At FSET, we have been working for some time with customers in the healthcare sector across Northern Ontario, whether by supporting the implementation of Ontario Health Teams, developing privacy and security standards, or helping healthcare service providers improve the security posture of their information systems. To support this work, we have leveraged key IT security risk management frameworks from the National Institute of Standards and Technology (NIST), the Canadian Centre for Cyber Security (CCCS), and the International Organization for Standardization (ISO). We have also used these same frameworks to implement our own IT security risk management program.
This work has taught us two things. First, healthcare service providers are aware of the threats and risks to privacy and security in digital healthcare service delivery. Second, there is no single, common approach for them to follow to mitigate those threats to an acceptable level of residual risk.
Recent data breach reports are unequivocal: healthcare information systems are being breached at an alarming rate by increasingly sophisticated cyberattacks, and the cost of a breach in healthcare tends to be higher than in any other sector. There is therefore an urgent need for a practical solution that reverses these trends.
To this end, this blueprint proposes a seven-step process for developing and implementing a security standard for healthcare information systems. The intended outcome is a common approach to protecting privacy and security: one that helps ensure safeguards are fit for purpose while promoting security compatibility and interoperability within and between healthcare service providers and their information systems.