Surpassing security-by-compliance

True security necessitates shifting to and funding savvier approaches
By Tom Sullivan , Editor-in-Chief, Healthcare IT News

Underfunding security is a fairly common practice in the healthcare industry, but CFOs need to recognize how critical it is to provide the appropriate resources for security initiatives and technologies.

Chief information officers like Ed Marx, CIO at Texas Health Resources, know that convincing CFOs, CEOs and board members to fund security can be an uphill battle.

Marx and his colleague, Chief Information Security Officer Ron Mehring, pulled a harmless trick on their senior managers to prove a point, Marx told an audience at the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston in mid-September.

At a meeting with senior managers, Marx and Mehring handed each person an envelope. Inside each envelope was that manager’s own password. Marx and Mehring told the managers it had taken them only a matter of seconds to break into their accounts and retrieve them.

“We got their attention and ever since have gotten the resources we need for security,” Marx said.

The healthcare industry historically has been so lax with security that even the basics are overlooked, such as patch management and overall IT asset management, said Nathan Russ, Symantec’s director of healthcare, at the Privacy and Security Forum.

With attacks such as the hacker breach of 4.5 million patient records at Community Health Systems and Anonymous targeting Boston Children’s Hospital last spring, achieving true security requires going beyond security-by-compliance, and the effort must be systemic to succeed.

“This is not an information technology problem. It’s an enterprise-wide problem,” said Cris Ewell, the chief information security officer at Seattle Children’s Hospital.

This article is based on a report published on Government Health IT.