Expert: Triage approach can build stronger health data security
Although new IT security solutions appear regularly with promises of fresh approaches and technologies for protection, Stephen Cobb, senior security researcher with security software maker ESET North America, suggested that healthcare IT leaders look to a medical model for security before buying more security products.
These IT managers should regard their organizations as patients and address the most glaring security needs first, much like establishing triage.
“Every organization has limited resources, and triage is a way of looking at a patient, finding out the most urgent problem and determining the appropriate cure,” Cobb said.
Last year, a long list of healthcare organizations were hit hard by security breaches, among them UCLA Health System, Indiana-based St. Mary's Medical Center, and Montefiore Health System in New York.
The publicity around these events has propelled healthcare to the forefront of IT security discussions, especially related to the protection of personal patient data and what can be done to better protect it.
While that usually means re-examining the effectiveness of existing security systems and repairing or re-enforcing solutions already in place, Cobb said the triage approach is the most realistic and cost-effective.
Healthcare organizations “don’t need to spend a lot of money on a new security solution that does not cover basic needs,” Cobb said.
Cobb will address this issue in a presentation titled “Cybercrime Triage: Managing Health IT Security Risk,” at HIMSS16, which begins late February in Las Vegas.
Fundamental bulwarks of a security posture must be maintained, to be certain, including deployment of anti-malware, encryption, backup, and authentication applications.
“These things are very, very powerful products,” Cobb said. “But you have to make sure you use them to their best before you go off and invest in new technology.”
And other factors come into play when building effective security models. In fact, there are significant differences among healthcare organizations that should help determine each one’s security posture. A rural hospital system will operate differently than one in an urban environment and should be evaluated accordingly.
Additionally, human factors determine many security failures. Users who don’t follow rules, systems that are improperly configured, and features that are turned off are just a few examples. These failures should be repaired and the policies governing them reinforced, Cobb added.
Contributing to healthcare organizations’ vulnerability, Cobb said, is a historic lack of vigilance about security compared to the banking and retail sectors. This may be due in part to the nature of healthcare as a service activity, as opposed to banking, which is more aware of the bottom line.
“Doctors and nurses get up every day to do high risk jobs,” Cobb said. “Criminals get up every day to steal your data.”
The session “Cybercrime Triage: Managing Health IT Security Risk,” is scheduled for March 1, 2016 from 8:30 to 9:30 a.m. in the Sands Expo Convention Center Palazzo L.