It’s not enough to simply implement security products to safeguard hospitals. Health IT professionals, rather, must use data generated by those security technologies to create programs that best protect their organizations, said David Severski, manager of the information security program at Seattle Children’s Hospital.

Call it data-driven security. Severski described it as the application of science and data to the practice of security and risk management.

“I draw a parallel with evidence-based medicine,” Severski said. “There you have a group of patients with some condition, you apply some treatment and hopefully they get better. If they do get better, then you do more of that treatment; if they do not get better, then you do less.”

Sign up for the Healthcare IT News Privacy & Security Update newsletter.

At Seattle Children’s Hospital, Severski leads a team that provides actionable, data-driven analyses to upper management.

“My team’s function is almost like a research arm: We provide intelligence to business leaders on how they can best allocate their resources,” he explained. “In healthcare, there never are enough resources for what organizations want to do, but at the same time, healthcare is a risky business. Business leaders are asking my team what the possible outcomes are of the decisions they have to make, so they then can make the decisions based on good knowledge.”

Severski used the area of patch management as an example where the data-driven approach benefits a security strategy.

“The team tackles such things as technical security risk management, which includes patch management,” he said. “There are lots of devices, from workstations to medical devices to servers, and the organization does not have enough resources to patch everything everywhere all at once. So, how do we prioritize our technical remediation efforts? What matters most and what will give us the optimal outcomes?”

[Also: Tips for protecting hospitals from ransomware as cyberattacks surge]

In patch management, the data-driven security team examines the assets that need to be protected, what the assets do for the institution, the data the assets can access, and how attackers can reach the assets.

“We have a program that pulls all that information in, then we optimize the information against our threat environment, in other words, to what Children’s is concerned about the most,” Severski said. “Then we draw our conclusions and provide intelligence to IT owners and business leaders, saying this is what you should be worried about first, and at the same time here are some things that are not as worrisome.”

Severski pointed to the common scenario of EHR system buried deep in an internal network amid layers of security. A hospital likely wants to patch that but data-driven analysis could potentially uncover other areas that attackers could strike so the hospital can work on those before patching the EHR.

Learn more at the upcoming HIMSS and Healthcare IT News Privacy and Security Forum, May 11-12, 2016, in Los Angeles. Register here. 

While a hospital must be concerned with protecting its EHR system, there are hundreds of applications even in a mid-sized institution like Seattle Children’s Hospital that have access to quite a bit of information; as a result, from an information security perspective, these other systems can present as great a threat to the institution as the EHR, Severski said.

“If you are not applying a data-driven, scientific approach to managing your resources, you are managing at best by instinct,” he added. “And in a competitive business world, instinct is not enough.”

Neither is tackling security the same way you’ve done since the 1990s.

“You have to apply the same rigor that you apply to building a new facility or investing in a new line of clinical services to your IT and IT security investments, as well,” Severski added.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn