IT security models have evolved

BOSTON—The very first IT directors hired in healthcare worked in finance, accounting or human resources. That history of CIOs reporting to CFOs makes the relationship cost-driven instead of strategy-driven, said Mansur Hasib, CISSP, PMP, CPHIMS, author and professor in the University System of Maryland, speaking at the 2015 Privacy and Security Forum.

Half of U.S. healthcare is still run by CFOs, Hasib said. “Who is driving the strategy at that point?”

In March 2013, Hasib’s doctoral study survey revealed that one-third of healthcare organizations had no CISO and one-fifth of those had no plans to hire one any time soon.

Hasib listed the top healthcare data breaches: Anthem at 78.8 million affected; Premier Blue Cross Blue Shield with 11 million affected; Community Health Systems with 4.5 million affected; Xerox State Healthcare with 2 million affected; and the Montana Health Department with 1.1 million affected.

An analysis of those breaches found a lack of cybersecurity culture, including lack of leadership, lack of CEO accountability, failure to understand mission success, improper analysis of risk and CEOs viewing problems as a technology issue. In the face of a breach, most healthcare organizations blame and fire CIOs and CISOs.

Hasib said the importance of the role people play in cybersecurity was realized relatively recently. Models established in the early 1990s did not include people, but many organizations are still using an early model for their cybersecurity planning. Even once models factored in people, there were problems. Awareness training by itself doesn’t do anything, he said. “We need to engage people and focus training on their job role. Cybersecurity to a doctor means nothing, but if you focus on the safety of data in their job role, they will get it.”

Hasib said when he is teaching he uses the term data safety because clinicians can relate to patient safety.

He also said organizations must remember that cybersecurity is not a state. “You have to have continuous improvement.” To determine how best to use its resources, an organization must consider its mission because “your entire strategy has to fulfill that mission.”

The determinants of innovation and productivity, Hasib said, are knowledge, attitude, skill and habit. Attitude and habit have the highest impact. “Happy people learn more.”

Culture also is vital and has four elements: shared values, rituals, heroes and a social network guarding against deviations. “Data loss has to be zero so make it a key value.”