How to Build a Compliant, Secure Healthcare Organization

What does a compliant, secure healthcare organization look like? The reality is that it will look different depending on the size of the business, the type of healthcare environment in which the organization operates, and the organization’s risk appetite.

Each organization has the ability to lay the groundwork for future compliance and security. Simple steps facilitate the building of the desired culture. These include:

Development of a defined organizational chart and identification of a point person to handle compliance issues.
Written policies and procedures for key processes and controls, mapped to requirements such as HIPAA Privacy and Security, in order to facilitate consistency and continuity.
Routine staff and leadership education on the current regulatory environment and the evolving threat landscape.
Identification of key risks to the organization’s continuity and business model as well as to patient health information.
Definition of the organization’s risk appetite by specifying what level of risk is acceptable and what level of risk is too high.
Definition of the information technology environment in which the organization will operate (including all cloud environments and software as a service).
Identification of disrupters which may materially impact the operational effectiveness of the organization.

Each of the above elements becomes part of the whole picture of the organization, and together they are the foundation upon which a compliant healthcare organization should be built.

One area that many healthcare organizations fail to consider when establishing the above building blocks is the cyber risk to patient health information. As technology becomes more prevalent, information and electronic medical records platforms are moving to the cloud and networked medical devices are becoming the norm, which increases the risk of cyber incidents.

As noted in the 2018 IBM/Ponemon Cost of a Data Breach report, the average cost of a data breach in the U.S. is $7.91 million but can vary widely depending on the industry. The cost of a single breached healthcare record is at its highest point ever: $408 per record. The cost includes items such as legal fees, incident response, notification costs, loss of reputation, loss of business, remediation costs, etc. Cryptolocker and ransomware incidents are considered reportable breaches by the Office for Civil Rights (OCR) unless forensic examination can demonstrate that sensitive data was neither accessed nor exfiltrated during the incident.

The reputational harm, harm to your patients or business partners, and other distractions caused by a cybersecurity incident can devastate the operations of any healthcare organization. Cybersecurity is not just about the confidentiality of sensitive information; it is also about maintaining the integrity and availability of your information system operations.

For more information on how to build a compliant business while integrating cyber security and fraud considerations, contact Gui Cozzi, Cybersecurity Practice Lead at 502.589.6050.