*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.
“Compliance officers need to better understand these risks, and then find ways to convey this information to the executive team.”
Healthcare security gaps often stem from communication issues. It’s common to see executives and practice leads who aren’t listening to their staff about their current state of compliance and security. Decision makers might not understand why it’s critical to supply resources for security, or staff might not understand how to explain their staffing and budget needs to senior management.
These organizations typically need to outsource their security efforts or engage information security consultants to obtain solid security advice because they don’t have in-house knowledge or experience.
Budgets need to place more emphasis on security. I’ve seen large organizations spend hundreds of thousands of dollars on new medical equipment, then balk at an important security tool costing only a few thousand dollars. Some make the argument that equipment saves lives or improves patient well-being, but a breach of the privacy and security of healthcare information can have devastating real-world effects.
Stolen information can result in financial or reputational ruin, on top of whatever health issues a patient might be dealing with. Systems hit by ransomware can mean that lifesaving medical details in a patient’s records aren’t available when needed. Medical devices, if breached, can negatively affect a patient’s healthcare experience or even result in death.
Privacy and security officers need to understand and explain these risks to the executive team. Often, a third party can help add credibility to get executives to commit the appropriate budget and personnel resources to adequately secure PHI.