It is common for healthcare executives to report that securing their data is focused mainly on meeting compliance objectives so they can qualify for federal incentive programs. While participation in incentive programs is meant to drive compliance, these programs fall short in addressing the nuanced, organization-specific business practices that lie outside the scope of compliance measures. Compliance standards in and of themselves do not provide detailed guidance or a methodology to ensure protection of ePHI data.
Compliance and data security programs delivered by third-party vendors often fall short when they do not continually analyze and adjust for the specific controls of each organization. An example is a vendor hired to perform a yearly Security Risk Assessment (SRA), which typically consists of generating a large report for a one-time, exorbitant fee. This leaves internal IT and executives with the burden of sifting through a large report (usually 1000+ pages) with little insight into how to prioritize the identified vulnerabilities and gaps in data security. Even if vulnerabilities can be prioritized, it may turn out that there is no path or resources to adequately remediate those findings. Also bear in mind that an SRA report itself is a one-time snapshot of an entity’s assessment of risk; to remain effective it needs to be incorporated into a process of ongoing investigation and remediation.
It is not recommended that data security and compliance remediation be delegated solely to internal IT, as these individuals are often stretched to capacity meeting the daily needs of end users, building IT projects, and managing IT infrastructure. Internal IT may also work with tools that are limited in providing the visibility needed to understand data security gaps. When an IT department experiences turnover, critical knowledge of these systems is often lost. A comprehensive data security program should go beyond merely meeting compliance objectives by creating a detailed road map of progress toward greater protection of data, with measured outcomes.
A healthcare system is complicated and costly to manage, and if we can proactively put in place measures that address vulnerabilities, then healthcare providers will be in a far better position to reduce their risk of falling victim to a cyber-attack. In many ways, bolstering security on the technology side can be easier than creating a culture of awareness through employee training and testing of organizational security practices. Employee training, testing, and retraining are paramount because they address the human element in data breaches. A report by Egress, a London-based security firm, states that 60 percent of data breaches that occurred between January 1 and June 20, 2019 were the result of human error.
Mandry Technology developed a data security and compliance program specifically tailored to healthcare entities, which goes beyond meeting compliance standards to track and measure progress in data security over time. This program, unlike many on the market today, combines sophisticated data analysis tools, certified security experts, employee awareness training and testing, and a remediation team to keep organizations continuously secure and compliant for a low fixed monthly cost that can be easily budgeted throughout the year.
2019 is on track to surpass last year’s record of 365 reported data breaches in healthcare, and analysts predict this number will continue to rise every year.