Mon, Jan 6, 2014

IT Security Planning Should Be a Top 2014 Healthcare Resolution

New academic report with data from Kroll/HIMSS survey shows comprehensive security planning delivers more value than checklist compliance approach.

M. Eric Johnson, Dean of the Owen Graduate School of Management, Vanderbilt University, has a couple of important messages for hospitals in the latest post on his blog, "Hospitals Must Develop IT Security Plans To Avoid Target’s Fate": Set aside time for your 2014 IT security planning, and when you do, be sure to go beyond a “check the boxes” compliance-focused approach to get maximum value for your organization.

Dean Johnson’s advice is based on findings presented last month in a report he co-authored, "Health-Care Security Strategies for Data Protection and Regulatory Compliance". Published in the Journal of Management Information Systems, the report drew on data from the Kroll/HIMSS 2010 and 2012 Reports on Security of Patient Data.

When Kroll published our findings, we warned that “There is cause for concern that the security practices in place continue to overemphasize ‘checklist’ mentality for compliance without implementing more comprehensive and sustainable changes needed for meaningful improvements in the day-to-day handling of patient PHI and PII.” Dean Johnson and his co-author, Juhee Kwon, discovered that while compliance with regulatory mandates like HIPAA does promote better patient information protection among the worst hospitals, “organizations that maintain and regularly update a security plan get far more from their security investments. These strategic plans along with periodic review enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate.”

You can read more about the study, how the impact of security investments varies with the operational maturity of the organization, and Dean Johnson’s belief that “Similar to teaching a person to fish, regulations should encourage organizations to actively develop and maintain their own action plans rather than providing check-box requirement lists” here.

By Kroll Editorial Team
