[BreachExchange] Follow the data to improve security preparedness, hospital CISO says

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 14 19:21:01 EDT 2016


http://www.fiercehealthit.com/story/follow-data-improve-security-preparedness-hospital-ciso-says/2016-03-14

Healthcare organizations must shift their thinking about security to
improve their preparedness, according to Joey Johnson, chief information
security officer at Premise Health in Brentwood, Tennessee.

Johnson, in an interview with HealthcareInfoSecurity, says that one of the
biggest problems with healthcare data is that there are so many copies of
it sent to pharmacies, insurers and other places.

"When one patient comes in ... by the end of the ecosystem, your data has
been copied lots of times," he says. "HIPAA has governance of that, but
even HIPAA peters out after a point. ... That means there's no single data
set to control."

What's more, he says, with wearables entering the picture, there are
increasing questions about where data lives, who's responsible for it and
how to prioritize conflicting privacy issues.

Rather than focusing on compliance, Johnson urges organizations to focus on
the location of healthcare data, how it moves and who has access to it.
They should operate under the premise that they will have compromised
assets.

Most organizations, he says, can't answer the question, "How would you know
if you're leaking data?"

"If you read the headlines, they invariably say, '18 months ago or 24
months ago, this breach happened,' and we're just now finding out about
it," Johnson says. "They're so focused on tools like antivirus software or
data-loss-prevention tools, but they're actually missing it when the data
is being absconded."

Healthcare organizations are subject to about one cyberattack per month,
according to the Ponemon Institute, with attacks increasing in frequency
and sophistication.

Meanwhile, lawmakers recently lambasted the Department of Human Services
for "sluggish" response to developers' need for more technical guidance on
HIPAA.