Healthcare Perspectives


Organizational Information/Cybersecurity: Who's in Charge?

Jul 27, 2017
By: Rick Ensenbach

This article was updated on 4.12.2018. 

Here’s a sobering statistic from a recent Ponemon study: 27.7% of organizations surveyed believe they will experience a recurring material data breach over the next two years — and the top two culprits were a lack of cybersecurity staff and a lack of overall employee training.[1]

Cybersecurity is a significant challenge for smaller health care providers, but building a comprehensive and organizational risk management program is essential to keeping information private, readily available to those who need it and safe from tampering.

Chiefly Business

Information security isn’t just about securing doors, managing firewalls or resetting passwords, and more importantly it isn’t about adding this responsibility to IT. Information security needs to be deeply rooted in your organization’s culture and business processes. It involves the creating, implementing and maintaining policy and processes; monitoring performance and compliance; educating the workforce; and advising senior leadership of risks that could negatively impact the business and patient safety. Information security goes well beyond technology and the IT department; clearly, it is an enterprisewide risk management issue.

Success requires a “ranger” who understands how to balance the needs of the business and patient safety with regulatory requirements and acceptable practices based on a solid foundation of risk management. Yet 84% of health care organizations do not have a cybersecurity leader, and only 11% plan to hire one in 2018.[2]

A solid information security program protects physical and digital information, the places or assets information resides on and the people (workforce, business associates, etc.) who access it. Regardless of the size of your organization, this is a business-driven, organizational-focused, full-time job.

In fact, when you consider the number of responsibilities and the importance of getting them all right, the job of information security takes on a whole new meaning. Regulatory entities expect to see someone who’s in charge of and actively managing your information security program; your patients deserve nothing less.

In large health care organizations, that someone goes by different names: chief information security officer (CISO), information security officer (ISO) or chief security officer (CSO), to name a few. Yet they all represent the same thing to providers both big and small: that it’s important to have a knowledgeable leader in charge of all aspects of security and risk management. A leader brings expertise and a holistic, organizational perspective to security risk management, determines the overall objectives and priorities for information security and defines policies and procedures to reach those objectives.

Here are two more shocking statistics: Over 50% of health care organizations do not conduct regular risk assessments, and 39% don’t conduct regular firewall penetration testing.2 Hiring a dedicated ISO ensures these tests and assessments get carried out at the frequency they need to be. The ISO is also responsible for balanced enforcement, continuous monitoring and improvement and protection against the increased number of breaches and subsequent lawsuits that now name corporate officers and even members of the board of directors. Ideally, whoever holds the title of ISO should report to the senior-most person in the organization or even the board.

Smaller organizations with limited resources will find this kind of hiring decision difficult to make. But when weighed against the cost of breaches that put patient data and a hospital’s reputation or even survival at risk, the decision is easily justified. Globally, the average cost of a data breach at a health care organization is $380 per record breached, and this costs businesses an average of $7.35 million.[3] Threats are not subsiding either. As perpetrators of cyber crime, both external and internal, take the path of least resistance into smaller organizations that tend to have weak security, the threat of a data breach or other security event continues to grow. Your organization cannot afford to assume that a data breach will never happen to you.

Who Will Lead?

With a strong information security program and someone accountable for driving it, small health care providers can meet compliance requirements, avoid the costly and time-consuming need to repeatedly respond to incidents and breaches, reduce the risk of criminal and civil litigation and demonstrate credibility to win public trust and more patients in today’s tight market. After all, protecting patient information and ensuring its availability and integrity are simply additional ways to care for your patients.

Conducting regular security and compliance training for all employees, not just those in IT, and hiring an information security leader are essential steps to preventing cyber crime.

Are you ready to start? Contact Wipfli for more information on cybersecurity and how we can help protect your health care organization.

[1] “Cyber Security Skills Crisis Causing Rapidly Widening Business Problem,” Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), November 2017
[2] Q4 2017 Survey, Black Book Research, December 2017
[3] “Cost of Data Breach Study,” Ponemon Institute and IBM Security, June 2017


Director, Risk Advisory Services
View Profile
Healthcare Perspectives blog
Subscribe to Healthcare Perspectives