Information Governance for Healthcare Institutions

Information governance is nothing new, but for it to be effective, it requires understanding, flexibility, and collaboration between a variety of teams and departments. Fortinet’s Susan Biddle offers her insights into the role of information governance in organizational security and how healthcare organizations can adapt.

Can solid information governance boost security for an organization? If so, in what ways?

Security is all about protecting the critical assets and intellectual property of an organization, while maximizing their value. So, yes, information governance is a critical component of security. And vice versa.

Are there specific aspects of information governance that have the greatest impact on security? If so, what are they?

Information governance includes Accountability, Integrity, and Protection, combined with Compliance and Availability.

Accountability includes processes to help you take inventory of your data, so you not only know what you are protecting, but who has access to it.

Integrity is focused on ensuring that critical data is not tampered with. For example, it needs to immediately flag the changing of a medical record that includes drug allergies, blood type, and so on.

Protection includes the systems and policies that are in place to defend data from breaches or leaks, whether intentional or inadvertent. A comprehensive data loss prevention strategy plays a critical role in protection.

Compliance refers to an organization’s ability to conform to the variety of regulatory requirements they need to adhere to, such as HITECH (HIPAA) to protect patient PII, PCI to secure financial transactions, or SoX, which covers such issues as records retention. 

Even availability is an essential component of security. If data isn’t available to medical staff, administrators, or even patients, it can have a devastating affect on the entire healthcare system. DDoS attacks and ransomware can bring down servers or lock down critical data, and organizations need a plan to deal with these challenges.

Who is generally involved with creating and maintaining an information governance program? Does this differ when heightened security is an objective?

Effective information governance requires collaboration between a variety of teams and departments. One group may be tasked with identifying and managing data and setting policies for what the company does with it. Others have responsibilities to securely input, access, and update data. IT and Security has the responsibility to distribute, back up, and protect that data. And the C-level team and board have to determine things like resources available for security and compliance, or to set lifecycle policies that can determine when and how data that is old or no longer useful can be purged.

Are there benefits to bringing in a 3rd party to evaluate or establish governance policies with an eye toward boosting security?

Absolutely. Healthcare organizations are in the healthcare business, not the security business. Very few IT or security teams include all the expertise required for complete information governance. Many companies, including large enterprises with deep staff resources, still use MSSPs to manage or oversee the development, implementation, or ongoing management of their security posture. When it comes to security, a second pair of experienced eyes is always valuable as they can often see things or propose solutions that the primary team might miss. Third party specialists can also assist with strategy, tactical implementation, and threat response.

Can information governance programs be “retrofitted” to increase security? If so, how should an organization approach doing so?

Information governance programs need to be flexible. Since today’s networks are constantly in flux, and user demands can shift from minute to minute, information governance needs to include a dynamic security posture. You can retrofit a current program with a static policy for the short term, but that is only a patchwork solution. At some point, every organization will need to strategically build or rebuild security from the ground up to meet the demands of their evolving networks, devices, and users.  For example, while IoT devices and traffic can be secured using solutions from Fortinet or other security vendors, a more permanent solution will be to build security right into the IoT devices themselves. That will require a combination of effective security planning and design on the part of security and IT teams, and holding IoT device manufacturers accountable for improving the security of the devices they sell.

Anything you’d like to add on the role of information governance in organizational security?

Accountability is key. For that to work, you need to understand what it is that you are protecting. And that is much more than just the data. You have to understand the policies, processes, and systems in place. You need to ensure that you have visibility into the entire distributed network, including cloud infrastructure, IoT, and even online applications and services that often store, process, and distribute data. We regularly see, for example, Healthcare organizations running rogue databases online that IT doesn’t know about, that violate policy or regulatory requirements, and that put patients and data at risk. Fortinet’s internal segmentation firewalls, advanced threat protection solutions, and new cloud services like FortiCASB, along with other application layer solutions, crawl the network and the cloud to discover and automatically resolve these problems.

Also see our infographic on protecting patient health data: