Managing healthcare cybersecurity in 2020 pt.2

It’s widely accepted that healthcare has lagged behind other industries when it comes to cybersecurity, and that the industry needs to close the gap. Thankfully, healthcare managers can use standards to build resilience across diverse cybersecurity fronts simultaneously. Let’s start with the bigger picture.

To develop an effective security-specific strategy, healthcare leaders can first examine their wider organizational standards strategy across all operational aspects. This helps ensure a reliable foundation on which to build (for example, pillars like ISO 9001, the internationally recognized quality management standard).

With the fundamentals covered, the next task for healthcare leaders is to consider developing a formalized cybersecurity policy – one that goes far beyond simply backing up data and frequently testing network security to identify potential gaps (although these remain important).

Managers can use the global information security standard ISO/IEC 27001 to create and implement a bespoke management system, and then ISO/IEC 27002 to develop guidelines that meet international standards. This may also help large healthcare institutions remain agile and responsive in the face of an incident or data breach.

Cloud-based services and storage policies will make up a significant portion of any wide-ranging security protocol. ISO/IEC 27017 provides enhanced controls for providers and customers. It clarifies roles and responsibilities to help make cloud services as secure as any other part of the healthcare IT estate.

A robust cybersecurity policy is vital for decentralized systems, with users spread across several geographical locations or campuses. It should detail all security procedures, processes and responsibilities for staff – both for routine best practice and for emergency protocols. It should also underline the need for an ‘ever vigilant’ mindset across every healthcare organization.

A vital strand of any ISO/IEC 27001-based plan is the correct management of patient healthcare data and medical records. ISO 27701 helps healthcare leaders control this personal information. It outlines how to establish and run a privacy information management system (PIMS).

Consideration should also be given in the wider policy to the increasing prevalence of personal device use amongst staff, for routine work and administration. It needs to clarify exactly what’s acceptable, and what responsibilities users have (as well as which applications they can use and where specific risks lie).

Building and maintaining resilience to cyberattack will always be an ongoing, never-finished process. It is about building the right culture of awareness and responsibility across all management and staff, because healthcare leaders are fighting a constantly evolving threat. A standards-based approach is a powerful means of organizational defence – optimizing the balance between efficient daily operation and appropriate protection.


The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.