The good news? Healthcare is getting more serious, and more informed, about data security. Eighty-five percent of healthcare providers have discussed cyber security at the board level, according to a cyber risk study conducted by KPMG, and 69 percent of healthcare organizations have a formal incident response plan for cyber attacks, according to the Ponemon Institute study.
A data security framework is not a modest undertaking, but the following four steps are widely agreed to be essential to the process:
1. Educate yourself and your institution at a high level. Make data security a board- and management-level priority that permeates the whole organization. And fully understand the implications of postponing a formal data security posture any further.
2. Discover and decide what threatens your organization specifically. Threats vary among different types and sizes of healthcare organizations. While criminal attacks may be the most dangerous threat against large health systems, employee negligence is still the most common type of breach, and may be a top priority for organizations like physician groups or home care agencies. Audit your organization's processes, technology capabilities, standards governing vendors and employees, and more. In many cases, an outside assessment is the best way to get an accurate and valuable perspective on your data security position.
3. Allocate resources. Cementing your data security posture should not require a bloated budget. “I see organizations spend millions on cyber security and have an utterly ineffective defense, and then I see organizations that spend pennies and have a very effective defense,” Williams says. That said, Short recommends determining the resources that are necessary to get the job done, not the resources that happen to be available. “There's a big enough gap there in most organizations to demonstrate that they need to up their game,” Short says.
4. Design a response plan. Even when organizations put forth their best effort, data breaches will occur. Most experts agree—it's not a matter of if, but when, your organization must handle a cyber incident. The key is having a response plan in place that involves the following stakeholders: legal counsel, compliance officers, public relations, your cyber security partners, information security, and in many cases the CEO and CFO, who should be present to fully understand the evaluated risk and exposure.
It's both cost-effective and smart to rely on outside standards such as HITRUST (developed by a cohort of leading healthcare organizations) to guide your organization through these steps—and at every point of change in your organization's future. Not only does this allow your organization to focus on patient care and services, it also helps your organization stay up-to-date in assessing and addressing new threats that arise every day.