D'Arcy Gue

How Your Security Program Can Beat the Bad Guys

August 6, 2015

HIPAA & Security

Though major security breaches are a snowballing problem in U.S. hospitals, many do not maintain a strong, up-to-date security program. Often, the security team consists of a Security Officer who has little authority and support. The security program or plan was developed years ago and has had patchwork attention. The focus has been more on internal risks — like laptop or password theft — than on external hi-tech threats. But, with the extraordinary increase of massive attacks on organizations like UCLA and Anthem, such approaches to healthcare security are no longer an option. It’s time to be as smart as the bad guys. How?

Start — and keep going — with the right security team. Below, our Tom Grove identifies what factors are critical in assembling a fierce team that can ensure that the bad guys meet their match. Tom has worked extensively in the HIPAA / HITECH privacy and security arena for over 15 years. Here is his answer:

Clearly define purpose. Every hospital should define the purpose of its security program within the context of its organizational mission, goals, core values, physical design, technology, patient demographics, financial circumstances, human resources and other individual circumstances. If the defined purpose is not founded upon such organizational considerations, the program cannot choose a security team that will be committed to the program’s overall direction or structure, or provide realistic guidance and goals.

Choose a vigilant multi-disciplinary team. Because of the broad charter of the security team, a variety of members with decision-making authority is needed. And, I wasn’t joking earlier when I used the word “fierce.” Authority is meaningless without commitment to the security program’s goals. “Commitment” must include strong concern for the organization and its patients, genuine capability, minimal political inclinations, and willingness and ability to follow through on meeting attendance, task execution, etc. A team with the right players to lead and manage the key security functions might include:

  • Chief Security Officer (Chair)
  • Chief Information Officer
  • Chief Medical Officer
  • Chief Nursing Officer
  • Chief Compliance Officer
  • Chief Legal Officer
  • Chief Operating Officer (or, in smaller hospitals, the Chief Executive Officer)
  • Director of Building Security
  • An executive from Human Resources with the authority to approve organizational policy that impacts employee rights and responsibilities.

What decisions will this team make? Members should have familiarity with areas in which decisions will have to be made. At least some members should have strong experience related to these decisions. Examples include:

  • Technology purchases, including both directly related security hardware and software, such as network scanning tools; and application purchases that have significant security implications such as a patient portal.
  • The hospital’s overall security posture. Security is a balancing act between absolute security, where people are prevented from doing their jobs because they can’t access information, and no security, where anyone has full access to sensitive information, with the risk of releasing it, changing it, or making it unavailable. The many decisions required to define this organization-wide posture must be made by the security team. By design, this criterion requires a broad cross-section of the affected constituents.
  • The hospital’s acceptance level of security risks. It is impossible for any effective healthcare organization to be perfectly secure in posture, considering its public-facing, patient-oriented objectives. Depending on its circumstances, every organization must create a list of risks to be accepted — mitigated through current activity or scheduled for later, or at least monitored for further developments. The seriousness of such risk decisions requires the participation of corporate officers with the authority to accept the risks. To better understand the hows and whys of risk management, download our Security Risk Management Report.

Consider including a top-notch external security expert if you don’t have one in-house, at least for periodic assessments and recommendations. Despite the cost, this step could be one of the best investments your hospital ever makes.

Unfortunately, in some organizations, developing and managing a security program has been viewed as a one-time event. Instead, the program should keep “going and going,” like the classic Energizer bunny. Continuing developments such as software and hardware changes, new organizational or financial goals, and increasingly sophisticated security threats require ever-diligent attention to security, at both the decision-making and technical levels.

The team should revisit the security program at least once a year or even more often, as events warrant. Abandonment of the team effort is a common and dangerous situation that should be prevented. The organization should have a strong team charter, nurture the group’s commitment to security through strong leadership, and require accountability at a job performance level in order to sustain long term viability and flexibility.

Finally, the appointed team must have absolute authority to make security-related decisions. Even if decisions are well researched and deeply considered, team efforts will be compromised if others have the ability to circumvent them without consequences. Worse, the team will be essentially ineffective if senior management or clinical leadership has the authority to ignore or veto its decisions, and uses that authority. The team’s makeup and charter should be strong enough to exclude this possibility, including allowing the team meaningful recourse.

If you would like to learn more about developing an effective security program, contact us.