It’s Time For Healthcare Information Security to Grow Up

Before the implementation of the HIPAA Security Rule, what passed for security in most healthcare organizations was some network monitoring and anti-virus, a smattering of policies and procedures, and the general admonishment to users not to share their passwords. Bemoaned as it was when enacted, HIPAA rightfully compelled every healthcare organization in the U.S. to put a formal collection of people, processes, and technology in place to meet the regulatory requirements. Next, HITECH and a variety of state laws came into play in an attempt to further strengthen healthcare organizations' security postures.

There is no doubt that healthcare information security has come a long way on its journey to protecting the confidentiality, integrity, and accessibility of protected data. Some healthcare organizations have implemented standard cross-industry frameworks such as NIST or ISO, or rely on healthcare-focused certifications such as HITRUST to guide their information security programs. Many organizations leverage annual risk assessments, required by regulation as well as by some certification processes, to identify and tackle the items deemed most acute. Then, just as progress is being made, a ransomware attack, external audit, or breach occurs and all resources are suddenly pulled to focus on immediate response activities. Rinse and repeat: after just a few such cycles, organizations remain more reactive than proactive sixteen years after the Security Rule's initial implementation.

Maturing Healthcare's Information Security

Healthcare organizations have invested a great deal of time, effort, and money in implementing core systems, developing and expanding service offerings, and crafting enterprise or IT strategic plans in order to meet evolving business objectives. While information security often plays a part in the organization's overall IT strategic plan, the intangible nature of its benefits means information security rarely has a concrete, well-defined roadmap to reach a mature future state. Information security teams are too often resource-constrained and hampered by segmented operational workflows, leaving them able to do little more than put out fires. As such, teams struggle to stay on top of persistent threats or to be truly flexible and agile in protecting their environments. Organizations wishing to embrace maturity modeling as a mechanism to systematically improve their security postures are not likely to find tools that fit their needs, because historically available offerings tend to have one or more of these common shortcomings:

  1. They evolved from software capability models and, while re-labeled, do not really measure against the true definition of "maturity".
  2. They do not embrace the unique culture of healthcare.
  3. They do not assess information security at an enterprise level or across multiple dimensions.
  4. They are difficult to articulate and visually depict.

To be effective, information security teams need to understand more than just "high, moderate, low risk" ratings and/or graded assessments; they also need to understand "how well we do the things we need to do". Knowing "how well we do the things we need to do" begins with assessing the organization's maturity at an enterprise level. Equally important is measuring that maturity level against a standard framework such as NIST, ISO, or HITRUST, so that the "anchor" does not move over time. Once a baseline is established, leadership can better identify critical areas for improvement, determine how mature they want to be in the months and years to come, and allocate resources or funding accordingly. Our Cybersecurity Maturity Model for Healthcare (CMM4H) is a true maturity model based on industry standards, with multi-dimensional evaluation and clear visual representation of outcomes and direction. CMM4H allows healthcare organizations to assess and improve cybersecurity maturity across the enterprise, evolve from reactive to proactive work efforts, align with current federal regulatory requirements as well as industry-developed controls, and develop the agility to proactively prepare for new and upcoming regulations.

Final Thoughts

Implementing a healthcare-focused and holistic cybersecurity maturity model is key to evolving from reactive to proactive work efforts and will provide a mechanism to continuously improve an organization’s information security posture. The Healthlink Advisors CMM4H offering enables healthcare organizations to build flexibility, agility, and efficiencies into their strategic plans and roadmaps.