How to Navigate Cybersecurity Risk, Compliance, and Audit Requirements – For Healthcare Providers
Protecting sensitive personal health information has been a regulatory requirement and a sensitive topic in the healthcare industry for decades. According to the FBI, cybercrime grew by 400% during the pandemic. Total losses since 2016 have topped $43 billion from Business Email Compromise. It was reported by the Threat Intelligence team at the Health-ISAC (Information Sharing and Analysis Center) in November 2023 that business email compromise in healthcare alone grew by 279% in 2022.
While money and personal health information loss are impactful in healthcare, the stakes have never been higher considering the potential for operational impairment of critical systems, life-saving medical equipment, and the operational ability of healthcare professionals to do their jobs. Doctors, nurses, surgeons, lab techs, and many other important roles that support the healthcare industry have remained in frontline critical jobs during the global pandemic and other health-related events. Physician practices, hospitals, clinics, nursing homes, youth and family services centers, and more have been challenged to catch up on defenses and continuity plans to remain resilient through a cyber attack.
Some common challenges are sustaining adequate focus, managing competing priorities, preventing staff burnout, and navigating confusion between compliance and cyber risk reduction. Elaboration on solutions around each of these challenges could be a full article individually. In this article, I will focus on cyber compliance vs risk reduction and how to avoid common pitfalls that can limit organizations’ success in meeting their goals.
I observe a fair amount of industry confusion within healthcare between HIPAA compliance, aligning cybersecurity programs to control frameworks, and navigating expectations when deciding between available options for external audits (including independent attestations and certifications).
My hope in this article is to provide some independent and unbiased information to:
At the end of the day, senior leaders within healthcare must strike the right balance between managing cyber risk, maintaining compliance, and allocating limited resources and budgets within their organization. Use the information here to help make the best decisions for your organization.
Clarifying Misnomers and Misunderstandings
Healthcare organizations are subject to various operational and privacy laws and regulations, with one very prominent one in the United States being HIPAA (Health Insurance Portability and Accountability Act). HIPAA is not a new regulation – and it is probably long overdue for a substantive update (the last major update was in 2013, with some new changes proposed in 2020 that are not yet effective). Do you remember what technology and computing was like in 2013? If you do, you know there have been many transformative technological changes over the last decade that the regulations haven’t kept pace with.
However, many of the principles around protecting data remain consistent, and even without it being fresh or new, some organizations still need help with the basics. Others have put the majority of their focus on compliance and are missing important elements that are exploited in today’s cyber threat landscape (especially ransomware).
It is reasonable to assume that US healthcare organizations will use HIPAA as a North Star for compliance and the set of minimum requirements from a technical and cybersecurity standpoint.
Let’s start with my Top 5 misnomers and misunderstandings in healthcare and HIPAA compliance.
Options for Building and Improving Your Cyber Program (balancing risk and compliance)
Many companies we talk to are starting at different levels of maturity. At the top end, we encounter large hospital systems that have a fully staffed and dedicated cyber program built on standard frameworks, with excellent defined policies, processes, and technology. These programs are continuously improving and helping to make both compliance and good cyber hygiene for healthcare workers easier and more integrated into productive workflows.
While that scenario is ideal, and we often are involved in helping to take that program to the next level, we more often see programs that are earlier in maturity. At the far other end of the spectrum, smaller entities or health systems often give responsibility to an employee who has other duties as well. Others have fully outsourced cybersecurity to a managed security service provider, where approaches and results can vary drastically. We have also seen organizations that have made contractual commitments to customers and partners that compliance, data, and organizational protection controls are in place when those controls do not actually exist. While this can be somewhat understandable in some situations, it is a significant gamble that jeopardizes not only business relationships but also invites HHS OCR (Health and Human Services – Office for Civil Rights) enforcement, ranging from $100 to $50,000 per violation plus criminal penalties and imprisonment for violations that are deemed to have been intentional.
Regardless of your organizational maturity, there is hope. The biggest opportunity and challenge in healthcare cybersecurity is defining a clear strategy that balances cyber risk reduction and compliance needs. This strategy should establish a realistic and prioritized plan of action that ensures the most important and impactful decisions and initiatives are sanctioned first, so your cyber program is an asset that enables your operations instead of impairing them.
A common pitfall for developing cybersecurity programs is attempting to “boil the ocean,” doing too many things and trying to prevent every risk scenario. This is one reason why burnout in the field is so prevalent. This situation is very common, and we have come across some poor performing programs that have a seemingly unlimited budget. But when they have very little focus or are trying to accomplish too much, they often accomplish less than organizations that have much less funding.
A related failure mode we see occurs when leaders and teams over-buy cyber technology and tools, believing that these purchases will rapidly reduce risk. While there are some great tools in the market, they typically aren’t very effective when they have 10% adoption across the organization while the tech team is off procuring and implementing the next tool. One of the largest gaps in cyber programs that we see is a lack of focus on effective and efficient processes that enable people and technology to accomplish the intended risk reduction goals. “Cyber Process Engineer” should be a key position in all programs. If many organizations spent half as much money and time on this as they often do on cyber tools and procurement cycles, they might be surprised at how effective they would become.
I never loved the executive saying “do more with less” in the corporate world. It was typical rhetoric during cost-cutting exercises that did more to annoy than to motivate staff. However, I would get behind the phrase “Do more with what you have before you ask for the next thing.” A close cousin to that mantra would be: “Let’s see what we can get rid of before we add. What is not working/effective/adding value?”
Here are 6 key takeaways for building, improving, and maintaining an effective cybersecurity program in healthcare:
Tips for Finding and Maintaining an Effective and Credible Audit Partner
Finally, the topic everyone has likely been on the edge of their seat for: picking their auditor! That sounds about as much fun as hoping for a “random” IRS tax audit selection or a three-hour follow-up visit to the dentist. With that said, if you are required to have an audit conducted, who you entrust to help you on this journey can make a significant difference in how much pain your team endures. And the “right” answer isn’t the auditor that is the “easiest” or turns their head to avoid surfacing a complex issue. At the end of the day, you want to work with someone that is efficient, effective, transparent, and helps you work through issues promptly and without prejudice.
Top Considerations For Making an Audit Partner Selection
Top Warning Signs That You May Need A Change in Audit Partners
Hopefully, this has helped simplify the complexities of cybersecurity, compliance, and audits within the healthcare organization. If you have any questions or would like to have further conversations about the topics in this article, please reach out.
Thank you for sharing. Insightful read, Aaron. The distinction between compliance and cyber risk reduction is crucial for healthcare providers.