Issue link: https://securitytechnologyexecutive.epubxp.com/i/956571
22 SECURIT Y TECHNOLOGY E XECUTIVE • Februar y/March 2018 • www. SecurityInfoWatch.com HEALTHCARE SECURIT Y Like most technology, cyber security is outpac- ing regulation efforts making it difficult to under- stand law and policy in this often perplexing area of risk. Cyber criminals fully understand the instru- ments of their crimes remain relatively inexpensive and provide a hard to detect and oftentimes offer denial means for conducting criminal operations. Adding to this challenge, organizations continue to connect devices to healthcare networks with vary- ing degrees of built-in security features and fail to regularly patch software and firmware with the lat- est protection updates. These factors combined with the continuous new breed of cyberattacks healthcare organizations are faced with force security teams to increasingly rely on a trust in technology rather than a trust in people when developing adaptable and suc- cessful mitigation strategies. Top Threats: Workplace Violence Another emerging threat to healthcare that seems to reinvent itself annually is the harm resulting from behavior and conflict in the care environment. Hos- pitals and clinics are oftentimes emotionally charged atmospheres and have certainly been no stranger to violence. In fact, according to a 2002-2013 study conducted by the Occupational Safety and Health Administration (OSHA) serious workplace violence was four times more common in healthcare than in private industry (3). Adding to the concern is the prevalence and pace of social media, which contin - ues to surge, magnifying the role it plays in mental health and violence today. Protecting patients and staff from this fast forming and behavioral driven violence requires intervention to avoid harm to patients and staff. Increasingly, this responsibility for behavioral intervention is being undertaken in partnership with healthcare security and other care teams. Team-led organizational health and indi- vidual wellness based mitigation strategies allow healthcare security teams move further upstream of harm to prevention and preparedness. Over the last several years, many healthcare security teams have established successful behav- ioral intervention partnerships, however much work remains. This early success combined with extensive media attention and a public appetite for informa- tion around hostile intruder incidents has resulted in increased reporting of behaviors of concern by patients, staff and visitors to healthcare campuses. Healthcare security organizations have also expe- rienced an increase in attendance and requests for training and awareness programs related to recog- nizing behaviors of concern and surviving a mass casualty event. One large healthcare organization in Texas has experienced a 26.2 percent increase in active shooter training attendance from 2016 to 2017. The increased caseload generated by increased sensitivity and awareness stretches the capabilities of the highly trained staff working to intervene and lessen the likeli- hood of a tragedy on a healthcare campus. Top Threats: Insider Threats At the crossroads of cybersecurity and conflict and behavior intervention lies another emerging threat to healthcare organizations; the insider threat and its intentional and unintentional consequences. Yet another example of a threat that seems to transform itself annually introducing new risks and forcing adaptations to mitigation strategies. The insider threat can be especially challenging in healthcare and research environments that value the exchange of ideas and learning on behalf of treatment and sci- ence. The harm created by insiders with a knowledge of organizational culture often include the theft of intellectual property, cyber threats, violence and dis- ruption, criminal activity and exploitation of admin- istrative gaps. Therefore, successful mitigation strate- gies must combine cyber and behavioral prevention and protection elements to identify and address the organizational harm caused by insiders. In addressing the insider threat, healthcare security professionals will need to rely on a unified approach that crosses organizational boundaries and has the ability to effect change in policy and procedure. This team of organizational leaders will look to the health- care security executive for guidance around behavior, investigative methodologies and interpretations of legal considerations in elevating the collective suc- cess of the team. This reality moving forward requires security leaders and teams to review their existing skill set inventory to ensure they can adapt to the insider threat challenge in a constantly changing world. About the Author: W ith 30 years in military, municipal and campus policing , Raymond J. Gerwitz currently ser ves as the Director, Risk Strategy and Operational E xcellence for the Universit y of Texas Police at Houston at The Universit y of Texas MD A nderson Cancer Center and The Universit y of Texas Health Science Center. Director Ger wit z is a graduate of Oklahoma State Universit y and holds a Bachelor of Science in Computer Science, Masters of Science in Telecommunications Management and Masters of Business A dministration. In his current role Director Ger wit z prov ides executive leadership to the Strategic Planning and A nalysis, Operational E xcellence, Risk Mitigation, Risk Operations, Professional Recruiting and Development, Communit y Outreach and Law Enforcement Accreditation teams. Ransomware attacks and medical identity theft continue to trend upward despite the financial commitments made by healthcare organizations to better protect data and limit data breaches.