Cybersecurity Organizational Structure & Governance

by David Stone

Healthcare organizations are under constant threat of unauthorized access to their computing environments. Organizations face everything from monitoring by regulatory agencies to high penalties if unauthorized access and data breaches occur. As healthcare moves quickly to address threats to its computing environments, it is prudent to leverage the frameworks and models developed by non-healthcare entities to speed the deployment of effective solutions. In this paper, we will examine two popular frameworks, the Three Lines of Defense Model and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and how they can be leveraged to optimize an information security organizational and governance structure.

As healthcare organizations decide how best to address the constantly changing cybersecurity threat landscape, they have many important questions to answer:

  • What gaps and vulnerabilities exist in the current information security program?
  • What are the components of a complete information security program?
  • How should roles and responsibilities be assigned?
  • What is the most effective governance structure?
  • How should an information security team be structured?
  • What technologies should be deployed?

While healthcare information technology and security organizations have been aware of increasing issues and concerns, they have not been given the attention or, more importantly, the funding needed to fully address security threats. With the recent attention healthcare is receiving from data thieves, regulatory agencies, and the media, healthcare executive management and boards of directors are demanding that appropriate steps be taken to protect IT and data assets. Other industries, particularly the financial industry, have dealt with these issues and this level of scrutiny for many years. Multiple industry groups have examined the issue of cybersecurity and developed different models and frameworks to assist their peers in deploying countermeasures. When combined, the following two frameworks provide an excellent blueprint for establishing an effective information security program and an optimized organization.

About Divurgent

At Divurgent, a healthcare IT solutions firm, we’re focused on what matters most to our client partners. We use data-infused, flexible, and scalable solutions that demonstrate and quantify real value. With a team committed to IT evolution, we deploy tailored solutions that help our clients achieve operational effectiveness, improved financial performance, and quality experiences.