Could attitudes about cybersecurity in the healthcare sector be at a tipping point? In the past, many healthcare entities approached information security as a compliance issue. But a new report shows the tide finally may be changing, says David Finn, health IT officer at Symantec.
The second annual HIT Security and Risk Management Study, which was conducted by Symantec and HIMSS Analytics in late 2016 and presented at the HIMSS17 conference, found that more organizations are beginning to see cybersecurity issues as much more than a compliance "check box" chore, Finn says.
"The business people are beginning to view the main driver for doing security as a business risk issue, not a HIPAA compliance issue. And that could really be a major change for the industry if we are making that shift, because now it becomes an organizational imperative," he says in an interview with Information Security Media Group. "It's about the business, not just what those IT guys have to do."
Another finding from the study is that "clinicians want more end-user training," Finn adds. "They want to understand what security is, how it works, how it benefits them and what they need to do."
In the interview, Finn also discusses:
- How much security budgets are growing at many healthcare organizations;
- The importance of implementing a security risk framework, and the top frameworks being adopted;
- An update on the work of the Department of Health and Human Services' cybersecurity task force. Finn is a member of the group, which was mandated by the Cybersecurity Information Sharing Act to study the cybersecurity challenges faced by the healthcare sector and how those struggles compare with other industries.
Before joining Symantec, Finn was CIO and vice president of information services for Texas Children's Hospital, where he also previously served as the privacy and security officer. Earlier, Finn spent seven years as a healthcare consultant with Healthlink (formerly IMG) and PricewaterhouseCoopers. He has more than 30 years of experience in the planning, management and control of IT and business processes.