[BreachExchange] Leading The Path With Information Governance
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Oct 10 18:54:09 EDT 2016
http://www.hitechanswers.net/leading-path-information-governance/
Security Issues
When hearing the words “information governance”, at first glance, you think
‘does this deal with the government’? In fact, it is a part of something
larger than we expected: healthcare information and data security. Lately
in the healthcare news, we have been hearing a significant increase
surrounding cyber security threats to healthcare industry most especially
in patient data breach or ransomware. Why is this happening? Security
breaches are what we have been dealing with since healthcare has become
digitalized. There has been a significant surge in patient data collected,
shared, and analyzed on a daily basis.
Ransomware is a type of malware that prevents or limits users from
accessing the system with encrypted files. Then forces the victims to pay
ransom via online to grant them access. Hospitals are the perfect mark for
this kind of extortion because they provide critical care and rely on
up-to-date information from patient records.
These types of attacks create fear and anxiety. And if we’re educating our
healthcare leaders to today’s best standards then we can take appropriate
actions as opposed to reaction. It is the responsibility of the executive
in charge of information security at a healthcare organization to help
C-suite executives understand and digest technical and threat assessments,
which can be quite complex. The appropriate answer is to build an
information governance program.
Information Governance
So let us understand what is information governance (IG). Defined by AHIMA
(American Health Information Management), information governance is the set
of multi-disciplinary structures, policies, procedures, processes and
controls implemented to manage information at an enterprise level,
supporting a healthcare organization’s immediate and future regulatory,
legal, risk, environmental, and operational requirements.
IG is an ongoing learning curve with current industry standards and
regulatory changes that require trustworthy information. Information
governance initiative completely transforms the healthcare organization’s
thinking about the value of information and how powerful it can be.
The IG goals are to establish a solid framework for the information, which
are required to manage the processes for storage, retention, and
disposition of medical and business records. Establishing sound policies
and procedures are critical for IG program success. It will serve to
communicate, educate, and facilitate compliance and enforcement.
Starting an IG initiative can begin with a gap assessment: understanding
where there are needs and organizational pain points. From this, a solid
strategy can be built along with a development committee to formalize an IG
program that will initiate, establish, and execute. Leading industry
associations including AHIMA and ARMA (Association of Records Management),
are putting increased emphasis on governance, and health systems across the
country are undertaking IG initiatives with the focus they demand. By
leveraging best practices from both inside and outside the healthcare
industry, healthcare administrators can streamline their information access
and better enable enterprise-wide governance.
Healthcare Cyberattacks
In the past, the most common healthcare security issues were breaches into
patient data and personal information, most prominent examples were CVS and
BlueCross Blue Shield. Now there have been attacks to the U.S. hospitals
through ransomware. Ransomware viruses have evolved and can target
hospitals and other healthcare facilities. Earlier this year, attackers
took hostage to Hollywood Presbyterian Medical Center in Los Angeles.
Computers were offline for over a week until officials were forced to pay
the extortionists. In March 2016, Methodist Hospital in Henderson, Kentucky
was struck by a specific ransomware virus called Locky that prevented the
healthcare providers from accessing patient files. The facility was in a
‘state of emergency’ over the weekend and was systems up by the next
business day. The administrators refused to pay the ransom and simply
restored the hospital’s data from backups.
Conclusion
It seems that ransomware has taken the healthcare field by storm over the
past few years. While there can be no guarantee against being a victim, it
is necessary to implement an IG program that will manage the information
throughout its lifecycle – from capturing, processing, use of, and storage
of information. As the volume and variety of information in the healthcare
industry continues to grow, the need for information governance (IG)
becomes paramount. It is necessary to create and implement rigorous data
retention policies to ensure that only necessary data is maintained, thus
minimizing the amount of data subject to ransom.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161010/321f8b75/attachment.html>
More information about the BreachExchange
mailing list