exercise; this is a serious effort that must be done regularly because the threat landscape changes continually,” Nanji admonished. “I suggest every 6 months — and at very least every year — a facility performs an analysis to see if the right tools and software are in place to support all of its interactions to the outside world through any electronic means. It requires a multi-pronged, multi-layered, very thoughtful approach involving a lot of people, a lot of teams and a lot of training.”

The need for consistent ongoing security checks is also heightened by the nature of the healthcare workplace, Nanji noted. “One of the big problems with EMRs is the fact that there are so many different types of users. With different users you want to segregate what each one can view or edit, etc. But maintaining a ‘role-based access control system’ — one in which privileges are based on whatever role a user plays within the healthcare system — can be very thorny. You will always have transitions — people get promoted, demoted, fired, retired — so privileges must constantly be adjusted and updated. It is a difficult process.”

CULTURE OF SECURITY

Asked what a security culture really looks like, Nanji said it looks like dedicated training, explicit policies, procedures and standards. It looks like a very cohesive governance structure. It looks like strong C-suite understanding that cracks in security could happen at any time, and a parallel understanding that a risk analysis by an external party every year can bring to the surface problems that might not otherwise be recognized in-house.

He also advised that healthcare system managers keep in mind “… the EMR system is just one component. It’s not the only system that must be safeguarded. It might be one of a hundred applications that store information, and there may be 50 applications sending information back and forth to the EMR.
It is a delicate information ecosystem and your entire information platform must be reviewed.

“The EMR certainly is a critical component, but it is not the only component. It may be a healthcare system’s biggest repository of information, but a weakness anywhere could lead to inappropriate access to an EMR and that could lead to disaster. There is no single switch.”
Health System Management • January 2017