Most healthcare organizations know they have to comply with the HIPAA/HITECH data security regulations. However, according to the most recent sweep of OCR audits, the number of healthcare organizations that are actually in compliance is alarmingly low.
But beyond obligatory compliance, keeping patient data safe is critical to the success of your business. Taking this tack — compliance for the benefit of your business — may help IT teams in the healthcare industry overcome the age-old challenge of convincing upper management that the current level of data security simply isn’t enough.
Let’s say you know that your patient data is not as protected as it should be from hackers and/or malware. And you’re aware you might be challenged to pass an OCR audit. Why is it so difficult to convince the powers-that-be that you need to implement a better data security solution?
The following realities may be part of the problem you are having:
• There is a general lack of compliance in the industry. Why be the one to go first?
• More visible factions are competing for the company budget.
• Unless there has been a major breach, it’s hard for upper management to imagine it will happen to them.
• There is a lack of knowledge as to how secure the network really is.
Building a business case for better data security
If you are responsible for data security in a healthcare facility, it behooves you to prepare a business case to take to management.
Here is what you’ll want to do to put together a compelling case:
Conduct a security risk analysis. A properly conducted risk analysis will identify the threats, vulnerabilities, and resulting risks that are specific to your healthcare operations. Essentially, you’ll learn what types of bad things are most likely to impact your organization and how bad they might be if they were to occur. Make sure you connect the dots for your management team so they can see the kind of exposure you are facing.
Give real-world examples. Collect data on major breaches that have occurred in the industry. The OCR provides details of healthcare data breaches involving 500 or more patient records on its ‘Wall of Shame.’ You can query the data by state, company type, etc. This can be a great resource to see exactly how healthcare companies (like yours) are ending up in the headlines.
Hire a monitoring service. Bring in the experts to help you. A monitoring service will flag anomalies and suspicious activity on your network around the clock, day or night. Cybersecurity professionals know what to look for and can recognize patterns that you might not see. Try it for a month and put the results in your report. (Some companies offer a 30-day free trial for this.)
Talk about the bottom line. Breaches tarnish company brands. Patients lose confidence. The stigma of a widely publicized breach is hard to overcome. And on top of that, patients are becoming savvier. They are demanding evidence that their personal information is safe if they share it with you. If you are unable to put their minds at ease, there are plenty of other places they can go.
Don’t forget about the facility
Network break-ins are not always online. Sometimes, thieves will slip into your brick-and-mortar facility and lift confidential information that doesn’t belong to them. And before you picture someone dressed in black and wearing a ski mask, look to your left and your right. Disgruntled employees have been known to purposefully corrupt networks and are sometimes persuaded to gain access to data that doesn’t belong to them.
The server room door should be locked, with access limited to authorized personnel only. Workstations should be positioned for privacy, and depending upon the location of each, it is a good idea to configure the screen to lock automatically after a specified idle period. Pay close attention to workstations that are rolling around on carts, where any passerby can see the screen. Confidential printouts should be shredded, and a strict procedure needs to be in place for disposing of equipment that is no longer in use.
All of this is fodder for your report. The clearer (and more specific) you can be about what’s missing from your current data security solution and what the consequences will be, the more likely you will be able to get someone’s attention — and the budget approval you need.
Riddle is a practice leader at LBMC Managed Security Services.