Healthcare organizations should adopt a cyber framework and not only focus on HIPAA, as the requirements defined by HIPAA by themselves do not adequately address cyber risks. Cyber frameworks such as the NIST Cybersecurity Framework or the CIS Critical Security Controls are purpose-built for today’s cyber risk environment. In my opinion, these frameworks fill in the “gaps” in HIPAA’s requirements.
No. Healthcare is increasingly using technology, and thus is increasingly susceptible to the challenges of using technology. Healthcare isn’t turning back to paper, so these challenges are here to stay.
Healthcare faces the same challenges as every industry, ranging from patching servers in a timely manner to ensuring that the supply chain is secure. I think the distinction for healthcare is that many organizations are late to understanding the importance of security as a patient safety measure. NewYork-Presbyterian’s Board and CEO level understands the criticality of information security to delivering safe and effective patient care. NewYork-Presbyterian has embraced cyber frameworks and is investing in cyber technologies deployed in other industry verticals.
Medical devices are currently a major risk for healthcare organizations as the device manufacturers have all too often focused on functionality over security controls. And, at times, physicians have opposed controls being added to devices because they viewed the controls as burdensome (e.g., having to log in to a medical device). NewYork-Presbyterian is actively engaging device manufacturers on the security of their products, as well as joining MDISS, an organization that offers a promising means for collaboration between manufacturers and healthcare organizations.
Healthcare is increasingly using internet-connected medical devices, telehealth, and other cutting-edge technologies to deliver more timely and efficient care. However, these initiatives are at risk if healthcare does not adopt cyber controls to protect this information and the systems supporting these new initiatives.
Multiple leaders and groups at NewYork-Presbyterian look at this issue, including our analytics team, Chief Transformation Officer, and leaders across all departments. NewYork-Presbyterian is becoming increasingly effective at utilizing information because we have focused on collaboration, and breaking down silos between business lines and IT. This has led to innovative programs such as our telehealth initiatives, including our NYP OnDemand platform which provides for capabilities such as digital second opinions, virtual visits and TeleStroke care.
The most important lesson is to listen and be open to ideas. IT leaders can be siloed from the individuals and business functions they support. Collaboration starts with listening to the business and working together on solutions.