Maintaining information and cybersecurity is a hefty undertaking for health care organizations and an even bigger challenge for smaller health care providers. But what about building a strong, comprehensive organizational information/cybersecurity/risk management program? One that can keep information private, readily available to those who need it, and safe from ongoing threats that continually evolve, are growing in number, and can originate internally or externally from anywhere in the world?
That’s an even greater feat, one that comes with even broader responsibilities that directly impact the business.
Too many health care organizations hold a narrow view of information/cybersecurity. Perspectives range from purely physical/facilities security (“guns and guards”) to purely technological (it’s technology, so it’s IT’s problem). Security responsibilities aren’t just focused on managing firewalls, maintaining security on network servers, changing passwords, and cleaning up computer viruses. It’s much more comprehensive. And it isn’t about handing off the duties to an IT person as another responsibility. It’s much more holistic.
The reality is that information/cybersecurity needs to be deeply rooted in the organization’s workforce mentality and business processes, meaning there’s no easy or “silver-bullet” technology solution that ensures patient and business confidential information stays secure, trusted and available when needed.
Instead, success—whatever your size—requires a “champion” who understands how to balance the needs of the business and patient safety with regulatory requirements and acceptable practices based on a solid foundation of risk management.
From planning and implementing policy and process, to educating the workforce and keeping senior leadership apprised of risks that could impact the business and patient safety, to monitoring performance and compliance, the concept of information/cybersecurity goes well beyond technology and the IT department. Clearly it is an enterprise-wide risk management issue.
Managing the kind of program necessary to protect information—paper or digital—as well as the places or assets where information resides, in addition to the people (workforce, business associates, etc.) who access it, is a wide-ranging, business-driven, organization-focused, full-time job regardless of the size of the organization. Regulatory entities expect to see someone who’s in charge of, and actively managing, your information/cybersecurity program; your patients deserve nothing less.
Considering the critical importance of the job, the need for balanced enforcement, continuous monitoring and improvement, and the increased number of breaches and subsequent lawsuits that now include naming corporate officers and even boards of directors, the job is certainly a weighty one. Ideally, whoever holds the title of security officer should report to the senior-most person in the organization or even the board.
Smaller organizations with limited resources will find this kind of hiring decision difficult to make. But when weighed against the cost of breaches that put patient data and a hospital’s reputation or even survival at risk, the decision is easily justified. Today’s average cost of a data breach at a health care organization is estimated to be more than $4 million.[i] Add to this fact that the threats are not subsiding, but rather growing both externally and internally, and the position is further justified.
Who Will Lead?
Putting regulations aside, the protection of patient confidentiality and ensuring the availability and integrity of their health information, especially in their time of need, is not an option—it can be a matter of life and death.
Who’s your organization’s information/cybersecurity leader? It’s not an optional decision or one to be taken lightly.
[i] Ponemon Institute, 2016 Cost of Data Breach Study.