August 6, 2015
Though major security breaches are a snowballing problem in U.S. hospitals, many do not maintain a strong, up-to-date security program. Often, the security team consists of a Security Officer who has little authority and support. The security program or plan was developed years ago, and has had patchwork attention. The focus has been more on internal risks — like laptop or password theft — than on external hi-tech threats. But, with the extraordinary increase of massive attacks on organizations like UCLA and Anthem, such approaches to healthcare security are no longer an option. It’s time to be as smart as the bad guys. How?
Start — and keep going — with the right security team. Below, our Tom Grove identifies what factors are critical in assembling a fierce team that can ensure that the bad guys meet their match. Tom has worked extensively in the HIPAA / HITECH privacy and security arena for over 15 years. Here is his answer:
Clearly define purpose. Every hospital should define the purpose of its security program within the context of its organizational mission, goals, core values, physical design, technology, patient demographics, financial circumstances, human resources and other individual circumstances. If the defined purpose is not founded upon such organizational considerations, the program cannot choose a security team that will be committed to the program’s overall direction or structure, or provide realistic guidance and goals.
Choose a vigilant multi-disciplinary team. Because of the broad charter of the security team, a variety of members with decision-making authority is needed. And, I wasn’t joking earlier when I used the word “fierce.” Authority is meaningless without commitment to the security program’s goals. “Commitment” must include strong concern for the organization and its patients, genuine capability, minimal political inclinations, and willingness and ability to follow through on meeting attendance, task execution, etc. A team with the right players to lead and manage the key security functions might include:
What decisions will this team make? Members should have familiarity with areas in which decisions will have to be made. At least some members should have strong experience related to these decisions. Examples include:
Consider including a top notch external security expert if you don’t have one in-house, at least for periodic assessments and recommendations. Despite costs, this step could be one of the best investments your hospital ever makes.
Unfortunately, in some organizations, developing and managing a security program has been viewed as a one-time event. Instead, the program should keep “going and going,” like the classic Energizer bunny. Continuing developments such as software and hardware changes, new organizational or financial goals, and increasingly sophisticated security threats require ever-diligent attention to security, both at the decision-making and technical levels.
The team should revisit the security program at least once a year or even more often, as events warrant. Abandonment of the team effort is a common and dangerous situation that should be prevented. The organization should have a strong team charter, nurture the group’s commitment to security through strong leadership, and require accountability at a job performance level in order to sustain long term viability and flexibility.
Finally, the appointed team must have absolute authority to make security-related decisions. Even if decisions are well researched and deeply considered, team efforts will be compromised if others have the ability to circumvent them without consequences. Worse, the team will be essentially ineffective if senior management or clinical leadership has the authority to ignore or veto its decisions, and uses that authority. The team’s makeup and charter should be strong enough to exclude this possibility, including allowing the team to have meaningful recourse.
If you would like to learn more about developing an effective security program, contact us.