LOS ANGELES — Building on several best practices and basic blocking and tackling of cybersecurity, healthcare organizations must also take a higher-level view to effectively address the problems of today.

“Cybersecurity could not be more important. The breaches continue to happen, in the federal government, the private sector, it’s all over,” said Ronald Ross, a fellow and data scientist at the National Institute of Standards and Technology here on Monday at the Privacy and Security Forum.

In addition to outlining the new security engineering guidance document that NIST released on May 4, 2016, which he described as “the most important, most transformational,” he has worked on at NIST, Ross offered that high-level solution.

“Leadership, governance, and accountability will solve 90 percent of our cyberbreaches,” Ross said.

Sign up for the Healthcare IT News Privacy & Security Update newsletter.

Symantec health information technology officer David Finn agreed, saying that a strong leader with governance in place can then hold people accountable when those policies and procedures are not working.

“Governance has to include the CEO, CFO, the board,” Finn added. “Because that’s the only way it works.”

That approach should take into account: expenditures, insurance, regulatory compliance and “all the things that companies do to mitigate risk,” said PwC managing director Lisa Gallagher.

Kyle Gilliland, director of information security at Huntington Hospital said that healthcare entities cannot simply buy security.

“It starts with taking a look at your business needs and trying to build security into those,” Gilliland said.

Ross also said cybersecurity needs to be proactive, not reactive, and that healthcare organizations should build security into every facet of their business — and explained that when NIST was working on the new document, it reached out to engineers who build bridges, planes and other large systems to understand and incorporate their best practices. 

[Also: NIST to release new guidance for strengthening hospital cybersecurity]

“When a plane crashes or a bridge collapses, the first thing we do is call the engineers to find out why it happened,” Ross explained.

In the event of a data breach, however, healthcare organizations typically collect more threat intelligence, rather than actually understanding their own weaknesses to improve upon those.

NIST’s new guidelines can help lead entities in that direction, though Ross said regardless of which framework a hospital chooses, the best tactic is to pick one the organization understands, is comfortable with, and can execute against.

“The only way to improve security is to architect and engineer your system,” Ross said. “You have to use engineering techniques to limit the damage adversaries can do.”

Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn