Security budgets grow but breaches continue unless hospitals adopt best practices

IT Process Institute CEO Scott Alldridge said healthcare organizations need to support security spending and technologies with IT and process rigor to avoid breaches.
By Bill Siwicki
06:59 AM

Spending on cybersecurity in the U.S. will increase from $40 billion in 2013 to more than $60 billion in 2017, according to research from the Telecommunications Industry Association.

The number of security breaches reported to the U.S. government, however, increased from 61,200 in 2013 to 77,200 in 2015, according to a Government Accounting Office analysis, though the total number of breaches in the U.S. likely totals in the millions, experts said.

One would think with massively increased spending on cybersecurity protection, the number of security breaches would decrease. But that number, instead, continues to rise. This is in part because organizations do not follow all the security best practices available to them, from such firms as the IT Process Institute, the National Institute of Standards and Technology (NIST) and the Health Information Trust Alliance (HITRUST), said Scott Alldridge, CEO of the IT Process Institute.

“Our approach to strengthening the overall security posture of an organization actually starts with some foundational controls,” Alldridge explained. “We refer to them as blocking and tackling. If you start from a well-known and secure configuration and you move to another well-known and secure configuration, you will maintain system and security integrity. But we know we are in a world of constant change, and successful change is important to organizations. We are in a world of DevOpps pushing things quicker and quicker. But it’s important that the integrity of a configuration be maintained throughout the change process.” 


 Learn more at the Privacy & Security Forum in Boston, December 5-7, 2016. 


Alldridge points healthcare organizations to ITIL, the IT Infrastructure Library, for help with bolstering a cybersecurity posture.

“There are three closed-loop processes as defined in the IT Infrastructure Library that are foundational controls for any organization for not only driving availability and other benefits but also driving a solid security posture and uptime,” he said. “Those are configuration management, change management and release management. Simply put, if we have a server that we know is secure, validated, and the configuration is working, and someone wants to make a change, whether a patch or a new software release or a hardware change, any kind of change, then we classify change and we follow some rigor in that process.”

No security breach happens without a change or the need for a change, Alldridge added.

“So if in fact we manage change effectively, well and with integrity, then we know we will have a strong posture against security breaches,” he said.

Healthcare organizations still must have great security policies and procedures and solid security technologies in place, but studies show breaches are increasing while security spending is increasing and, as such, best practices that serve as the foundation for policies and technologies must be followed, Alldridge stated.

“The industry is too focused on point-based technology solutions and not focused enough on following best practices,” he said. “By following best practices, particularly these core control processes, you will have a much higher availability rate and fewer breaches. There is plenty of proof of that in our studies at the IT Process Institute. The statistics and the qualitative data and analytics are on our side. It’s managed by fact not by belief.”

Too often, executives consider security to be merely a feature that is bolted onto an existing IT framework or system, Alldridge said.

“But then, the underlying environment may be insecure,” he said. “So there may be a false sense of security. Executives get excited about employing new threat intelligence tools, but that can deter organizations from spending money on the hard work of employing and maintaining controls. If your IT control process is broken, it’s probably a good indicator your security is broken, too.”


 The Privacy & Security Forum takes place in Boston Dec. 5-7, 2016. 
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks

⇒ What's the fundamental problem with cybersecurity? Relying on the Internet
Budgets grow but breaches continue without best practices
⇒ Think offshoring PHI is safe? You may not be if a business associate breaches


Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.