Security: 'What Are We Missing?'

Experts Identify Most Overlooked Security Steps

Healthcare organizations need to make sure they don't overlook free resources they can use when conducting a risk assessment. They also need to avoid overlooking a number of important security measures, according to speakers at a Feb. 20 workshop at the Healthcare Information and Management Systems Society Conference in Las Vegas.


HIMSS recently produced a free risk assessment toolkit, says Lisa Gallagher, senior director of privacy and security at HIMSS.

Also, the National Institute of Standards and Technology offers Special Publication 800-30, Risk Management Guide for Information Technology Systems, which provides useful insights, says Tom Walsh, president of Tom Walsh Consulting. NIST has also released a draft of an updated version, SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.

Other Security Tips

Other often-overlooked security measures discussed at the workshop include:

  • Organizations must go beyond a risk assessment and complete a business impact analysis, says Terrell Herzig, data security officer at UAB Health System. "Risk assessments assess the likelihood of a given threat and not its direct impact on business operations," he says. "Without a business impact analysis, an organization runs the risk of underestimating the resources required to respond to an event," such as a natural disaster, he adds.
  • Risk management must include a mobile security policy. "Too many organizations are deploying mobile devices before they have policies in place for dealing with them," Gallagher says. If more organizations had policies in place limiting data stored on the devices and requiring encryption, the number of breaches "would come down significantly," she says.
  • System administrator passwords should be changed just as often as user passwords, Walsh stresses. Too often administrator passwords are changed only when someone leaves, he adds.
  • Organizations must have a procedure in place to make it easy for staff members to contact security staff to request that unused hard drives, CDs and other storage media be promptly destroyed, Herzig says.



About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



