Establishing a strong information security program

Data breaches—sometimes even at large organizations with security measures in place—have become increasingly common. The simple fact is that no one is immune.

Long-term care organizations have a special responsibility to protect patient and resident information. That’s why it’s vital to establish a robust information security program no matter the size of your organization.

The importance of a robust security program

The primary reason for establishing a strong information security program is that it is a basic requirement for operating in today’s healthcare industry, said Todd Friedman, chief information security officer at ResMed. “Healthcare is heavily regulated, so we already have a lot of controls in place. But because patient safety is involved, that takes it to a whole new level of importance.” Friedman also noted that companies operating internationally need to be aware of the EU’s General Data Protection Regulation and other laws that apply outside of the U.S. “I don’t think it’s ever been more important to have a solid infosec program, especially in healthcare,” he said.

Building blocks of a great program

Brian Tolkkinen, director of information security at MatrixCare, said that establishing a sound governance structure is a good first step. “A security program must have top-down sponsorship and oversight, beginning with the board of directors and senior management,” said Tolkkinen. Leadership should conduct regular risk assessments to identify risks—such as a pandemic or natural disaster- that can prevent reaching business objectives.

Additional facets of governance include establishing a compliance program and arranging independent audits to verify the effectiveness of safeguards that have been put in place.

The next step in developing an info sec program is vulnerability management: identifying areas where threat actors can expose a gap in protection, or worse, take malicious action. “They key thing is to know your environment by conducting vulnerability scans,” said Stephen Squires, director of information security at Brightree. These scans offer an idea of what ports and services may be exposed so they can be protected against attacks. Squires noted that most vulnerabilities that are exposed are three to four years old. “Cybercriminals are banking on the fact that our patching regimes are lax or non-existent, which makes it easier for them,” he said.

Risk management is another key step to identify risks that could prevent a business from reaching its objectives, said Tolkkinen. “This includes maintaining an inventory with system and data classification and continually working to identify, track, and treat those risks.” He said companies may opt to work with a third-party security firm for an annual risk assessment. Risk management may also include business continuity planning that outlines steps for recovery after a cyber attack or natural disaster.

One part of an infosec program where technology can play a key role is in monitoring, said Squires. “Again, it’s about knowing your environment. You should centrally collect logs from your different systems, but it takes technology like machine learning to look at all of those logs and find anomalies for indications of compromise.” He explained that one of the first things malicious hackers will do once they’re inside a system is to eliminate the “breadcrumbs” that show how they got in. Because of this,  “Having all of your logs centrally stored somewhere off the server helps protect the information,” he explained. Squires added that machine learning or artificial intelligence also supports quick reactions based on learnings from past incidents.

Finally, having a plan to respond to a data breach is crucial. Friedman recommends creating a high-level umbrella plan and then developing “runbooks” specific to different groups within an organization. “Within those runbooks, you should define roles and responsibilities,” he said. “When something bad happens, people just want to know what their job is and what they need to do. These plans make that as simple as possible.”

All three men emphasized that it’s important to remember that the main reason to develop an information security program is to safeguard the care of patients and residents.

For more details about establishing a robust infosec program, listen to our podcast.