The Case for a Cybersecurity Framework


The HIMSS Global Conference & Exhibition doesn’t end when the convention center doors close. Attendees leave with knowledge from educational sessions, speakers and networking that can be applied to the real world, creating an ongoing, year-round experience. HIMSS asked attendees to share the personal and professional successes that stemmed from attending conference – from challenges faced to changes made. Read on to learn about the value of attending HIMSS19 from the unique perspective of our members and partners.

Challenges in Cybersecurity

It should come as no surprise that healthcare has seen a sharp rise in cyberattacks over the past few years. Criminals launch phishing campaigns to steal information and credentials, spread malware, and lock computers and data in exchange for ransom. Software tools and botnets are becoming readily available for anyone to rent and perpetrate attacks, requiring very little skill or infrastructure to cause havoc.

In addition to external threats, healthcare organizations face many other threats that can be damaging to patient safety, the business and the information they are responsible for protecting. Disgruntled employees, overly curious staff, negligent vendors and hardware failures can pose as much of a risk as a determined cybercriminal.

Protecting assets against these different threats becomes a tall order for any organization. They must not only implement safeguards and controls to reduce risks and mitigate the impact of a breach, but also prepare in advance to respond and recover efficiently when a breach does occur.

Listen to Bayardo Alvarez, director of information technology at Boston PainCare Center, and Sean Murphy, vice president and CISO at Premera Blue Cross, talk with the Code Red podcast about protecting your patients and organization with a cybersecurity framework.

Growing Pains

So, what can healthcare organizations do to enhance their cybersecurity posture? Where can they find reliable, proven and universal guidance to secure their data and IT systems? How do they address security in new and emerging technologies? These were some of the questions we asked ourselves at Boston PainCare Center. As a young pain management practice, we developed internally and over time a set of policies, procedures and controls that kept our data and network safe. Nevertheless, as we grew and matured, as we incorporated new technologies and complex systems into our network, and as our providers required new and better ways to access information and deliver care, we found ourselves more often searching for answers to these questions.

Enter the Framework

We knew that cybersecurity frameworks were instruments used to guide information security programs in large organizations. They offer processes, standards and methodologies to improve cyber defenses, and are often the product of a consensus-driven collaborative effort by large communities of experts in a variety of fields and industries.

At first glance, these frameworks appeared intimidating: a vast collection of processes, diagrams and documents, so broad and comprehensive that we could hardly imagine implementing them in a small practice like ours.

However, as we looked closer and learned more about the different alternatives, we found that some frameworks possessed characteristics and offered certain benefits that would make them a good fit for our organization. As we dove deeper into our research, we realized that adopting a cybersecurity framework was feasible, and not a far-fetched idea as we initially thought.

Building the Case

The initiative to adopt a cybersecurity framework would have to be planned as a multi-year program, broken into various phases so that we could learn and adapt as we moved along from one phase to the next. We also wanted to gauge our progress in small periods of time, using the results of the previous phase to encourage and motivate our team into the next one.

The framework we were to select would have to be modular and flexible, allowing us to choose which parts and in which order to implement them. It would have to be easy to understand, since people from different backgrounds would be assisting and participating in the process. The framework would have to be easily scalable, which in our case meant scaling down to an organization of our size.

We already had a number of effective policies and safeguards in place, so our ideal framework should allow us to incorporate these into our program. Finally, we wanted a framework with the lowest cost of entry and with documentation and supporting material freely available, so that we could avoid the process of procuring a budget and score an easier buy-in with management.

The Value of HIMSS and HIMSS Conferences

HIMSS has been an invaluable resource for my job, and key in helping expand my knowledge and professional network in healthcare. A member since 2014, I have had the opportunity to attend the last two HIMSS global conferences. It was through a number of cybersecurity-themed sessions at HIMSS17 in Orlando that I started to learn in more depth about the potential and feasibility of cybersecurity frameworks for our organization. HIMSS18 in Las Vegas was instrumental in reaffirming my vision for this initiative and in helping me decide which framework to adopt.

As of This Writing …

After a careful, thoughtful and well-informed analysis of our options, we selected a framework that best met our requirements and offered the benefits we were looking for. We are today in the very first phase of adoption and pleased with the wealth of information and supporting documentation we have found through different organizations that support and endorse our framework. We are encouraged by the progress we are making, and we are excited about the upcoming phases.

The views and opinions expressed in this blog or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.

