Cyberattacks on health care call for a security refresh. Here are common challenges and their solutions.
Information security and compliance are the bedrock of trust in the digital age. Not only do they safeguard data and avoid potential financial losses, but they are the very essence of our integrity and reputation. And although primary care physicians, payers and providers are especially busy right now, they cannot afford to neglect cybersecurity and data protection. Without stringent measures in place, health care organizations are exposed to unprecedented risks, jeopardizing not only their assets but also those of their members and patients.
The number of cyberattacks and data breach incidents, and the costs associated with them, are increasing year by year. There is a wealth of information and stories describing the threats and ransom demands made by bad actors everywhere. A report from the Identity Theft Resource Center indicates that there was a 78% increase in compromised-data events in 2023 over 2022. The same report also notes that the health care industry had the highest number of compromises in 2023.
There are many implementation and maintenance challenges in navigating the intricate landscape of information security, privacy standards and ever-changing regulatory mandates. Many compliance-related challenges stem from a lack of understanding and from misconceptions that prevent companies from fully grasping the intricacies of compliance requirements. Today’s health care organizations can tackle the following three challenges with collaborative approaches, adequate training, clear communication and strong backing from management:
Challenge: Lack of required focus for sustainable security
Solution: A consistent and sustained commitment
One of the key barriers that adds to the hesitation to embrace a robust compliance program is the perception of compliance as a one-time task: checking a box and attaining a certification, much like completing and implementing a project at a fixed point in time.
Health care organizations should recognize that the work surrounding information security and compliance programs is not a one-time effort or a project with specific start and end points. The processes need to be established, matured over time, made repeatable and measured for progress, with continuous improvement built in. Successfully navigating this complexity requires finding methods to understand and implement baseline processes and controls that can produce the evidence needed, which ultimately determines the success of the compliance program.
Challenge: Responsibility of all — but primarily information technology
Solution: A collaborative approach
Data privacy regulations, especially for health care organizations, require companies to have a comprehensive understanding of where and how member and provider data are stored, what components of personal data are being stored, and how those data are being used, particularly as more and more companies adopt cloud storage and other cloud-related technologies. Maintaining the security and privacy of these personal data becomes the key objective. It is essential to evaluate the potential risks associated with new and developing technologies in order to properly direct teams in making the appropriate decisions and taking the necessary precautions from the ground up. As health care organizations create and deploy transformative technologies, they also need to make sure that information security and compliance processes are in place. In addition to being essential for compliance, these procedures also foster discipline in the creation and upkeep of software and systems.
Optimized security depends on close collaboration between those responsible for compliance and those involved in developing and maintaining technology solutions. This collaboration between engineering, compliance, legal and other experts ensures that compliance requirements are integrated into the design and implementation of technology solutions from the outset. It also means effective communication and alignment between compliance standards and software development processes, which facilitates the creation of secure, reliable and regulatory-compliant health care technology products. By working together closely, teams can develop the right policies and procedures, address issues early, streamline processes and ultimately deliver better outcomes for all.
Health care organizations that rely on the expertise of health care service partners should also set expectations for those partners. Both parties must establish a shared understanding of compliance efforts and requirements, as well as expectations regarding security measures. Health care clients should expect the vendors’ systems to be secure, which should be demonstrated through timely vulnerability testing conducted internally as well as by an independent third-party vendor on a regular basis.
Moreover, health care organizations can expect proper service-level agreements for systems and infrastructure maintenance, including robust business continuity and disaster recovery plans. Any security or data incidents should be promptly communicated to clients in accordance with company guidelines and risk management policies. Client systems must be compatible with the vendor’s systems so that information can be exchanged securely through methods that satisfy compliance requirements.
Challenge: Management’s perspective on return on investment
Solution: An alternative perspective on ROI
While the ROI from compliance efforts may not always be immediately quantifiable in monetary terms, the benefits in terms of risk reduction, efficiency improvements, competitive advantage and stakeholder trust contribute to the long-term success and sustainability of health care organizations.
In instances of budget constraints, or when opting for a conservative approach, organizations may choose to implement a phased strategy. Health care organizations can showcase their commitment to information security and compliance by undergoing independent audits and adhering, in phases, to frameworks such as Service Organization Control Type 2 (SOC 2), a cybersecurity framework that supports organizations in protecting their systems, and the Health Information Trust Alliance (HITRUST) framework. These frameworks are designed to evaluate and mitigate the risks associated with handling technology and data, especially in terms of privacy and security. Organizations may opt for a step-by-step approach, beginning with SOC 2 attestation, which establishes fundamental controls, before progressing to the more comprehensive assessment offered by HITRUST. Although SOC 2 and HITRUST are two distinct frameworks, each with its own set of requirements and objectives, there is significant overlap between the two, particularly in the security and privacy controls they prescribe.
In addressing the pressing challenges of health care information security and compliance, it is evident that a proactive and sustained commitment is essential. Health care organizations can best mitigate risk and enhance trust by embracing a holistic approach that involves all stakeholders, understanding the technology landscape and reevaluating traditional perspectives.
Ram Shastry is director of technology at Sagility, where he oversees the management of infrastructure and compliance for health care systems. With a wealth of experience in the industry, Ram has provided support across a diverse array of systems, facilitating the delivery of products and services within the IT domain. Additionally, Ram has played an instrumental role in supporting compliance programs and contributing to academia. Ram holds a master’s degree in information science from Pennsylvania State University.