BOSTON — Health and Human Services chief information security officer Christopher Wlaschin said there are three steps that hospitals should be taking today to bolster their security posture: join forces, treat your patching report like your profit-and-loss report and, at the very least, consider multifactor authentication.

“If you have the ability, then jump into the NH-ISAC,” Wlaschin said here at the Healthcare Security Forum on Tuesday. “They can help. It’s not just compliance, it’s also about preparedness and resilience.”

Several speakers including former Homeland Security Secretary Tom Ridge and President Obama’s cybersecurity coordinator Michael Daniel also recommended that infosec professionals participate in the NH-ISAC, which stands for the National Healthcare Information Sharing and Analysis Center.

UMC Health System information security officer Phil Alexander added that it’s not just the ISAC. Other options include the NIST and HITRUST frameworks, FBI and other listservs, Infragard.

Wlaschin’s second suggestion is to treat your patching report like a P&L — because it’s really that important to a hospital’s bottom line.

Whereas common key performance indicators healthcare CEOs consider are bed count, revenue, and compensation from CMS, to name just three, Wlaschin said the patching report should be among those KPIs.

If you cannot do either of those then at a bare minimum, Wlaschin advised deploying multi-factor authentication.

It’s no secret that many hospitals still struggle with budget constraints that inhibit them for joining an ISAC or even implementing multi-factor authentication technologies.

HIMSS Analytics Senior Director of Research Services Bryan Fiekers said that according to its latest Healthcare IT and Risk Management Study, participating hospitals allocate 6 percent or less of their IT budget to infosec. And that’s despite the fact that more half of IT shops own risk management within hospitals.

Fiekers said that HIMSS Analytics found the primary drivers of security investments to be risk assessments and HIPAA audits by HHS Office for Civil Rights.

“Those two are the cornerstones for IT security investments and that’s true across all the categories of people we interviewed, the business, clinical and IT,” Fiekers added. “Everyone’s in compliance on compliance.” 

HIPAA compliance is, of course, a mandatory baseline for securing patients and their data. Wlasich’s three tactics to employ right now build on that.

“Only together will we make the healthcare sector more resilient,” Wlaschin said.  “The tide raises all boats. Together we’ll address the problem, take care of the people who don’t have the resources, make ourselves less susceptible to attack and more able to provide the patient care we are capable of giving.”  

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com

 Read our coverage of HIMSS Healthcare Security Forum in Boston.
⇒ Healthcare must move from risk to resilience, Tom Ridge says
⇒ Equifax hack: What cybersecurity pros are saying about the breach
⇒ Slow breach detection, patching, operational snags handcuff healthcare security
⇒ As hackers become more destructive, security needs an all-hands approach
⇒ Obama's cyber czar warns of 3 troubling security trends
⇒ Old legacy devices pose greatest security risk, experts say
⇒ Why hospitals should join an ISAC immediately
⇒ 5 common HIPAA compliance pitfalls for healthcare orgs to avoid
⇒ FDA exec to medical device manufacturers: 'Bake security into the design’
⇒ 'Cybersecurity' term might be scaring off young talent
⇒ Cybersecurity is hard, got it? But let's stop blaming hospitals for every breach