Is a new Healthcare Cybersecurity Framework the answer?

by | Jun 29, 2017 | Compliance & Security, Third Rock

The Healthcare Industry Cybersecurity Task Force has asked the U.S. government to create new policies that would help healthcare providers improve their cybersecurity.  You can read about it in this article Cybersecurity task force seeks new security framework, exemption to the Stark law on Modern Healthcare. First let me state, I am all for a Cybersecurity Framework and I appreciate KLAS-CHIME and their work to survey the industry.  They are primarily focusing on the large and very large enterprise healthcare providers. Therefore, I question that the need is a new framework.  I work in this industry from the single doctor practice to the large enterprises.  Here’s what I see is needed and what we at Third Rock work on to improve and provide for our clients.

Problems that need to be addressed:

  1. Under funded.  Healthcare cybersecurity and IT are under budgeted when compared to other industries. Therefore, they are understaffed, under trained, under prepared and unaware at most levels.
  2. Ignorance in the industry.  The healthcare industry is behind on the cybersecurity front and in the IT arena, see #1.
  3. MS Windows is commonly used because of #1.  Windows is known to be insecure.  The standard installation of Win 7, 8, and 10 and Win Server 2008 and 2012 are below 70% compliant based on the NIST standard.
  4. The average physician’s practice is 14% HIPAA compliant.  This is based on the government’s findings.
  5. Several frameworks already exist.  The Mom & Pop, Very Small, Small, and Medium healthcare providers do NOT know these frameworks exist.  Nor do they have or can they afford to hire a cybersecurity expert to implement. Therefore, a new framework will not solve the problem.  For a good article on frameworks check out HealthIT Security’s How Healthcare Benefits from Cybersecurity Guidelines.

The approach we take:

  1. First, they need a gap analysis to know what they need to correct.  This is a Security Risk Analysis or HIPAA Risk Assessment.
  2. Then, they need a prioritized corrective action list that guides them to correct the top issues first and track that they are taking action.
  3. Many of these corrective actions are cybersecurity issues.  We provide a Cybersecurity Rapid Repair Guide.  This guide provides the basic steps for covered entities of any size to harden their computers and networks within a few hours of work.  Plus, it provides them a guide to ways to improve their cybersecurity and training for their staff.  It is a short, simple, easy to read guide to help them fix what needs to be fixed without hiring an expert or breaking the bank.

Protect Your Patients.  Protect Your Practice. Protect Yourself™.

info@thirdrock.com | 512.310.0020