
The Risk You're Taking: Not Having a Cybersecurity Strategy
Data security in healthcare is a topic that is widely debated and discussed, yet managed and implemented inconsistently across organizations. On one end of the spectrum, the management of ePHI (electronic protected health information) is left to IT to figure out. IT department resources are often proficient technically, but lack the regulatory knowledge necessary to take proactive measures. On the other end of the spectrum, organizations designate security officials who manage data security from a strategic level. A vast majority of organizations fall somewhere in the middle. Many do not have a designated official—an Information Security Officer (ISO). In fact, four out of 10 healthcare organizations do not have an ISO.

The lack of an ISO is frightening. What should be even more alarming is that many organizations lack an information security strategic plan. Those that do may have a plan that is ineffective or not up-to-date. As a result, information security lacks focus and consistency across the enterprise, and leads to a greater likelihood of a security breach. If organizations continue to view strategic planning as impractical or unnecessary, then they are less likely to effectively manage information risk. (Health IT News)

Healthcare is unique among economic sectors in its breadth and depth of valuable information. Health information includes personally identifiable data such as Social Security numbers; financial information (e.g. credit card numbers and bank accounts); protected health information, including high-profile targets; business intelligence; intellectual property (e.g. medical research); and national security information related to emergency preparedness. Each one of these data sets is heavily targeted by cyber criminals. “Hospitals and health systems are the only organizations that may possess all these data sets in combination, making them exponentially valuable” according to John Riggi, Senior Cybersecurity Advisor, American Hospital Association.

The U.S. Department of Health & Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) is progressing toward finalizing the Trusted Exchange Framework Common Agreement (TEFCA), requiring covered entities to “promote interoperability.” Organizations need to be prepared to comply, but also to align any strategy for greater interoperability to be in compliance with HIPAA and other state and federal regulations. Technology remains imperfect in the area of interoperability because, for example, it’s difficult to track and integrate things such as patient consent. Since the ONC remains silent on how to implement this effectively, it is incumbent upon organizations to create a strategy to remain in compliance with all facets of regulatory change, and to do so securely.

How do you prepare for new regulations—and protect your organization and your patients—while allowing your clinicians to access the information they need? Having an ISO as your designated security official to focus on the strategy is a step in the right direction, and will help protect your organization. For those organizations that may not want to hire a full-time Chief Information Security Officer (CISO), a virtual CISO (vCISO) is a great option. The advantages of a vCISO are that you get top advisors with depth of experience in the field, at a lower cost. The vCISO can help you define your strategic plan and then help you implement it. What makes this both effective and desirable is that you get a strategy, someone to help execute it, and the ability as the client to control the cost. Consider the following:

  • The ISO role is hard to fill. And, due to salary requirements and organizational experience, supporting the function of an ISO is a difficult proposition. An experienced vCISO can fill this role at a fraction of the cost of a full-time staff member.
  • Organizations remain focused on “defensive” security. An effective vCISO will help move your organization from playing defense to creating a proactive approach to data security. The right partner will allow you to leverage the full power of its resources to understand your risks and create remediation plans.
  • A 2018 study by IBM reports the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148.90.

Protecting your data is serious business. It’s your job as an organization to ensure that you are in compliance with all the security laws governing your business and to ensure the highest level of protection for your most valuable assets. It’s not a matter of if a breach will happen—it’s a matter of when. Having the necessary security measures, including your designated security official, is key to surviving it.