On the final day of HIMSS19, professionals across the healthcare industry shared their real-world experiences tackling specific security and compliance challenges. Putting a microscope to these IT issues, presenters on day three in Orlando shared that it can be overwhelming—even uncomfortable—for organizations to evaluate existing networks, implement the latest innovations, maintain compliance, and more. Yet the overall takeaway from their experiences is that by establishing and following defined processes, organizations can fill security gaps for more efficient, protected, and compliant outcomes.
1. Good Intentions Aren’t Enough to Meet PCI Compliance
Healthcare organizations often have multiple credit card processing models and merchants spread across different departments, which makes them unusual compared to retail organizations that typically have only one, explained Jon Bonham of Coalfire and Philip Napier of Bon Secours Health System, Inc. This plethora of payment processors and transaction systems can be overwhelming to keep track of—let alone standardize—to meet PCI compliance (the requirements that healthcare organizations must follow when taking patient and vendor credit card information). Beyond jeopardizing PCI compliance, disorganization across point-of-sale systems and merchants also threatens the security of the card data itself.
In addition to making sure your systems are properly protected with the right technology, it’s equally important to make sure that employees are aware of compliance requirements and follow them carefully. Even with the best intentions, those who aren’t properly educated also put credit card data at risk. The most common weaknesses are found when payment data is improperly stored, when card data is processed on flat networks with no segmentation, or when payment information is sent by email.
“People are just trying to help,” Napier empathized. “They’re trying to help a patient pay their bill, they’re trying to help the hospital get the money, they’re trying to get the work done so they can do the rest of their work. They’re just trying to help.”
To help organizations lock down unsafe practices and bring diverse systems up to PCI compliance, Napier and Bonham stressed the importance of assigning responsibility and inventorying all existing processes to identify gaps. While unifying these systems may not be possible for large health institutions, setting similar processes between departments and assigning clear responsibilities can set a path to PCI compliance for healthcare organizations—with lots of testing and collaboration along the way.
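The inventory step Napier and Bonham describe has a technical counterpart: finding where card data has already leaked into email, file shares or logs. The script below is an added example for this article, not code from Coalfire, Bon Secours or the presenters. It scans text for digit runs of card-number length, confirms them with the Luhn check so ticket and order numbers do not produce false positives, and reports each hit in masked form so the report itself does not re-expose the number. All sample sources are constructed; the two card numbers are well-known public test numbers.

```python
"""Discover payment card numbers (PANs) in places they should not be, such as
email bodies, exported files or application logs.

Added example for this article, not code from Coalfire, Bon Secours or the
HIMSS19 presenters. All sample inputs are constructed; connecting the scanner
to a real mailbox or file share is left to the reader.
"""
import re
from typing import Iterable, List, Tuple

# A candidate PAN is 13 to 19 digits, optionally grouped with spaces or
# hyphens, and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display rule) and
    mask the rest, so findings can be reported without re-exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, de-duplicated PANs found in text, in order of appearance."""
    found: List[str] = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            masked = mask_pan(digits)
            if masked not in found:
                found.append(masked)
    return found


def scan_sources(sources: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Scan (label, text) pairs; return (label, masked_pan) for each hit."""
    hits: List[Tuple[str, str]] = []
    for label, text in sources:
        for pan in find_pans(text):
            hits.append((label, pan))
    return hits


# Constructed sample sources. The two card numbers are well-known public test
# numbers, not real accounts; the two numeric strings in the log lines are
# decoys of the right length that fail the Luhn check.
SAMPLE_SOURCES = [
    ("email:billing-inbox/msg-0042.eml",
     "Patient asked us to run 4111 1111 1111 1111 for the copay."),
    ("share:/finance/exports/refunds.csv",
     "REF-0031,5500-0000-0000-0004,2019-02-13,45.00"),
    ("log:app.log", "order=100200300400500 status=ok"),
    ("log:app.log", "ticket 2019021412345678 closed"),
]

if __name__ == "__main__":
    for label, pan in scan_sources(SAMPLE_SOURCES):
        print(f"{label}: possible PAN {pan}")
```

Run against the constructed sources, only the email and the CSV export produce findings; the two log lines are rejected by the Luhn check even though they are the right length. In practice the labels would be file paths or message IDs, and each hit becomes a line in the gap inventory with an owner assigned to remediate it.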
2. One Use Case Does Not Fit All When It Comes to Big Data
Healthcare technology trends like big data appear to offer boundless opportunities for healthcare organizations to leverage information, but harnessing big data has proven to be a challenge for many, shared Sam Kalbag. During his session, Solving Emerging Big Data Challenges in Healthcare, he noted that healthcare organizations often set expectations too high, discover that their numbers aren’t actionable, or simply don’t see a decent ROI. For many IT teams working in and with healthcare institutions, finding the best use of innovations like big data, machine learning, and artificial intelligence can often get buried under existing management tasks built into workflows and processes.
Kalbag found that if healthcare organizations and healthcare technology companies turned their big data focus away from patient information and instead looked at internal data, they could unlock ways to optimize their own inefficient workflows. To prove his point, he highlighted Cerner, an EHR company that shifted from a traditional database to a cloud-based platform. After the switch, their system was flooded by users all trying to access their tools at once. With the system strained to capacity, the IT team decided to take a step back and evaluate their users to improve their workflow and find a solution. By collecting data and analyzing how much time doctors and clinicians spent in each application and program, Cerner was able to measure usage, improve processes, and close gaps in their workflows for greater efficiency. Ultimately, their experience shows that for organizations to make the most of big data, a different perspective can make complex challenges more manageable.
3. For the Best Defense – Think Like a Hacker
Remote access is widely used by and highly useful for healthcare organizations across the world, allowing users to access information from other networks without being directly connected. Yet by its very design, remote access can be like a door for hackers with its ports, services, and protocols, explained Jen Stone from SecurityMetrics in her presentation Remote Access Security: An Ethical Hack Demo. To adequately eliminate doors or gaps in remote access, Stone urged healthcare organizations to conduct a risk assessment—and to think like a hacker. She noted that those in the healthcare industry often don’t like to take that perspective, but she emphasized that it is an effective way to find vulnerabilities that could otherwise be overlooked.
“Think of it more like a game, like escape rooms. You’re not actually locked up, but you can still go through the process,” Stone explained. “You can do the same thing with your risk assessments by thinking like a hacker.”
Following a diligent process like a risk assessment helps organizations establish stronger security, which is an important component of meeting HIPAA compliance. Although the exercise might be uncomfortable or even strenuous for organizations, these security strategies, like Doron Kolton’s deception defense from his session on Day Two, provide more proactive protection against hackers and other forms of cyberattack.
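Stone’s point that remote access is a door made of ports, services, and protocols has a concrete first step in any risk assessment: list what is actually listening and on which interfaces. The script below is an added example for this article, not code from SecurityMetrics or the presenter. It parses a socket listing in the shape of `ss -tlnp` output, picks out the listeners that match a table of remote-access services, and flags those bound to every interface rather than to localhost. The listing is constructed, and the port-to-service table is an assumption to be replaced with the organization’s own list of approved remote-access services.

```python
"""Inventory listening TCP sockets and flag remote-access services that are
bound to every interface rather than to localhost or a management address.

Added example for this article, not code from SecurityMetrics or the HIMSS19
presenter. The socket listing below is constructed in the shape of
`ss -tlnp` output; the port-to-service table is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Assumed mapping of well-known ports to remote-access services. Replace with
# the organization's approved list when running this for real.
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5900: "VNC",
    1194: "OpenVPN",
}

# Local addresses that mean "every interface".
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}

# One data row of `ss -tlnp`: State Recv-Q Send-Q Local Peer [Process]
_ROW = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def split_host_port(local: str) -> Tuple[str, int]:
    """Split 'host:port'; the host may itself contain colons ('[::]:22')."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def assess_listeners(listing: str) -> List[dict]:
    """Return one finding per remote-access listener, with an 'exposed' flag."""
    findings: List[dict] = []
    for line in listing.strip().splitlines():
        row = _ROW.match(line)
        if not row or row.group("state") != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_host_port(row.group("local"))
        service = REMOTE_ACCESS_PORTS.get(port)
        if service is None:
            continue  # not a remote-access service we track
        findings.append({
            "service": service,
            "port": port,
            "bind": host,
            "process": row.group("proc") or "unknown",
            "exposed": host in WILDCARD_HOSTS,
        })
    return findings


def exposed_doors(listing: str) -> List[str]:
    """Human-readable list of remote-access services open on all interfaces."""
    return [f"{f['service']}/{f['port']} ({f['process']}) on {f['bind']}"
            for f in assess_listeners(listing) if f["exposed"]]


# Constructed listing in the shape of `ss -tlnp`.
SAMPLE_LISTING = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       127.0.0.1:5900      0.0.0.0:*          users:(("x11vnc",pid=2210,fd=4))
LISTEN  0       128     *:3389              *:*                users:(("xrdp",pid=1505,fd=11))
LISTEN  0       511     127.0.0.1:8080      0.0.0.0:*          users:(("java",pid=3001,fd=22))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for door in exposed_doors(SAMPLE_LISTING):
        print("review:", door)
```

On the constructed listing the VNC service bound to 127.0.0.1 is recorded but not flagged, while SSH (on both IPv4 and IPv6) and RDP bound to all interfaces are. A flagged entry is not automatically a vulnerability; it is a door the risk assessment has to justify, restrict to a management network, or close.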
Reflecting on HIMSS19
This week, our team had the pleasure of joining 45,000 healthcare IT professionals for innovation, education, and plenty of memorable moments. While the evolution of technology never slows—especially in the healthcare industry—Ntirety is excited to be a part of that ongoing conversation. We look forward to bringing the next great tech trend to life for organizations and partners around the world!
Ready to implement the latest healthcare innovations and need expert guidance? See how Ntirety’s newly expanded, end-to-end suite of managed cloud solutions reduces risk, optimizes IT spend, and increases business agility.