Cybersecurity and Privacy

The Case for a Cybersecurity Framework

Patient information is kept safe thanks to a cybersecurity framework

The HIMSS Global Health Conference doesn’t end when the convention center doors close. Attendees leave with knowledge from educational sessions, speakers and networking that can be applied to the real world, creating an ongoing, year-round experience. HIMSS asked attendees to share the personal and professional successes that stemmed from attending the conference, from challenges faced to changes made. Read on to learn about the value of attending the HIMSS Global Health Conference from the unique perspective of our members and partners.

The Need for a Cybersecurity Framework

It should come as no surprise that healthcare has seen a sharp rise in cyberattacks over the past few years. Criminals launch phishing campaigns to steal information and credentials, spread malware, and lock computers and data in exchange for ransom. Attack tools and botnets are readily available for anyone to rent, so perpetrating an attack requires very little skill or infrastructure.

In addition to external threats, healthcare organizations face many other threats that can be damaging to patient safety, the business and the information they are responsible for protecting. Disgruntled employees, overly curious staff, negligent vendors and hardware failures can pose as much of a risk as a determined cybercriminal.

Protecting assets against these different threats becomes a tall order for any organization. They must not only implement safeguards and controls to reduce risks and mitigate the impact of a breach, but also prepare in advance to respond and recover efficiently when a breach does occur.

Listen to Alvarez and Sean Murphy, vice president and chief information security officer at Premera Blue Cross, talk with the Code Red podcast about protecting your patients and organization with a framework.

Growing Pains

So, what can healthcare organizations do to enhance their cybersecurity posture? Where can they find reliable, proven and universal guidance to secure their data and IT systems? How do they address security in new and emerging technologies? These were some of the questions we asked ourselves within my organization. As a young pain management practice, we developed internally and over time, a set of policies, procedures and controls that kept our data and network safe. Nevertheless, as we grew and matured, as we incorporated new technologies and complex systems into our network, and as our providers required new and better ways to access information and deliver care, we found ourselves more often searching for answers to these questions.

Enter the Cybersecurity Framework

We knew that these frameworks were instruments used to guide information security programs in large organizations. They offer processes, standards and methodologies to improve cyber defenses, and are often the product of a consensus-driven collaborative effort by large communities of experts in a variety of fields and industries.

At first glance, these frameworks appeared intimidating: a vast collection of processes, diagrams and documents, so broad and comprehensive that we could hardly imagine implementing them in a small practice like ours.

However, as we looked closer and learned more about the different alternatives, we found that some frameworks possessed characteristics and offered certain benefits that would make them a good fit for our organization. As we dove deeper into our research, we realized that adopting a cybersecurity framework was feasible, and not a far-fetched idea as we initially thought.

Building the Case

The initiative to adopt a framework would have to be planned as a multi-year program, broken into phases so that we could learn and adapt as we moved from one phase to the next. We also wanted to gauge our progress at short intervals, using the results of the previous phase to encourage and motivate our team into the next one.

RELATED: Practical Guidance for Adopting a Cybersecurity Framework

The framework we were to select would have to be modular and flexible, allowing us to choose which parts and in which order to implement them. It would have to be easy to understand, since people from different backgrounds would be assisting and participating in the process. The framework would have to be easily scalable, which in our case meant scaling down to an organization of our size.

We already had a number of effective policies and safeguards in place, so our ideal framework should allow us to incorporate these into our program. Finally, we wanted a framework with the lowest cost of entry and with documentation and supporting material freely available, avoiding a budget request and making buy-in from management easier.

As of This Writing…

After a careful, thoughtful and well-informed analysis of our options, we selected the framework that best met our requirements and offered the benefits we were looking for. We are today in the very first phase of adoption and pleased with the wealth of information and supporting documentation we have found through the different organizations that support and endorse our framework. We are encouraged by the progress we are making and look forward to the upcoming phases.

The views and opinions expressed in this blog or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.

Healthcare Cybersecurity Community

Learn from experts and peers in the healthcare sector, exchange ideas and make a proactive step to improve your organization’s security posture by joining our Healthcare Cybersecurity Community.

Get Involved

Originally published September 18, 2018; updated August 1, 2019