Recently, after 30 years of driving, I finally had my first major car accident. Someone cut me off in a big work pickup truck and I barely had time to hit the brakes. My car was totaled. My neck still bothers me over two months later even though I was only going about 30 mph at the time. While I have always been safety conscious, this has convinced me even more about the necessity of driving slower...especially on the highway — if this is how a 30 mph crash affects my body, what would 70 mph be like??
Naturally, when driving we tend to get into the mindset of "I need to get there as quickly as possible" but it really should be "I want to get there without incident." In the business world the equivalent of our obsession with "getting there quickly" is "I need to move this product/service/enhancement to market as quickly as possible." But when we have this mindset, we open ourselves up to more risk.
"I never want to go through that again!"
Those are my sentiments about the accident, and I have taken steps to further reduce the likelihood of such an accident — buying a large fire engine red SUV and reducing my highway speeds.
Similarly, I have observed that those who are the most diligent about cybersecurity are those who have been through a major ransomware incident.
The COO of one hospital told me — after their hospital had been down for many weeks due to ransomware — (paraphrasing)
"I never want to go through that again. Previously I prioritized clinical needs over IT and Security requests, but now I will prioritize them equally."
Whether it is a hasty adoption of a new technology or a failure to implement cybersecurity measures that keep up with a changing world, "speed kills" should always be on our minds. However, security should not slow down the speed of business. Quite the contrary: the goal of security is to help the business advance quickly and securely.
You may have heard the quip "Why does a car have brakes?" The counterintuitive answer? "To go fast." Without brakes, would you feel safe going fast in your car? No. You would drive more slowly. Similarly, in the business world, a good cybersecurity program is what allows the business to move more quickly.
"Why does a car have brakes?" "To go fast."
Right now you're thinking "that's nice, Justin, but how does that actually work in practice?" (No, I don't have a mind-reading neurological interface. More on that in an upcoming blog on privacy.)
At MEDITECH, a major Electronic Health Record (EHR) vendor where I worked for 22 years, we developed a patient portal product and engaged a third-party video conferencing solution so that clinicians could easily interact with patients: patients using the patient portal on a mobile device, clinicians using the MEDITECH EHR.
How was security involved in this project?
A security review of the third-party video conferencing solution was performed to ensure that
The vendor followed good cybersecurity practices
The product itself had been tested by a third party security firm
The product would allow us to meet HIPAA Security and Privacy requirements
The security team worked closely with Product Development early in the project to ensure that our implementation of the solution would meet the security, privacy, and compliance requirements
Finally, the solution was tested by a respected third-party application security firm
Then the pandemic happened!
All of a sudden there was a major demand from all of our customers for the video conferencing feature! But no one wanted an insecure application; everyone had questions before they would deploy it. So we, the Security team, created a document for our customers that outlined all of the due diligence we had performed, as well as how this application met the security and privacy requirements of HIPAA.
By providing evidence of our due diligence, we were able to move quickly and deploy this solution to many customers. One CIO even told me "I know that you are very thorough, so I trust that we can implement this solution."
So how did Security allow us to move quickly?
Security was built into the process from the beginning
We did our due diligence
This built TRUST with our customers
That is how Security enables great features like patient telehealth.
Brought to You by the Letter "S"
Okay - now back to the title of this blog. How did I come up with this statement and what does it mean?
I was at a meeting with the executives of a healthcare partner of MEDITECH, and it so happened that my presentation on security was last on the agenda.
The earlier presentations were an exciting showcase of the great progress that had been made in Electronic Health Records. These systems improve care, save lives, and facilitate interactions between clinicians and patients.
The topics covered included:
Patient Engagement (and the video visits feature we just discussed)
Electronic Prescribing
RESTful APIs which enable the creation of consumer health apps
Interoperability that allows for the easy exchange of healthcare records between hospitals
Interfaces between the EHR and medical devices
Web-based EHR applications available over the Internet to clinicians on their tablets, smartphones, and other devices
Secure yet frictionless authentication for clinicians
It was exciting to see the progress that had been made in these vital areas. These are all essential improvements that benefit all of us!
Next, I got up to speak. After reviewing the various projects we had just discussed, I said:
"All of the following were brought to you by the letter 'S' — 'S' for Security."
Yes! All of these projects were possible because of the work done by the Security team.
Imagine for a moment what nightmare scenarios might happen without Security, Privacy, and Compliance involvement in these projects.
Consider these plausible headlines.
Hackers Snoop on Private Video Visits and Blackmail Psychiatric Patients. One man commits suicide.
Hospital fined $2 million for EHR Data Breach which exposed the data of over 200,000 patients.
Patients Turned Away for the Third Week as Hospital Recovers from Ransomware Attack.
Hackers Obtain Narcotics by Exploiting a Flaw in a Popular Electronic Prescribing System.
In Conclusion — How Does Security Enable Business?
Keeps you out of the news — protecting your reputation
Smooths out the sales process — "is this product secure? Does your organization have security embedded in all its processes? Do you have a SOC 2 or ISO 27001 certification?"
Within Contracts — Whether it is a contract with a customer or a vendor, cybersecurity clauses are written into contracts so that each party clearly understands its responsibilities and what is expected of it.
Reassure Your Customers after the sale — when a system similar to yours is hacked, the security team can provide details on how your product is secure, or updates and mitigations necessary to secure it.
Encourages Investment — Now more than ever, investors are looking for information about your cybersecurity risk management! (See the SEC's 2023 cybersecurity disclosure rules, which require public companies to report material cybersecurity incidents and to describe their cyber risk management, strategy, and governance in their annual filings.)
Need the assistance of a privacy, security, and compliance expert? Contact me via email (Justin@ArmstrongRisk.com) for a free virtual meeting.
Disclaimer: The information provided here (“material”) is intended for informational purposes only and does not constitute legal or professional advice. This material is not warranted to be exhaustive or complete. Additionally, every organization has a unique set of circumstances, business requirements, contractual obligations, and regulatory compliance requirements which we are unaware of. No guarantee is made that use of this material will secure your organization and help you to meet your compliance obligations.