
Implementation of Information Security Management Systems | Management Responsibility

Sustainable progress depends on our ability to ensure information security and to protect data whether it is at rest, in use or in transit. At the same time, the business processes of healthcare organisations depend on secure digital platforms being deployed correctly and then protected against the cyberspace risks to which they are exposed; this dependence cannot be overemphasised.

Information security is a strategic choice and starts with the unequivocal support of senior management. That support has three parts: making resources and budget available for network and information systems security; a visible commitment by senior management to information security as an imperative for the organisation; and the inspiration and nourishment of a cybersecurity and information security culture that starts with each individual and extends across all operational areas of the organisation. All staff must be aware of the cybersecurity risks and of their own role and responsibilities in containing them. The human resources department also plays an important role in spreading this culture, both to existing staff and to new members of the organisation.

Critical processes in an organisation that provides health and care must treat cybersecurity as a key design element and ensure it is aligned with the organisation’s governance, strategic management and business continuity planning. In pursuit of this alignment, top management and CISOs should design appropriate measures covering the identification and prevention of risks; protection; detection and reaction; training and awareness raising; access control; functional segregation and organisation; and governance, including a set of metrics with which to assess the effectiveness of these measures in practice.

In order to introduce a sustainable information security management system in a healthcare organisation, it is advisable to create certain roles in the organisational structure, or to extend existing roles with new responsibilities and authority. It is crucial that responsibility for information security starts at CEO level, not least because of its significant impact on any organisation’s operations and reputation. Information security is also an enabler, particularly in the digital transformation of healthcare: introducing further automation and cost-effective processes (anything from surgical robots to remote patient care, patient workflows and the administration of medicine) requires assurances regarding patient safety and, as a consequence, a high level of information and systems security.

Furthermore, it is advisable to introduce the roles of an ‘Information Security Architect’, responsible for oversight of the design of all technologies, systems and processes related to information security, and an ‘Information Security Manager’, with the corresponding operational responsibilities. Both roles should have the authority to examine every aspect of the organisation and its information systems and processes, and to introduce measures aimed at increasing overall information security.
