Healthcare Security – Security with Life and Death Consequences
Cybersecurity remains one of the most exciting technology jobs and one of the top sought-after positions by many technology professionals. It is also one of the most difficult positions for an employer to fill. Why is this the case?
When you think about cybersecurity, the mind often drifts towards the good versus evil of technology. Cybercriminals are seemingly everywhere, seeking to make a digital dollar off of the vulnerabilities of unsuspecting individuals and organizations. The security practitioner, on the other hand, is the sleuth who hunts down and neutralizes the threats, remediating the vulnerabilities. All of this, both the good and the bad, is accomplished from the safe confines of a room with a computer. No messy fights or murder scenes.
The day of a typical security practitioner can rise to the excitement level of dissecting an attempted intrusion through packet analysis, log review, and tracing other artefacts of criminal behaviour. It can involve interviewing techniques, seeking to find out what compelled a person to forgo all the security training and click on a suspicious link. Red and Blue Team exercises, threat hunting, and pen testing also add to the allure of the exciting security practitioner profession. Sleuthing at its finest, and exciting moments indeed!
A typical day for a security practitioner can also sink to the mundane tasks of policy, audit, metrics, and reporting. These topics, as well as endless meetings to explain password security and risk management, can suck the enthusiasm out of the most passionate security advocate. Not as glamorous as the detective work, but equally necessary for an effective security program.
Sometimes, There Is Blood!
The day in the life of a security practitioner in the healthcare field is unlike the practice of most other industries. There are life and death consequences at stake in the healthcare field, and the security of the organization plays a vital role for those who work in the field as well as for the clients they serve. Whether it involves a small medical practice, or a large health institution, healthcare security has unique challenges at the managerial, operational, and technical levels.
A trained healthcare security practitioner understands these challenges from all perspectives of the information security discipline.
Healthcare Security and Privacy Management
Security and privacy management in a healthcare setting is distinct from other professional settings due to the competing interests of security and life-saving organizational demands. As stated in the official (ISC)² HCISPP CBK, “Health Information Management…is a combination of business, science, and information technology.” This includes all aspects of workflow management, business process improvement and re-engineering, and regulatory compliance. While other businesses also have a focus on these topics, the urgency of the healthcare profession adds a heightened importance to these business processes. Few fields are as regulated and monitored as the healthcare industry, and this calls for increased efficiencies in all areas of managerial methods.
As an example, the seemingly simple flow of a patient’s admission, treatment, and discharge from a medical facility requires data management skills that are intertwined with security and privacy. Any lapse in one of the stages of a patient’s care is the equivalent of losing a patient. A trained healthcare security and privacy practitioner recognizes the importance of these flows, ensuring no gaps in continuity.
Operational Security and Privacy
Managerial effectiveness is tied directly to operational efficiency. A properly functioning records management system is key to the data management flow mentioned above. Many businesses use a Customer Relationship Management (CRM) system to track client interactions; however, in a healthcare environment, the records management system is likely to contain much more sensitive information, requiring a stricter adherence to operational considerations.
Every aspect of records management in a healthcare setting carries greater security and privacy considerations. All phases of the lifecycle of a patient record must be protected, from the record’s creation, through to its destruction. This involves a keen understanding of procedures such as access control, separation of duties, storage, and records retention. A trained healthcare security and privacy practitioner possesses the operational skills to correctly protect digital records.
Technical Considerations in Healthcare
All the management and operational efficiencies must work together with technical functions in order to form a full security posture. In a healthcare environment, the technical controls go beyond those that you would find in most other corporate settings. When one considers the specialized equipment in a medical office, as well as the desire to control that equipment remotely, something as apparently trivial as a Wi-Fi password takes on a new significance. Not only is the medical equipment specialized, but its function is also highly specialized in the sense that intentional tampering with any equipment could result in dire consequences.
Technical controls in a healthcare environment must function within the tolerances of the emergency-based nature of the specific medical practice. For example, while a fingerprint may be an effective method of accelerated secure login, that would not necessarily be the best option in a sterile environment where surgical gloves are required. A trained healthcare security practitioner is best equipped for the requirements of the medical field and has an acute understanding of when a particular technical solution may or may not be the right choice for a given situation.
Portability of Skills
If you are considering pursuing (ISC)²’s Healthcare Information Security and Privacy Practitioner (HCISPP) certification, you may wonder if this would lock you into the healthcare field. This is not the case. The skills gained from the knowledge will certainly add value to your current employer, in turn making you a valued member of a healthcare security team. The skills obtained in the process towards attaining the HCISPP certification will not only benefit you in the healthcare field, but they are easily transferable to any other industry. The ability to understand and function under the stringent security requirements of a healthcare setting would make almost any job outside of that field seem relatively straightforward.
How the HCISPP Certification Can Help You to Succeed
If you are currently a security practitioner working in the healthcare field, or you are looking to enter the area of healthcare security, the Healthcare Information Security and Privacy Practitioner (HCISPP) certification offered by (ISC)² is the perfect vehicle to enhance your knowledge and skills. Not only does this credential give you the skills you need to function at the highest levels of a healthcare organization, but it shows your employer that you possess specialized knowledge and dedication specific to the healthcare profession.
Download our white paper, Not All Life Savers Wear White Coats, to learn more.