Humans or HIPAA?
When it comes to healthcare organizations addressing the HIPAA compliance of their business, many feel prepared and comfortable, readily checking that “compliant” box. But addressing the human part of security falls by the wayside too often. Compliance and cybersecurity, which includes human security, both need to be a part of your overall strategic plan.
“If I have security, I’m ok with compliance, right?” No, but you’re not alone in assuming that addressing one will take care of the other. It is an easy mistake, and one that healthcare businesses make too often. Compliance and cybersecurity work together to keep you up, running and protected from both a technical and a federal regulations standpoint, but they address different components.
When This Doesn’t Mean That
HIPAA compliance will take care of the laws and regulations that you need to adhere to. Cybersecurity addresses the gaps or weaknesses in a business that make that entity vulnerable to hackers. If a breach occurs, government agencies will review your HIPAA compliance to make sure you were in accordance with the regulations, and this will protect you legally in some respects. So, in this regard, they work together to protect you, but cybersecurity must be your first line of defense.
With cybercriminals putting an increased value on healthcare data, the target on the business’s back gets bigger every day. Right alongside that increased value is a matching rise in the number of data breaches each year. Healthcare data is sold for 10-20 times the price of stolen credit card numbers, so where do you think hackers are focusing? Just like most businesses, they go where the money is. To add to the damage, they are not just focused on data theft, but also on overall disruption to the business through targeted employee attacks.
Healthcare must begin to look at cybersecurity with the same reverence it has for HIPAA compliance. Protecting your business and patient data should be an effort that combines both strategies. If your IT provider isn’t discussing this with you, it doesn’t mean that they aren’t doing it already, but don’t assume. Ask questions, work together and make a plan that secures your business as a whole, not just segments of it.