Health and Human Services chief information security officer Christopher Wlasich speaking at the HIMSS Security Forum in Boston on Tuesday.
BOSTON -- Health and Human Services chief information security officer Christopher Wlasich said there are three steps that hospitals should be taking today to bolster their security posture: join forces, treat your patching report like your profit-and-loss report and, at the very least, consider multifactor authentication.
"If you have the ability, then jump into the NH-ISAC," Wlasich said here at the Healthcare Security Forum on Tuesday. "They can help. It's not just compliance, it's also about preparedness and resilience."
Several speakers including former Homeland Security Secretary Tom Ridge and President Obama's cyberescurity coordinator Michael Daniel also recommended that infosec professionals participate in the NH-ISAC, which stands for the National Healthcare Information Sharing and Analysis Center.
UMC Health System information security officer Phil Alexander added that it's not just the ISAC. Other options include the NIST and HITRUST frameworks, FBI and other listservs, Infragard.
Wlasich's second suggestion is to treat your patching report like a P&L -- because it's really that important to a hospital's bottom line.
Whereas common key performance indicators healthcare CEOs consider are bed count, revenue, and compensation from CMS, to name just three, Wlasich said the patching report should be among those KPIs.
If you cannot do either of those then at a bare minimum, Wlasich advised deploying multi-factor authentication.
It's no secret that many hospitals still struggle with budget constraints that inhibit them for joining an ISAC or even implementing multi-factor authentication technologies.
HIMSS Analytics Senior Director of Research Services Bryan Fiekers said that according to its latest Healthcare IT and Risk Management Study, participating hospitals allocate 6 percent or less of their IT budget to infosec. And that's despite the fact that more half of IT shops own risk management within hospitals.
"Those two are the cornerstones for IT security investments and that's true across all the categories of people we interviewed, the business, clinical and IT," Fiekers added. "Everyone's in compliance on compliance."
HIPAA compliance is, of course, a mandatory baseline for securing patients and their data. Wlasich's three tactics to employ right now build on that.
"Only together will we make the healthcare sector more resilient," Wlasich said. "The tide raises all boats. Together we'll address the problem, take care of the people who don't have the resources, make ourselves less susceptible to attack and more able to provide the patient care we are capable of giving."
Read our coverage of HIMSS Healthcare Security Forum in Boston.