It is no secret that healthcare organizations underfund their defense efforts when it comes to protecting patient data. Even though personal health information is very valuable to cybercriminals and can even generate more revenue on the black market than financial information, healthcare organizations continue to take a lax approach in their cybersecurity practices.

Last week at the Xtelligent Media Value-Based Care Summit in Chicago, Secretary Jesse M. Ehrenfeld, MD, MPH of the American Medical Association (AMA) Board of Trustees delivered the keynote speech, in which he explored why healthcare IT spends so little of its budget on security and how healthcare can work together to form a system that works for everybody.

In his speech, Ehrenfeld explored data released by the Healthcare Information and Management Systems Society (HIMSS). To make his case, Ehrenfeld pointed out that healthcare providers are spending significantly less of their health IT budget (about 6%) on security than other industries such as finance.

Although spending on IT security remains low, the second HIMSS Analytics HIT Security and Risk Management Study suggests that 2016 saw an increase in the number of employees dedicated to working in IT security, a 3% increase from 2015. Despite this increase, HIMSS indicates that IT budgets and staffing ultimately remain the biggest barriers to strong cybersecurity practices for healthcare organizations.

What will it take to convince healthcare organizations to appropriately resource their IT security? 

According to Ehrenfeld, the AMA feels the best way to improve cybersecurity practices in the healthcare industry is to stop punishing non-compliance and instead incentivize compliance. Incentivizing best security practices gives physicians yet another, more attractive reason to take cybersecurity more seriously.

Ehrenfeld also explains the need for the federal government to find viable ways to get physicians on board with HIPAA compliance and overall best security practices.

While cybersecurity best practices can be expensive and unrealistic, especially for smaller businesses, Ehrenfeld expresses the need for both public and private stakeholders to find better practices for making compliance more attainable.

Ehrenfeld also discusses how the AMA encourages health systems to work together by sharing their knowledge. Since large organizations often have greater resources than small businesses, there is significant value in them sharing what they have learned.

By sharing best practices and real-world examples across the board, Ehrenfeld believes we can create a “healthcare system that works for everybody.”

The post Should healthcare organizations be incentivized to adopt cybersecurity? appeared first on HIPAA Secure Now!.
