
The Joint Commission Issues New Quick Safety Advisory on Building a Culture of Cybersecurity
Health care requires an all-hands approach to cybersecurity, including the establishment of a data safety culture that permeates an entire organization and its operations.
Mon Oct 25 2021
Instituting a cybersecurity program can be challenging as the digital transition in health care means more information from across an organization is stored online.
The operational needs of a facility, as well as interoperability regulations, often prioritize speed and accessibility of information over information security. Additionally, many facilities use a common network that integrates multiple aspects of clinical systems, medical systems, business systems, physical security and building management.
A new Quick Safety advisory from The Joint Commission, “Organization-wide cybersecurity: Creating a culture of defense,” provides safety actions and resources to help health care organizations prepare for and repel a cybersecurity event.
Building a culture of cybersecurity, or a human firewall, requires shared awareness of cybersecurity threats, including evaluation of the types of threats that exist, and incorporation of preventive strategies at all levels of a health care organization. Recommended safety actions in the advisory include:
Leadership’s role in a culture of cybersecurity
- Create a culture of cybersecurity that is top down.
- Make sensitivity to cybersecurity threats and organizational preparedness part of the way the organization performs its work.
- Build a human firewall by requiring staff awareness of cybersecurity vulnerabilities at all levels of an organization.
Staff education and training
- Establish training programs for all staff and not just for clinicians. Include frequent refresher courses.
- Periodically evaluate staff to ascertain whether they appropriately respond to “test” cyber challenges.
- Train staff to anticipate non-conventional intrusions.
Emergency management
- Adopt the preparedness perspective of “when” not “if” a cybersecurity incident will occur.
- Incorporate responses to cybersecurity attacks into an organization’s emergency preparedness plan.
- Communicate necessary reporting and disclosure for any data breach.
IT security team resources
- Utilize available free resources from reputable sources.
- Invest in security tools and resources when needed.
Several resources from government security agencies and other organizations are included in the advisory – providing an initial checklist to measure cybersecurity preparedness within health care organizations.
