT and business?

Security is no more an IT problem but it is a business challenge.  To be more specific, every business needs to protect its information assets with right technologies. It is the responsibility of the CIO or a CISO to educate the business on the risks associated in the absence of an effective Information security framework and the right skills to manage the same on an ongoing basis. 

Security solutions that are needed to be deployed must get discussed in the context of privacy laws, customer expectations, IT Act, regulatory compliances for the given business. CIOs or CISOs should avoid talking technical jargon as it will certainly make things difficult for business to understand and appreciate the associated investments on IT Security.

Today, every business is very sensitive to their information and there is a readiness to invest in adequate security solutions provided the CIO or the CISO present the investment in right perspective keeping in mind the nature of the business.  

What do you think works better for the health care industry, a best of breed security solution or an end-to-end solution?

To the extent possible it should be end-to-end solution since it becomes easy to manage an integrated solution though a single vendor. However, best of the breed solutions are preferred for core components in case there is no end-to-end solution available from the reputed solution providers. In either case, selection of the solution must be done very scientifically and through a well-defined process of evaluation, PoC and others.

As security issues gradually start demanding full time attention, do you think that it is time to hand over security completely to a CSO?

I fully agree that the security needs a serious attention and it’s not a onetime initiative.  It’s an ongoing process to continuously assess security situations and keep taking corrective and preventive measures so as to remain up-to-date. Therefore, it’s quite obvious that the security domain should be handled by a full time CSO (more particularly for mid and large organizations) since CSO has now become a very strategic role in an organization and he or she is an important part of an organization’s security strategy.