Topics
Reimbursement
Proposed inpatient payment rates 'woefully inadequate' AHA says
Proposed inpatient payment rates 'woefully inadequate' AHA says
Revenue Cycle Management
Enhancing preventive care with accessibility and technology
Enhancing preventive care with accessibility and technology
Strategic Planning
Intermountain Health spinoff Culmination Bio announces partnership 
Intermountain spinoff Culmination Bio announces partnership 
Capital Finance
Tech investment must bring value to care delivery
Tech investment must bring value to care delivery
Supply Chain
HIMSSCast: Embrace technology to replace the mundane tasks
HIMSSCast: Embrace technology to replace the mundane tasks
Accounting & Financial Management
Humana's 2025 earnings, pricing decisions and membership may take hit from MA rate notice
Humana's 2025 earnings, pricing decisions may take hit from MA rate notice
Budgeting
Insurers likely to pay $1.1 billion in rebates this fall
Insurers likely to pay $1.1 billion in rebates this fall
Quality and Safety
J.D. Power: Digital health insurance channels lack engagement
Study: Digital health insurance channels lacking
Billing and Collections
No Surprises Act implementation coincided with in-network claims growth
NSA implementation coincided with in-network claims growth
Claims Processing
UnitedHealth's 'band-aid' payment for Change disruption falls short, hospitals say
UnitedHealth's 'band-aid' payment falls short, hospitals say
Workforce
HIMSSCast: The need for home care continues
HIMSSCast: The need for home care continues
Operations
HHS seeks input from payers on Change cyberattack response
HHS seeks input from payers on Change cyberattack response
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Henry Ford, Michigan State research center to be built for $335 million
Henry Ford, MSU research center to be built for $335M
Compliance & Legal
MGMA wants Change to take responsibility for HIPAA breach notifications
MGMA wants Change to take responsibility for HIPAA breach notifications
Policy and Legislation
HIMSSCast: Revolutionizing the Medicare program 
HIMSSCast: Revolutionizing Medicare 
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
Moving beyond financial incentives to engage specialists in ACOs
Moving beyond financial incentives to engage specialists in ACOs
Acute Care
Acute Hospital Care at Home data released 
Acute Hospital Care at Home data released 
Ambulatory Care
U.S. trails other countries in primary care access
U.S. trails other countries in primary care access
Analytics
Children's Hospital Colorado creates analytics resource center
Children's Hospital Colorado creates analytics resource center
Business Intelligence
Racial disparities put further strain on primary care
Racial disparities further strain primary care
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
CMS overhauls meaningful use EHR program, renames it 'Promoting Interoperability'
CMS overhauls meaningful use as 'Promoting Interoperability'
Medicare & Medicaid
CMS releases rules on wait times and payment standards in Medicaid
CMS releases rules on wait times and payment standards in Medicaid
Patient Engagement
Commonwealth Fund creates employer-based health insurance task force
Commonwealth Fund creates health insurance task force
Pharmacy
Walgreens expands specialty pharmacy and investment in gene therapy
Walgreens expands specialty pharmacy and investment in gene therapy
Population Health
CDC warns clinicians to look out for bird flu cases
CDC warns clinicians to look out for bird flu cases
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth equity key to addressing digital gaps
Telehealth equity key to addressing digital gaps
Mergers & Acquisitions
Novant Health and CHS counter FTC bid to block hospital deal
Novant Health and CHS counter FTC bid to block hospital deal
View more
Oct 22, 2018 More on Strategic Planning

Can't afford a security chief? Here are the alternatives

Hospitals and medical groups with limited security resources still have leadership options in managed care providers and virtual CISOs.

Susan Morse, Executive Editor

Particularly for smaller hospitals and medical groups, hiring a full-time chief information security officer can be a stretch of the budget and resources. But patient data must still be protected because smaller organizations face many of the same risks larger systems do.

So cybersecurity responsibility often falls to the CIO, the IT director, or, even to a certain extent, the hospital's EHR vendor, none of which are traditionally aligned with a cyber role. 

"All hospitals need to have an individual or entity that provides the position," said Norma Krayem, senior policy advisor for Holland & Knight and chair of the Global Cybersecurity and Privacy Policy and Regulation Team. "The risk is so critical, that hospitals can't afford not to have someone doing this job."

That reality is giving rise to two alternatives: tapping the expertise of a virtual CISO or outsourcing cybersecurity to a managed provider.

Baseline: Best effort

For organizations lacking cybersecurity resources, it can come down to "best effort security management," said Fernando Martinez, who has been a CISO, but for the last 25 years has primarily served as a chief information officer for large hospitals. He is the chief digital officer for the Texas Hospital Association and president and CEO of the Texas Hospital Association Foundation.

