New academic report with data from Kroll/HIMSS survey shows comprehensive security planning delivers more value than checklist compliance approach.
M. Eric Johnson, Dean of the Owen Graduate School of Management, Vanderbilt University, has a couple of important messages for hospitals in the latest post on his blog, "Hospitals Must Develop IT Security Plans To Avoid Target’s Fate": set aside time for your 2014 IT security planning, and when you do, be sure to go beyond a “check the boxes” compliance-focused approach to get maximum value for your organization.
Dean Johnson’s advice is based on findings presented last month in a report that he had co-authored, "Health-Care Security Strategies for Data Protection and Regulatory Compliance". Published in the Journal of Management Information Systems, the report drew on data from the Kroll/HIMSS 2010 and 2012 Reports on Security of Patient Data.
When Kroll published our findings, we warned that “There is cause for concern that the security practices in place continue to overemphasize ‘checklist’ mentality for compliance without implementing more comprehensive and sustainable changes needed for meaningful improvements in the day-to-day handling of patient PHI and PII.” Dean Johnson and his co-author, Juhee Kwon, discovered that while compliance with regulatory mandates like HIPAA does promote better patient information protection among the worst hospitals, “organizations that maintain and regularly update a security plan get far more from their security investments. These strategic plans along with periodic review enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate.”
You can read more about the study, how the impact of security investments varies depending on the operational maturity of the organization, and Dean Johnson’s belief that “Similar to teaching a person to fish, regulations should encourage organizations to actively develop and maintain their own action plans rather than providing check-box requirement lists” here.
By Kroll Editorial Team