security budget

When it comes to security, many healthcare entities are at a loss on what to budget. 

By: Brand Barney
How much do you budget for data security? $1,000? $30,000 . . . more? Unfortunately, many healthcare organizations may not be budgeting as much as they should to protect their sensitive data.

SEE ALSO: How Much Does a Data Breach Cost Your Organization?

One of the reasons healthcare entities may not have much of a security budget is because they aren’t sure what security should entail. Here are five security measures you should consider in your budget:
security budget
Let’s look at these in more depth:

Vulnerability Scanning 

Whether your organization is large or small, you’re going to have vulnerabilities in your systems. Having vulnerability scanning can help you find potential security holes in your network, firewalls, devices, and more. Make sure you find a vulnerability scanner that fits your organizations’ unique needs.

SEE ALSO: 10 Qualities To Look For When Selecting an Approved Scanning Vendor

Training and Policy development:

Your employees may be among the weakest links in your organization’s security. Methods like social engineering, or “human hacking” are becoming more popular because it’s a fairly easy way to gain access to Protected Health Information (PHI).

Employees must be trained quarterly, if not monthly on policies and procedures, combatting social engineers, and upholding security measures. Taking the time to train your employees consistently and effectively is well worth the cost.

Need help training your workforce members? Check out our customized HIPAA training.

Risk Analysis and Risk Management Plan 

These two security elements are required in all healthcare entities whether they’re small or large.
  • A risk analysis is a lot like a "physical” that identifies risks, threats and vulnerabilities within your organization, systems, and network. It includes things like scope analysis, data collection, risk level, vulnerabilities/threat identification, etc. 
  • The Risk Management Plan (RMP) works through issues discovered in the risk analysis and provides a documented instance proving your active acknowledgement (and correction) of PHI risks and HIPAA requirements. It helps you manage potential vulnerabilities found in your risk analysis. 

Penetration Testing

Penetration tests are a more robust and in-depth element of security, and the information they provide is very valuable. Penetration testers search your security, looking for security holes and trying black hat methods to “hack” your organization.

While this service is more costly, it does give your organization a more in-depth analysis and helps minimize potential data breaches.

See Also: How Much Does a Pentest Cost?

Onsite Audits

Onsite audits can be pricy (costing anywhere from $5,000 to well over $100,000). With an onsite audit, an auditor comes directly to your organization and performs an audit on your security. They assess everything in your organization and make sure you’re fulfilling the requirements in the HIPAA Privacy Rule and the Security Rule. Onsite audits are good if you need more help with HIPAA compliance.

Get an Onsite HIPAA Audit from our expert auditors! 

Potential security budget

The following are estimates of possible budgets for small and medium/large covered entities.
Cost of HIPAA

Small covered entity 
  • <$1K = Vulnerability scanning 
  • $1-2K = Training and policy development 
  • $2K = Risk Analysis and Management plan 
  • $3-5K = Total 

Medium/large covered entity
  • $1K = Vulnerability scans
  • $5K = Training and policy development 
  • $5K = Penetration testing 
  • $20K = Risk Analysis and Management Plan
  • $40K = Onsite audit 
  • $71K = Total
SEE ALSO: How Much Does HIPAA Compliance Cost?

Keep in mind that this budget doesn’t include remediation security measures such as:
  • Firewalls
  • Encryption
  • Updating systems and equipment
  • Breach protection

Healthcare budgets should have more emphasis on security 

I’ve seen many large and small organizations spend hundreds of thousands of dollars on new medical equipment, and then balk at an important security tool costing only a few thousand.

SEE ALSO: How Healthcare Security Complacency is Killing Your Organization

Some make the argument that equipment saves lives or improves the well being of patients. But what happens to your patient’s well being when you lose their PHI and an identity thief destroys their credit, or has procedures done under their name, health plan ID, or SSN?
Having the proper security budget protects not just your organization, but your patients as well.
Trust me, when it comes to security and well being of your patients, having a solid security budget is well worth the cost.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Read the SecurityMetrics HIPAA Security Rule Report