"What I've seen in smaller organizations is, you have a couple of people," Martinez said. "They may know a lot about it, but analysis and response becomes a best effort in following up a security ticket or an alert and dealing with firefighting in order of severity."

The big risk? Every vulnerability or weakness that isn't at the top of the severity list basically leaves data open to threats. 

Managed cybersecurity service contract considerations

Hospitals can bundle a scope of responsibilities into a managed contract. The company manages the network, alerts and health tickets. It can do vulnerability scans and take on the day-to-day infosec responsibilities.

Some security services providers have evolved into security operation centers serving multiple customers. Hiring a company to conduct real time network monitoring is more expensive, Martinez said. Risk tolerance dictates how much security service they buy.

To ensure data centers have controls certified, contracts need to include these agreements, attest to federal programs, perform annual risk assessments, said Chuck Christian, vice president of technology and engagement for the Indiana Health Information Exchange.

"There's a lot to keep up with," Christian said. "There are certifications, inherent overhead cost, training and education."

Martinez added that often local people have enough expertise to succeed: "You don't necessarily have to hire a big-five consulting firm."

Virtual CISO considerations

In a shared CISO situation, one security consultant can have four or five clients. A consultant may be on retainer, for example, ready when they are needed, said Lee Kim, HIMSS director of privacy and security.

Hiring a virtual CISO (vCISO) is increasingly becoming a viable alternative to bringing on a full-time executive, according to Mac McMillan, CynergisTek CEO and president.

Why? Because most organizations providing vCISO support will supply an individual who not only is experienced and has the right certifications, but is more than likely managing multiple organizations simultaneously. As such, they bring a wealth of knowledge and peer experience that organic CISOs are hard-pressed to match.

Drawbacks include that it can them take longer to get up to speed on the nuances of a particular organization and, because they are managing multiple clients, may not be immediately available to everyone in the case of an emergent issue. 

vCISOs work in every environment from a small ambulatory setting, to a large health system. They can fill many different roles from full- on CISO to CISO advisor, to mentor to an organizational staff CISO reporting to a more senior CISO. 

Conduct a risk analysis first 

A risk analysis is always the first step, no matter the option a healthcare organization pursues or, even better, prior to making a decision.

That means understanding what goes into the process, as "very few do a correct risk analysis," Martinez said. 

A risk analysis is not the same as a gap or technical analysis, as mandated by HIPAA or the Office of Civil Rights.

Hospitals tend to implement security solutions based on what they see as gaps in technical response. In fact, most are in a hurry to implement security solutions, Martinez said, and advised against letting that approach create a false sense of security. 

Instead, a true risk analysis starts with doing a complete inventory of where data is stored and where data assets are located. Then the risk should be stratified as to likelihood of an incident happening. After that, what's needed is a recurring and active, closed loop process that maintains it, Martinez said.

A comprehensive risk analysis can be done in-house, or an outside expert can be brought in.

"That's more management discipline than investment in technology," Martinez said.

David Finn, executive vice president of strategic innovation at CynergisTek, agreed that it's better to understand the problem and figure out the best way to fix it than to simply go shopping for a new IT tool. 

"I firmly believe that the biggest weakness our hospitals have is that they don't know what they don't know," Martinez said. 

Cloud gaining traction for security

While hospitals have long been concerned about putting sensitive protected health information and medical data in the cloud, more and more are beginning to understand that big cloud vendors can frequently secure data better than hospitals can. 

Yes, there are risks and business associate agreements to be ironed out, but cloud providers also hire top security talent and have massive resources to protect data. No strategic conversation about hiring a virtual CISO or outsourcing security to a third-party is complete without understanding what's happening in the cloud and what security services are coming in the near future.  

"We are seeing some very impressive tools for cloud-security and even cloud-based security for on-premise systems. As we move more to the cloud protecting data our users' identities becomes more critical," Finn said. "Look for more solutions related to data loss prevention in the cloud, Cloud Access Security Brokers, email and even anti-malware." 

"More importantly, look for these tools to communicate with each and share information that enhances security for everyone," he added.

What hospitals ultimately decide will depend on the size of the organization, budget and internal expertise -- because risk in general is something that cannot be managed to zero.

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @SusanJMorse
Email the writer: susan.morse@himssmedia.com

News
Ending racism in healthcare often begins with medical education - and is the target of a new national project Ending racism in healthcare often begins with medical education - and is the target of a new national project Inequities can be found in every facet of the industry, but targeting medical students and residents can help stem the tide.