How Relationships Can Bolster SecurityCISOs, Others Discuss Why Partnerships Matter in Safeguarding Patient Data
Building better relationships between organizations' privacy and security teams and the workforce, as well as between covered entities and their business associates, is essential to improving patient data security. That was a key theme that emerged from sessions at last week's Healthcare Information Security Summit in San Francisco.
Jennings Aske, CISO at New York Presbyterian Hospital, told attendees during his end-of-day keynote that the CISO's job "is about being a facilitator. It's about people, relationships and dynamics. Explaining things with clarity. Security isn't an IT issue ... It's about relationships."
"Security isn't an IT issue ... It's about relationships."
For instance, rather than just telling clinicians "no," they can't do this or that - such as download software while on a research trip to China - it's important to explain why or offer an alternative, Aske says.
"No, but..." is better, he says. Security and privacy leaders are likely to still face pushback from end users. But it's important for clinicians and others to understand that such security measures are not only aimed at keeping patient data private, but also help protect the integrity of the information, ultimately helping keeping patients safe.
Relationship-building is also vital when it comes to the partnerships between covered entities and business associates. When manufacturer Cummins Engine set out to hire a vendor to provide a wellness program for its employees, the partnership between Cummins, the wellness vendor, and its subcontractors took a great deal effort - including everyone understanding their role in reducing, mitigating and managing data security and privacy risks, and ensuring HIPAA compliance. "It's about collaboration, relationship building," said Joseph Johnson, CISO of Premise Health, which provides onsite healthcare services to Cummins. His comments came during a panel I moderated about vendor management.
The time spent communicating about risk mitigation and other matters ultimately helped streamline processes, enabling the delivery of a sound wellness program to Cummins under a quick timeline, he told attendees.
Beyond building relationships and collaborating on security, healthcare organizations need to make sure they're taking advantage of all the appropriate technologies to enhance security, summit speakers pointed out.
For instance, too few healthcare organizations are requiring the use of two-factor authentication to access patient records, Aske says. In addition, mobile device management solutions that can help track how devices are being used can help enhance security, he said. "Priorities need to move beyond encryption."
And while hacker attacks are getting a lot of attention these days, reducing the threats associated with insiders - especially privileged users - also deserves attention, Aske says. "We don't audit our IT staffs. And they're a bigger risk than clinicians ... who look at one [patient] record at a time."
But because cyber-attacks will continue to be a growing problem, Dan Berger, CEO of the security consulting firm Redspin, stressed that security professionals need to ensure that senior executives and board members alike understand the risks and costs involved.
It's important for those who hold the purse strings to have a realistic view of what's really at stake when a mega breach occurs, including a tarnished reputation, he says.
If you missed attending our summit, keep your eye on our website and enewsletter, which will provide opportunities to access presentations from our event.