The report also gave solutions to the problems they uncovered. Researchers stressed that their recommendations will need to involve every level of the healthcare industry, from device vendors to the hospitals and patients themselves. The researchers also said it will take many years for the industry to correct many systemic issues and create effective security programs. Below is a summary of the recommendations in the report.
For the Industry
- Focus on patient health, not just patient records
- Avoid or create effective regulations. HIPAA has created a system of confusion, fear and busy work that costs the industry billions. Healthcare organizations should be rewarded for proactive security work
- Empower the consumer with an industry-wide security ranking system to give them options when choosing a healthcare provider
- Empower the CIO/CISO by requiring security vendors to produce evidence of third-party security assessments
- Provide funds that could be used for medical equipment or staffing, which could improve the security of a facility
For Hospitals
- Follow the report’s blueprint (which is mentioned below)
- Create a long term security plan that is understood at the executive and board levels. Plans should address immediate and long term efforts, including financial, staffing, training, and technology plans
- Increase funding
- Separate Information Security from Information Technology with independent reporting structures at the board level
Another aspect of the report is a security blueprint for healthcare senior executives, developed to show the phases of a security program. The phases are discussed in more detail on pages 56 through 70 of the report. They include planning, organization, staffing, policy, architecture, inventory, hardening, training, audit and readiness.
The blueprint is an attempt to offer guidance. There is no way of establishing an exact timetable for these initiatives or an exact cost. Likewise, although the researchers put these steps in intuitive order, they acknowledge many steps will have to be implemented simultaneously and out of order. “This is why proper training in the beginning and throughout is so important. While it may be unavoidable, the further out in the order of phases that the organization seeks to act on without first acting on the previous steps, the more likely there will be waste in duplicative or lost effort.”
The researchers concluded that the healthcare industry’s security would benefit from research in the following areas: “reshaping hospital budgets so that they can most effectively account for proper security initiatives, addressing security issues found in active medical devices and other primary attack surfaces that directly interface with patients, how to reorganize hospitals to better serve security by granting the appropriate supervision of digital assets to the security personnel, and how to design and implement standards, best practice, or compliance programs that are effective but not counterproductive.”