A successful security program is all about managing risk.
By: Tod Ferran
Security isn’t going to happen if the C-suite isn’t involved
Nate Russ, Regional Director of Northeast Healthcare at Symantec, explained that those involved with security must show why security is a strategic move from a business standpoint in order to get funding. If business leaders don’t see the urgency, why would they boost your budget?
He also pointed out the importance of leveraging compliance exercises for security budgeting, a point further expounded upon by John Halamka, CIO of Beth Israel Deaconess Medical Center. Halamka explained a test he conducted on his workforce members in which he disseminated phishing emails to test their phishing awareness. Each workforce member who clicked on the email represented a compromise to the business and a potential breach of data. Halamka made sure to add that the decision wasn’t an IT initiative. It was a business initiative overseen by business leaders.
I can’t stress the concept of involving corporate leadership enough.
Security is a cultural problem within the business. It’s not just an IT problem.
If your security and risk management program is going to succeed, it’s because everyone at the organization is on board.
Like SecurityMetrics’ CEO Brad Caldwell always says, “Security isn't just technical, it's a mentality within an organization.”
Stop thinking you are immune to compromise
In Linda Sanches’ presentation about OCR audits, she kept stressing the vulnerability of the healthcare industry. The ‘this could happen to me’ mentality should be felt by all providers and motivate them to strengthen their security posture.
The idea of undergoing a breach tomorrow is terrifying. What’s even scarier is not being prepared to deal with it. I counsel all my clients to create a proactive (vs. reactive) breach plan. This is easily done as you find your risks in your HIPAA Risk Analysis, and create your Risk Management Plan.
Your security strategy needs to be risk-based
My favorite idea at the conference was presented by Jim Routh, CISO at Aetna. He said building a security program based on regulations is not enough. It must be a risk-based program.
As a HIPAA security auditor, I deal with this problem a lot. Many healthcare providers struggle to meet even the bare minimum of the HIPAA requirements. But meeting the bare minimum isn’t really the point of HIPAA, or of any other security regulation for that matter.
If you’re really concerned about security, about your patients’ data (which extends to their health and safety), and about your reputation, go beyond what’s required in government mandates.
What were your favorite parts of the conference?
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.