Raising Cyber Security Awareness for Healthcare Professionals

Author: Robert J. Michalsky, Principal, Cyber Security

Release Date: November 12, 2013

Summary: Cyber security isn't on the syllabus of any medical school, but cyber security awareness is just as vital to healthcare organizations as washing hands. At best, lack of cyber security awareness can result in malware, which slows operations and increases maintenance costs. At worst, it could lead to data breaches, multi-million dollar fines and loss of trust with patients.
So how do you create effective awareness in a healthcare organization, helping ensure safety while not impeding the work of healthcare providers, where time and simplicity are at a premium? NJVC Cyber Security Principal Robert J. Michalsky provides a framework for creating good cyber security hygiene and integrating cyber security awareness into daily actions.


Protecting Digital Health Information: A Three-Part Series

NJVC's healthcare IT experts discuss the importance of cyber security for healthcare, why the true scope of cyber security requirements may be broader than commonly thought and the basic steps every healthcare organization should take to protect its data in an increasingly digital landscape.  

Part I: Where to Start?

Author: Terri Schoenrock, Director of Healthcare Solutions

Release Date: June 10, 2013

Summary: Healthcare provider organizations are evolving patient health data access and management, making personally identifiable information more digital, mobile and available. With this move comes a quantum increase in the exposure of individually identifiable information within the enterprise and across the extended value chain. The balancing act is to address the need to be agile and responsive to stakeholders, and therefore more competitive, while managing the risk of compromised security with consistently dwindling budgets.

Lessons Learned
Breaches of individually identifiable patient health information result in financial loss, criminal fines, and loss of reputation.  
The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580 (Ponemon Institute, 2012).
Most breaches can be prevented before they happen, with a small investment in the future. Equal in impact is the loss of trust by the stakeholder community after a breach. Independent physicians and most patients have a choice in their healthcare, and in where that care is provided.  
It is critical to find a partner to help to diagnose your current situation and help create the safety net that will limit the risk to the health enterprise and its stakeholders, including cloud and other service providers.  

Part II: What Is at Stake?

Author: Robert J. Michalsky, Principal, Cyber Security

Release Date: July 8, 2013

Summary: In medicine, reducing risky behavior reduces health risks. So too does reducing risky cyber behavior reduce likelihood of attack or breach.
How do you make smart, cost-effective, and prioritized decisions that protect the security and privacy of your patients? Before you can make a prognosis, you need to assess the situation by running diagnostic tests. In the case of privacy and security, you need to determine your critical cyber security vulnerabilities and mitigate those attack vectors. Consider the entire enterprise as having a potential attack surface. Risk management is about quantifying that risk and minimizing the potential for harm.


Part III: What to Do?

Author: Robert J. Michalsky, Principal, Cyber Security

Release Date: August 8, 2013

Summary: Protecting electronic medical records is one of the fundamental objectives of every healthcare organization. As mandated by the HIPAA Privacy and Security rules, appropriate safeguards must be in place to effectively enforce controls on the use and disclosure of all electronic Personal Health Information.
How can this end goal best be achieved? With a comprehensive third-party IT security assessment that accepts the structure and organization in place and does not seek to alter an organization, but instead looks for enhancements to better protect the valuable electronic assets a healthcare organization produces and utilizes: patient health data.