In healthcare, we talk about how important security is, all the while quietly hoping and assuming that, as an organization, we are in compliance and have all the appropriate safeguards in place. Compliance here refers, at a minimum, to the baseline set by the HIPAA Security Rule, to the obligations that come with being a Covered Entity, and to the many contractual obligations we take on, including Business Associate Agreements (BAAs) and confidentiality clauses.
Typically, security has evolved and grown up in organizations piecemeal and bottom-up. As we deployed new components of our infrastructure, we integrated them into the environment, adapting each one to whatever standard the individuals doing the deployment happened to understand, and we assumed this would ensure the continued safety and protection of our data, intellectual property and other assets. The challenge with this approach is two-fold. It assumes the existence of both an enterprise security plan, which everyone knows and understands, and a process by which we periodically review the company's environment for adherence to that plan. To further complicate matters, the enterprise security plan should itself be based upon business, legal and regulatory requirements, published and generally accepted best practices, and accepted risk. The last of these refers to management conversations that weigh the cost of doing something now against the potential future cost of not doing it and then dealing with the issue if it arises.
To further illustrate that last point: with the enactment of the HITECH Act and its clarification of many matters relating to both privacy and security, risk management has taken on greater importance and should be a topic of interest for senior executives. As an example, there was a recent article about a New England firm that experienced a breach. An employee's laptop, which contained PHI, was stolen from their car. The firm ended up spending upwards of $300,000 in fees and hundreds of hours of staff time to address the breach. Note that under the HITECH breach notification rules, PHI that was encrypted in line with HHS guidance is treated as unusable and unreadable, so a stolen laptop with properly encrypted storage would generally not have triggered a reportable breach at all. If one breach costs $300,000 plus staff time, how does that compare to the cost of encrypting and monitoring every device that leaves the premises?
My question to you is this: how does your organization manage security and its risks? Do you have a governance process in place? Is it comprehensive and requirements-driven, with the risks communicated and understood, and with mitigation plans developed and regularly reviewed?
In Part 2 of this blog, I will provide ideas and suggestions on how to improve the management and governance of security, allowing it to come out of the closet and become better appreciated, understood and accepted by all. A well-governed and well-managed security plan can become an asset and a differentiator when competing for new business, as well as when retaining existing customers.