Who's responsible for your data?
Perhaps, like most small businesses, you have never heard the acronym “CISO”, let alone why it’s an important role for even small healthcare providers. Or perhaps you do understand the importance of having someone responsible for keeping your information secure but can’t justify creating a full-time position. Either way, a “CISO” is a Chief Information Security Officer: the person responsible for knowing your business’s security procedures and standards inside and out. You may not need to create a full-time position to execute this role. Many smaller practices, in fact, don’t need someone on the payroll and can hire a managed services provider (MSP) to take on the role.
Here’s why failing to appoint a CISO puts your business at a competitive disadvantage: 80 percent of business owners have someone on staff (or an MSP consultant) augmenting their IT team. (See the 2017 HIMSS Cybersecurity Survey.) That person is responsible for information and data security. These businesses are your competitors, and they take security seriously. The same survey said that 53 percent of organizations employ at least one cybersecurity professional for every 500 employees.
In the healthcare sector, the security of your business’s information is even more crucial. Did you know that HIPAA requires security measures that can help prevent the introduction of malware, including ransomware, into your computer systems? Have you heard that enforcement actions have been increasing against individual physicians and smaller practices? Your obligation to keep files secure extends to more than just patient records. States are cracking down with their own legislation that is often stricter than HIPAA’s language. In states like Florida, laws are even more expansive than HIPAA. In Florida’s case, FIPA applies to all businesses that acquire, maintain and store personally identifiable information, including information about your business’s own employees.
As your business grows, it is crucial to designate someone who knows the details of your insider threat program. Insider threats fall into two categories. The first is the unintentional insider, such as an employee who accidentally clicks on a link and installs ransomware on a server, encrypting an entire company’s files and forcing it to pay a steep ransom to the hacker who designed the malware. This happened to a business I had to recover data for (they were lucky and had backups). The other type is the malicious insider, and as you can imagine they are more difficult to guard against. Think of them as a disgruntled employee purposefully sabotaging your business. What safeguards do you have in place to guard against either?
Small healthcare providers should consider using managed service providers to augment their overworked and understaffed IT team (or to implement and maintain technological safeguards). Bringing in people with different toolsets to help lock down files, networks and e-mail can be a great alternative to having a CISO on staff, and will ultimately give a practice peace of mind without a large expense.
Would your employees know who to point to when law enforcement shows up and asks to review your data breach and security records? Would the person they point to be able to answer questions about your policies and procedures effectively? This is why formal designation of a CISO is crucial. Disorganization in the eyes of any regulator is a recipe for disaster.
When was the last time your organization conducted a risk assessment? 17 percent of survey respondents indicated that they’ve either conducted a risk assessment less often than every two years or never. Keep in mind that the HIPAA Security Rule requires a security risk analysis (45 CFR §164.308(a)(1)(ii)(A)). Risk assessments cover items like what data to back up and how, when and how to use encryption, and what types of authentication to use when accessing data. These are things that your CISO, or whoever is responsible for the security of your data, should know.
The same (for some, now scary) survey indicated that 87 percent of organizations made their employees undergo security awareness training at least once a year. When was the last time you had your staff trained? Have you ever? Again, this is a requirement of the HIPAA Security Rule (45 CFR §164.308(a)(5)).
While penetration testing (more commonly referred to as “pen testing”) is a rather standard security task, it’s worth mentioning. Pen testing is essentially poring over your network’s security vulnerabilities and trying to find holes that hackers may use to sneak through your virtual door. Think of it as checking that all the windows are shut and the doors are locked before you head out for that long vacation. Your CISO should be conducting this on an annual basis. 75 percent of your competition already is. Don’t be part of the other 25 percent who circled “don’t know”.
2017 HIMSS Cybersecurity Survey http://www.himss.org/sites/himssorg/files/2017-HIMSS-Cybersecurity-Survey-Final-Report.pdf
Guidance on Risk Analysis Requirements under the HIPAA Security Rule https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf