We were delighted to attend the Virtual National HIPAA Summit this past March. Our Solutions Advisors were able to meet with some of you and discuss your HIPAA and cybersecurity needs, and your feedback is always valuable in guiding our decisions.
Two of our security experts were also in attendance at the summit as presenters – Barry Hofecker and Brian Murphy shared their thoughts on Risk Management at a mini-summit during the event. For those of you who were unable to attend the summit or their lecture, we’re making their key takeaways available here, and a full-length previously-recorded version of the presentation is linked at the end of this article.
Often when working with technology managers and executives in healthcare, we hear about difficulties integrating a cybersecurity program at all levels of the organization: leaders don’t buy in, and practitioners and staff don’t adhere to security policies and procedures. Taking a risk-based approach to information security aligns your program with business and operational goals. Risk Management also helps you communicate to your organization that cybersecurity relies on people and processes across departments, not just on technology.
In our experience, cybersecurity risk generally falls into one of three categories: people, processes, and technology. A specific staff member could handle patient data carelessly. There could be gaps in the training or planning around information security. Or there could be vulnerabilities in the hardware or software you’ve adopted.
To address risks among people, take stock of your communication style. Just as medical providers communicate health risks to their patients in simple, non-technical terms, you should communicate cybersecurity risks to users without jargon. Frame these risks as behaviors with consequences: “if you leave this workstation logged in and walk away, someone else can read or copy patient data, and that is a reportable HIPAA breach.” Consider implementing role-based security training, limiting the material for each role to the situations that role will actually encounter in its regular activities; staff members will retain crucial information better if they’re not overloaded.
Manage risks in your processes by consistently refreshing trainings and policies. Incorporate your organization’s security requirements into in-service training, and repeat the cybersecurity training on a regular schedule. Update those requirements and policies frequently as well, so they reflect the ever-evolving threat landscape rather than the one that existed when they were written.
Assess technology risks every time you bring in new hardware or software, as part of your vendor evaluation. That is not to say any service with a known vulnerability should be rejected – you want IT to enable your organization to do more. Weigh the business or operational efficiencies the new technology provides against the likelihood that a vulnerability in it will be exploited and the scale of the impact if it is. Like your policies and procedures, your systems should be reevaluated on a regular cadence: new vulnerabilities may be discovered, or software versions may reach end of support and stop receiving security patches. As technology moves forward, so should you.
Ultimately, Risk Management should not fall solely to the IT department – ownership and execution should span from C-level to entry-level across different functions. Developing a risk-based cybersecurity program should allow you to keep your systems secure while empowering your organization to provide superior patient care.