By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
As National Cybersecurity Month comes to a close on October 31st, it should be stated that security and cybersecurity need care and attention all year long. To effectively protect data in an organization’s trust, security demands constant vigilance and an evolving approach to recognize the shifting nature of threats.
For organizations in healthcare, HIPAA sets the baseline from which to construct a solid security platform. The first step in that process is a risk analysis. The risk analysis is designed to provide a comprehensive overview of where all data reside, the risks to the data, the likelihood of an event occurring, and then to assign a threat level to every element. A detailed explanation of what goes into a risk analysis has been covered before, so please read the earlier post for a refresher.
Finding resources to help an organization conduct the risk analysis is always welcome. The Office of the National Coordinator for Health IT came out with an initial version of a self-conducted risk analysis tool a number of years ago at this point. Timed with the end of Cybersecurity Month, updates have been made to the tool to further increase usability. While the tool is a good start, it must be used seriously, and issues cannot be taken too lightly. It could be tempting to overstate the protective capabilities of an organization or to understate the likelihood of threats. Reviewing a report that does not fully consider all threats or vulnerabilities should result in a funny gut feeling. The reason for that feeling is the unfortunate reality that no system can ever be fully secure these days.
On top of the risk analysis and taking steps to implement effective security measures, there should also be time for reflection on what improvements can be pursued to aid the security posture of organizations. Do sufficient resources, whether monetary or personnel, exist to adequately implement security measures? From that perspective, there are opportunities to pursue new goals and support. The Do No Harm 2.0 report, authored by Robert Lord of Protenus and Dillon Roseen for New America, focuses on culture, technology, and workforce concepts to propose an assortment of means to drive the security ball forward (full disclosure, I was honored by Robert Lord to provide feedback throughout the drafting process). Suggestions range from instilling a culture focused on security, to government support of education and training on cybersecurity, to revising regulations to encourage funding of and collaboration around cybersecurity. The report attempts to establish certain ideals to work towards. While the ideals may not be fulfilled, driving a discussion is an important part of the process, as discussion can lead to necessary attention and action.
As initially suggested, security should not receive attention solely in one month of the year. While it is good to have the focus on security at this time and for new reports, tools, and other materials to be published, the need for continued focus also cannot be overlooked. Optimistically, the efforts established annually during cybersecurity month can provide new bursts of energy around year-round activities. When security does not need special focus because it is an ongoing, constant part of daily operations, then some measure of success can be appreciated. Even at that point, there will be no time to rest.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.