Important but not Urgent
In many organizations, cyber security is perceived as one of those “important-but-not-urgent” issues that keep getting put off in deference to the pressing issues of the day. It’s not that organizational leaders are doing nothing. In most organizations, the basic pieces are in place. It is these very safeguards, though, that can give leaders a false sense of security, making them complacent about day-to-day risk management. For instance, how vigilant are you about each of the following:
- Reviewing the audit log from your EHR system for suspicious activity – and following up?
- Reviewing the network activity log and addressing any suspicious patterns?
- Ensuring that system and facility access for all departing employees is completed at the time of departure?
- Ensuring that all software patches are implemented asap after release?
- Regularly reviewing and addressing the issues identified in your Security Risk Assessment (we recommend at least monthly)?
- Conducting ongoing security training for all members of the workforce (not just once per year)?
- Applying sanctions to members of the workforce who put information security at risk with unsafe practices?
- Ensuring the security of new devices before deploying them on the network?
- Documenting and periodically reviewing all “security incidents”?
- Completing a new Security Risk Assessment after a major organizational, facility or IT change?
We know it’s hard to do all of this! It requires time, money, and knowledgeable staff.
A New Perspective
However, consider these to overcome three very common roadblocks to risk management.
Time – “I don’t have time… My staff doesn’t have time.”
Ask yourself, “Do I have time to deal with the fallout of a breach?” You will have to divert man power and spend time locating and correcting the breach, contacting clients about their potential risks, and deal with any governmental audits. Spending 1-2 hours per week delegating and following up on the issues above could greatly minimize your risk of a breach, the extent of a breach if one happened, and the fine should a breach or random audit occur.
Money – “It costs too much… Those costs shouldn’t come out of my budget – that’s IT’s responsibility.”
Whose budget will pay the breach remediation costs? One medium-sized medical practice (20+ providers) spent more than $1 million on patient notifications alone after experiencing a breach. Cyber insurance will cover some of the costs, but most organizations are under-insured and find themselves paying legal fees, increased operational costs, and fines while experiencing decreased revenues due to the negative reputational impact. It always costs less to prevent than to recover. Find the money to invest in information security before a breach occurs.
Knowledge/Skill – “I don’t know how… My people don’t know how.”
The OCR adheres to the general legal guideline that “ignorance is no excuse.” Numerous free resources are available, and multiple vendors offer relatively low-cost training courses for staff and compliance officers. There are also service providers that can provide monthly or quarterly cyber security support services if your own IT staff lack that expertise. Teach yourself, go to training, or find someone knowledgeable to help you. Don’t let ignorance keep you from protecting some of your organization’s most valuable assets – your clients’ information and your professional reputation.