News

The Joint Commission Issues New Quick Safety Advisory on Building a Culture of Cybersecurity

Health care requires an all-hands approach to cybersecurity, including the establishment of a data safety culture that permeates an entire organization and its operations.

Mon Oct 25 2021, By The MedWrench Team

Instituting a cybersecurity program can be challenging as the digital transition in health care means more information from across an organization is stored online.

The operational needs of a facility, as well as interoperability regulations, often prioritize speed and accessibility of information over information security. Additionally, many facilities use a common network that integrates multiple aspects of clinical systems, medical systems, business systems, physical security and building management.

A new Quick Safety advisory from The Joint Commission, “Organization-wide cybersecurity: Creating a culture of defense,” provides safety actions and resources to help health care organizations prepare for and repel a cybersecurity event.

Building a culture of cybersecurity, or a human firewall, requires shared awareness of cybersecurity threats, including evaluation of the types of threats that exist, and incorporation of preventive strategies at all levels of a health care organization. Recommended safety actions in the advisory include:

Leadership’s role in a culture of cybersecurity

  • Create a culture of cybersecurity that is top down.
  • Make sensitivity to cybersecurity threats and organizational preparedness part of the way the organization performs its work.
  • Build a human firewall by requiring staff awareness of cybersecurity vulnerabilities at all levels of an organization.

Staff education and training

  • Establish training programs for all staff and not just for clinicians. Include frequent refresher courses.
  • Periodically evaluate staff to ascertain whether they appropriately respond to “test” cyber challenges.
  • Train staff to anticipate non-conventional intrusions.

Emergency management

  • Adopt the preparedness perspective of “when” not “if” a cybersecurity incident will occur.
  • Incorporate responses to cybersecurity attacks into an organization’s emergency preparedness plan.
  • Communicate necessary reporting and disclosure for any data breach.

IT security team resources

  • Utilize available free resources from reputable sources.
  • Invest in security tools and resources when needed.

Several resources from government security agencies and other organizations are included in the advisory – providing an initial checklist to measure cybersecurity preparedness within health care organizations.
