best practices that go above and beyond protecting the privacy of confi- dential patient data. Protection of protected health information, per HIPAA mandates, remains important, but instating rules and policies that ensure organizations invest in tools and best practices that maintain the continuity of care-critical tools and applications is long overdue.
The impact WannaCry had on 16 U.K. hospitals is a wake-up call and highlights the ubiquity of cyber threats and their impact on deliv- ering care. These threats are real and constantly evolving. Lives depend on organizations taking a deeper look at how they can ensure care continuity with comprehensive security policies and procedures.
We can look to the financial services industry as an example of a field that has strict data privacy requirements in place, especially the requirement of a response plan. The Federal Deposit Insurance Corpo- ration, for example, requires secure logins with government-issued IDs to access its computers, as well as a third-party end-to-end assess- ment of security and privacy protocols.
Cyber threats are constantly evolving and becoming more sophisti- cated, so having an institutionalized response plan is critical in the event that a breach that they are not proactively prepared for takes systems down.
SCRUTINIZE DEVICE SECURITY AT THE FDA LEVEL.
To deter cyberterrorism, the U.S. Food and Drug Administration needs to hire highly skilled security personnel and instate strict rules and regu- lations on devices to ensure that security protocols are in place.
Just as the FDA requires drug trials before approving prescription and over-the-counter medications for use, it should also take measures to confirm that devices released to the market are secure and that man- ufacturers have invested in certain best practices and upgrades. This type of policy is needed to prevent breaches such as the Johnson & Johnson insulin monitor hack from occurring in the future and ensure the continued safety of patients relying on care-critical devices and connected applications.
Fortunately, legislators at the federal level have taken note and are now taking action. In July, a bipartisan group of senators announced plans to introduce a bill that would help shore up defenses against vul-
Ad Index
nerabilities posed by IoT devices. This legislation would require ven- dors to ensure that all connected equipment they provide to the govern- ment conforms to new security standards with patchable products.
The bill includes new policies that aim to address the market’s fail- ure to incentivize manufacturers to focus on stronger security features in new product designs. It will provide ongoing recommendations to improve the security of federal networks.
INCENTIVIZE COMPLIANCE.
Compliance requirements and financial incentives are necessary for healthcare systems to adopt and implement adequate security parame- ters. Otherwise, budget-constrained healthcare providers will often choose to invest in a revenue-generating, care-providing system, like an MRI machine, rather than a seemingly preparatory IT security initiative.
Incentives can combat this behavior by appealing to the natural human (and business) urge to prioritize investments offering tangible returns. Facilities that have never experienced the effects of a breach will find it even more difficult to invest in security without proper incentives.
Currently, there is too much focus on the compliance side of the house. Healthcare organizations need to consider care continuity for digital tools as well as the need for IT security systems to disclose cer- tain breach types—not just whether data has been compromised, but whether systems have been.
With the rise in threats and the increased exposure healthcare facil- ities face, these types of investments need to be mandated and enforced. If they’re not, healthcare organizations and hospital systems that are reluctant to allocate budget toward bolstering and upgrading their defenses will find themselves in the same
predicament in which the WannaCry attack
placed the NHS earlier this year.
Karin Ratchinsky is the director of healthcare strategy at Level 3 Communications. She is an author, speaker and contributor to the health IT community.
Advertiser........................................... Circle # ...........Page ......... URL
Napco Security...................................................................708..............................CS2 ....................www.napcosecurity.com
Garrett Metal Detectors. .....................................................706..............................CS3 ....................www.garrett.com
Salient Systems. ................................................................710..............................CS5 ....................www.salientsys.com
Security Today Academy. ....................................................717..............................CS6 ....................www.securitytodayacademy.com Avigilon Corp......................................................................704..............................CS7 ....................www.avigilon.com
Designed Security Inc.........................................................705..............................CS9 ....................www.dsigo.com Talkaphone. .......................................................................701..............................CS11 ..................www.talkaphone.com
NVT Phybridge....................................................................709..............................CS13 ..................www.nvtphybridge.com ASSA ABLOY. ......................................................................707..............................CS15 ..................www.assaabloy.com
Open Options. ....................................................................714..............................CS17 ..................www.ooaccess.com Minuteman UPS..................................................................712..............................CS19 ..................www.minutemanups.com ASSA ABLOY/Adams Rite. ...................................................713..............................CS21 ..................www.adamsrite.com
ASSA ABLOY/HES. ..............................................................718..............................CS23 ..................www.hesinnovations.com Security Today....................................................................715..............................CS24 ..................www.securitytoday.com IDP Americas Inc.. ..............................................................703..............................CS25 ..................www.idp-corp.com
ASSA ABLOY/Securitron......................................................719..............................CS29 ..................www.securitron.com
ASSA ABLOY/Alarm Controls. ..............................................720..............................CS31 ..................www.alarmcontrols.com Viking Electronics...............................................................711..............................CS35 ..................www.vikingelectronics.com DSX Access Systems..........................................................702..............................CS36 ..................www.dsxinc.com
CS34 WWW.CAMPUSLIFESECURITY.COM | NOVEMBER 2017 A SPECIAL SECTION TO SECURITY TODAY AND THE JOURNAL
CAMPUS SECURITY & LIFE SAFETY