Cyber Risk

Mon, Jan 6, 2014

IT Security Planning Should Be a Top 2014 Healthcare Resolution

New academic report with data from Kroll/HIMSS survey shows comprehensive security planning delivers more value than checklist compliance approach.

M. Eric Johnson, Dean of the Owen Graduate School of Management, Vanderbilt University, has a couple important messages for hospitals in the latest post on his blog, "Hospitals Must Develop IT Security Plans To Avoid Target’s Fate": Set aside time for your 2014 IT security planning, and when you do, be sure to go beyond a “check the boxes” compliance-focused approach for maximum value to your organization.

Dean Johnson’s advice is based on findings presented last month in a report that he had co-authored, "Health-Care Security Strategies for Data Protection and Regulatory Compliance". Published in the Journal of Management Information Systems, the report drew on data from the Kroll/HIMSS 2010 and 2012 Reports on Security of Patient Data.

When Kroll published our findings, we warned that “There is cause for concern that the security practices in place continue to overemphasize ‘checklist’ mentality for compliance without implementing more comprehensive and sustainable changes needed for meaningful improvements in the day-to-day handling of patient PHI and PII.” Dean Johnson and his co-author, Juhee Kwon, discovered that while compliance with regulatory mandates like HIPAA does promote better patient information protection among the worst hospitals, “organizations that maintain and regularly update a security plan get far more from their security investments. These strategic plans along with periodic review enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate.”

You can read more about the study, how the impact of security investments varies depending on the operational maturity of the organization, and Dean Johnson’s belief that “Similar to teaching a person to fish, regulations should encourage organizations to actively develop and maintain their own action plans rather than providing check-box requirement lists” here

By Kroll Editorial Team

Compliance Risk and Diligence

The Kroll Investigations, Diligence and Compliance team partners with clients to anticipate, detect and manage regulatory and reputational risks associated with global ethics and compliance obligations.

Service Link

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Service Link

Cyber Policy Review and Design

Ensure that your cyber security policy has the appropriate controls needed to keep your organization's information secure with a remediation plan in place in the event of an incident.

Service Link

Third Party Cyber Audits and Reviews

Ensure that your third parties are handling sensitive data according to regulatory guidelines and industry standards with our cyber audits and reviews.

Service Link

Kroll is headquartered in New York with offices around the world.

55 East 52nd Street 17 Fl
New York NY 10055
+1 212 593 1000
Sign up to receive periodic news, reports, and invitations from Kroll. Our privacy policy describes how your data will be processed.

More About Kroll

More About Kroll
© 2024 Kroll, LLC. All rights reserved. Kroll is not affiliated with Kroll Bond Rating Agency, Kroll OnTrack Inc. or their affiliated businesses. Read more.
Return to top