Pratum Blog

Healthcare Information Security

Customers and partners often ask us to describe the current state of information security within specific industries. This is certainly the case in healthcare, and our answer may surprise you. Historically, information security in healthcare has been underfunded and often underprioritized. In the last 12 months, however, many IT leaders and C-suite executives have recognized the need to allocate more funds and start new initiatives.

Unfortunately, much of that funding tends to funnel toward software, hardware, and various security products, which is a shortsighted approach to information security. We need to make sure that strategy is at the foundation of the program. Information Security is so much more than “Cybersecurity”. A true Information Security program includes the technical component, or “Cybersecurity”, but it must also include the Physical and Administrative aspects. A comprehensive and holistic Information Security Program is one and the same as an Organizational Security Program. Security is not just an IT Department initiative. That’s why there must be total organizational buy-in.

What does the recent data say about healthcare?

April was a particularly bad month for healthcare, with 41 reported incidents. The severity of some of the breaches reported last month puts May on a par with April although there were only 29 healthcare breaches reported in May. However, 838,587 healthcare records were exposed or stolen in those incidents. The average breach size was 28,917 records.

Where do the recent threats originate?

Unauthorized access/disclosure incidents were the most common cause of breach in May with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

How can a healthcare organization better protect itself against these recent threats?

As previously mentioned, strategic engagement still leads the way in understanding risk and planning properly to guard against criminal hackers. Ongoing Vulnerability Scanning, Penetration Testing, and SIEM are also great tools to test for and monitor potential incidents. We’re also seeing an increase in healthcare organizations that are evaluating new PIEM (Patient Incident Event Monitoring) solutions. Maize Analytics and Protenus are two newer players grabbing market share from Fair Warning and Iatrics. When evaluating a PIEM solution to monitor and regulate unauthorized access to patient records, look for a solution that offers clinical context for the access with real-time data, rather than one that simply performs a small selected scan and only offers a probability score.

For more information on how to protect your healthcare organization, visit our Healthcare Security landing page.

All statistics in this article compliments of

Pratum, an Iowa-based information security consulting and managed security services firm, today announced that David A. Cotton, Brigadier General, USAF (Ret), assumed the position of Strategic Security Advisor effective March 19, 2018.

As Strategic Security Advisor of Pratum, David is responsible for helping set the strategic vision for the company’s information security consulting and IT risk management services while simultaneously serving as a Virtual Chief Information Security Officer for multiple clients in various industries.

“David’s vast experience leading cyberspace operations for the US Air Force, along with his deep knowledge and expertise in the areas of strategic planning and crisis management, will provide Pratum’s clients with cybersecurity leadership that is typically only available to the Department of Defense or Fortune 500 companies,” says Dave Nelson, CEO and President of Pratum.

David is a customer-centric cybersecurity, information technology, and change management senior executive with over 20 years of experience leading large, complex, diverse, global operations. He is the former Chief Information Security Officer for Iowa State University; a four-time Chief Information Officer while serving in the US Air Force, retiring as a brigadier general; a corporate cybersecurity VP for TASC Inc., a then-private defense and intelligence contractor focused on cybersecurity, intelligence, surveillance and reconnaissance operations, geospatial intelligence, data analytics; and a member of the Defense Department’s Senior Executive Service and Deputy CIO for Information Enterprise, with the portfolio of developing the policies and governance constructs to enable enterprise services, as well as the upgrade and restructure of the global network security architecture for the military services and Defense Agencies.

“The quality and caliber of the Pratum staff has always impressed me, but the hiring of General Cotton shows they will stop at nothing to attract the best talent possible.”

Joey Beech, Executive Director of Ankeny Economic Development Corporation

David will oversee the development of clients’ security programs and work directly with them to improve their security postures. His experience and strategic security vision for the future encapsulates the value Pratum offers clients through its information security services.

Individuals serving as officers or directors of an organization have a responsibility to investors and clients to ensure that the organization is being run well. This includes multiple facets of the organization’s operations such as finance, regulatory compliance, people management, and risk management.

There is so much responsibility placed on these individuals that an entire insurance market is devoted to protecting them through the sale of officer and director liability policies. Evidently, the roles of officers and directors are so important that a mistake in their judgment could create significant losses. Why is it that so many in this role continue to allow information security to be a blind spot in their oversight?

Officers and directors need to take a more active role in assessing how well organizations are handling the threat of a data breach.

Take these steps to provide board level visibility into cybersecurity preparedness.

  • Implement an IT risk management program to identify, classify, track and address technology risks within the organization. This not only helps identify risks but also provides a prioritized action list to ensure time and money are being spent on the largest risks, not just pet projects.
  • Require a quarterly or semi-annual report on cybersecurity, including any incidents, performance metrics or other data, to ensure progress is being made towards your security goals and that a positive return on investment is being realized for information security expenditures.
  • Ensure the individual responsible for information security has at least a dotted-line reporting structure outside of the technology group. This is extremely important to ensure that the security voice is heard and not squashed by the very management it is reporting on.
  • Require that a robust incident response plan be generated with predefined team members, third-party experts and general counsel. The time to determine how to respond to a breach is not during the breach. Test the plan annually in order to continually adapt to changes in business practices or regulatory requirements.
  • Use a common information security framework such as NIST, ISO, HITRUST or PCI to guide security activities and expenditures. These frameworks have been fully vetted over the years and ensure a consistent approach to information security.
  • Consider using an external security firm to perform a security assessment to ensure the standards of due care and due diligence have been met.

Officers and directors will be called upon more frequently to defend an organization’s information security practices as legal proceedings increase due to data breaches. By requiring a basic level of protection and receiving regular updates on security activities, board members will be better prepared to answer questions about the maturity of their organization’s cybersecurity posture.
