COMPLIANCE VERSUS RISK MANAGEMENT: WHAT’S THE BETTER CYBERSECURITY APPROACH?
By Chris Wright
Gone are the days of floppy disks, dial-up modems and flash players. So why would these antiquated or obsolete technologies still be covered in an organization’s cybersecurity policies? If I ask a company how it is protecting its digital systems, and the team drags out a dust-covered, three-inch binder of protocols, it begs the question, “What’s even the point?”
Far too often, I see organizations that view cybersecurity as a necessary evil. They believe these practices are burdensome items on their to-do lists, only needed for government compliance. This adversarial mindset toward proactive cyber hygiene can put entities at risk for breaches or attacks. As I’ve witnessed, this leeriness can also result in stalled or uninformed responses if or when incidents occur.
Understandably, the health care industry recognizes and is inundated with cybersecurity concerns. Whether multi-state providers or specialty clinics, these entities have access to sensitive, personal information. That makes them a treasure trove for potential attackers. Yet even they can be guilty of only doing the work to check the compliance box, especially when expanding beyond the Health Insurance Portability and Accountability Act (HIPAA).
In some cases, health care organizations believe or have been counseled incorrectly only to deploy the cybersecurity protocols needed to meet basic government regulations. Thinking they’ve got their bases covered, they don’t strengthen or tailor their tactics to address potential gaps or risks within their companies. And that leaves them — and the patients and families they serve — vulnerable.
Fortunately, health care entities don’t have to decide between compliance and risk management. They can adopt mandated practices and invest in cyber hygiene. The key to shifting from this either-or mentality to a strategic approach is to recognize the following cybersecurity truths.
Compliance is a baseline. In health care and other heavily regulated industries, compliance is often confused with security. Compliance is the minimum. Take HIPAA or the Health Information Technology for Economic and Clinical Health (HITECH) Act as examples. These regulations are starter packs, pointing entities in the right direction about what protocols or recognized security practices to consider. Organizations should conduct risk assessments to modify, shape and strengthen these tactics to address their specific threats.
HIPAA isn’t the be-all and end-all of cybersecurity practices. HIPAA was signed into law nearly three decades ago. Since then, technology has dramatically changed, leaving some cybersecurity-related regulations woefully outdated. Because it takes an act of Congress to update, these issues aren’t always addressed. These discrepancies and the law’s unwieldy language can lead to confusion among health care entities over what practices to implement.
Cybersecurity templates don’t cut it. A simple Google search will confirm how easy it is to download and edit a cybersecurity policy document. The jargon and legalese may make it sound appealing, but these templates offer health care organizations little to no protection against cyberattacks or breaches. That’s because these standardized documents can’t cover every risk for every industry. Entities should determine their pain points and develop custom strategies to fill those potential gaps. Essentially, they should ask themselves, “What threats exist within our organization, and what practices can we implement to protect ourselves?”
Cybersecurity requires time and effort. Establishing and maintaining a strong cybersecurity posture requires organizational buy-in and support. Surprisingly, a fair number of breaches occur due to internal process failures. For example, say an employee is tasked with contacting patients to communicate care or billing information. Without direct oversight or internal quality assurance, she sends a mass mailing with a spreadsheet attached. The result is that personal health information is inadvertently distributed and must be reported as a breach.
Organizations can prevent incidents like these by better planning, documenting and strategically executing their cybersecurity processes.
Effective cybersecurity is a process. Cybersecurity documents should be concise, well-understood and regularly reviewed by key staff members. They aren’t designed to sit on a shelf or in a filing cabinet. The longer they languish, the more time it takes to revamp them. Health care entities should update their processes annually or as organizational changes occur. Often, all it takes is 30 minutes of minor tweaking to ensure the policies reflect the current organizational structure and security landscape.
I often say, “You can’t put a screen door on a submarine and not expect it to fill with water.” Sure, it’s a protective barrier, but it wasn’t designed to stop water, nor does it meet your specific needs in this case. The same goes for cybersecurity. For the health care industry, checking the boxes to avoid government penalties has long been the modus operandi. But complying with federal regulations is only one piece of the puzzle. Instead, health care entities should take a strategic approach — balancing compliance with risk management — to safeguard their systems and those they serve.
Christopher Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm providing tailored cybersecurity, IT and security compliance services. For more information, visit SWTechPartners.com.