IT Insider Blog

A popular Chinese proverb says that the best time to plant a tree was 20 years ago. As businesses deal with constant stresses of change, many will be looking ahead to further mitigate disruptions to their business. Whether it’s a data breach or a localized natural disaster, planning for such events can be a daunting task. Business interruptions are stressful and making critical decisions during a crisis is usually less productive than laying out a plan in advance. 

A mindset and an attitude of preparedness runs much deeper than responding to an individual crisis but creates a path forward toward building resilient, scalable, and flexible business plans to adapt to a wide variety of changing conditions well into the future. Businesses thrive on being able to create more opportunities and continuity/disaster planning can bring clarity to many situations especially in times of uncertainty. 

After spending years analyzing data security and compliance for healthcare providers we have noticed it’s always the administrators we work with that may all be but unaware of the reasons why so many of their staff are circumventing the very policies meant to protect themselves, their patients, and the entire hospital network. These actions further weaken defenses against cyber threats and increase the likelihood of a compromise with protected data.

Internal IT remains as a critical role to the success of healthcare organizations. Evolving technology and the widening gap of responsibilities place excessive burdens on the IT department. Healthcare IT departments have moved well beyond solving daily technology problems to help shape executive decisions around areas of finance/budgeting, data security, regulatory compliance, and more. This unique development of the IT engineer’s role has brought them up from the proverbial basement to the C-Suite as technology now intersects with all other aspects of business operations. The quick evolution of the IT role has undoubtedly created a winding path for technology professionals to try and adapt their skill-sets to include a wider range of organizational responsibilities. Executives find it challenging to know what gaps exist between technology operations and business operations and how to reconcile the two. Addressing these challenges will often require more of a collaborative approach which creates long term stability in the IT department and supports business objectives.

Jill is the administrator for a 25-bed rural hospital in a remote part of Texas that receives patients from almost an hour away in every direction and serves as the counties only hospital. A discussion with Jill around cybersecurity practices provides insight into the various reasons why administrators may not be aware of the danger that lies just beyond their firewall. Surprised by the implications of her internal network password policies not meeting standards, Jill states “Our hospital is one of the most remote in the state, how and why would we be targeted by hackers?” She is not alone in thinking that her geographical location will diminish the odds that their facility will be vulnerable to a cyber-attack.

It is common for healthcare executives to report that securing their data is mainly focused around meeting compliance objectives so they can qualify for federal incentive programs. While participation in incentive programs is meant to increase meeting compliance objectives, they simply fall short in addressing the nuanced individual business practices that fall outside the scope of compliance measures. Compliance standards in and of themselves do not provide detailed guidance or a methodology to ensure protection of ePHI data.

As the number of compromised ePHI data continues to rise, healthcare providers are not waiting around to try and identify risks. 31,611,235 healthcare records were breached in the first 6 months of 2019, which is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). – According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, cites HIPAA Journal.