Healthcare News & Insights

Healthcare compliance and cybersecurity: Examining the needs

As health care’s reliance on technology becomes greater – and it will – security risks continue to grow. In this guest post, David Wagner, president and CEO of an email security company, offers best practices for organizations looking to implement and maintain successful compliance strategies.


Hospitals are alive with activity and awash with information. A single healthcare complex can contain hundreds of staff members using thousands of devices to tap into a vast ecosystem of healthcare data. As a result, hospitals and most other healthcare settings present a large attack surface and a constant risk of reportable breaches and compliance violations.

While organizations in every industry face similar scrutiny and risk of violation, health care is unique in two ways. First, medical information is extremely sensitive: a compromised or altered record can affect clinical decisions and, in the worst case, a patient's life. Secondly, health care depends on a huge number of network-connected devices, many of which run outdated software and cannot be patched on the same cycle as ordinary IT equipment, and therefore may lack basic defenses or even the capability to support them. These hurdles put the healthcare industry at a much higher risk of noncompliance, an important distinction because violations involving healthcare data carry elevated consequences for the provider.

This situation will not get any better as health care becomes even more reliant on technology. Now that patients are using at-home devices to transmit health information, the sheer number of devices that hackers could target is growing significantly.

Healthcare data is also subject to the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy and Security Rules set the standards for handling protected health information (PHI). Any misuse of that information can be a HIPAA violation, with civil penalties of up to $1.5 million per calendar year for violations of a single provision. We therefore need to treat compliance and cybersecurity as overlapping requirements: one is impossible without the other.

Thinking ‘beyond’ compliance

As the risks of noncompliance become more widely understood, organizations are recognizing that avoiding a breach requires both adequate cybersecurity and a proactive, top-down organizational approach to compliance. More important, treating compliance as the end goal rather than the starting point is increasingly a lost opportunity in health care.

Another important point is that compliant data is not necessarily useful data. A hospital can meet HIPAA's mandates while the data sits inert. Keeping data safe and secure is only the first step; making it accessible and well organized turns it into a far more valuable asset. For instance, hospitals can mine the data for indicators of insurance fraud or for evidence of suboptimal outcomes, so the same data becomes a tool for improving care and driving performance at the same time.

Thinking beyond compliance also means that the letter of the law isn’t the substance of the strategy. Instead of doing only what regulators require, hospitals are adjusting their workflows to inherently keep data safe while leveraging it responsibly. Once that optimization is fully realized, consistent HIPAA compliance is just one of many positive outcomes.

Preparing data for the future of health care

What can we expect from the future of health care? Almost certainly an expanded regulatory landscape that focuses specifically on data protection and privacy. Equally likely is an increased dependence on hardware, software and data throughout the industry. The following measures represent best practices as organizations look to implement and maintain successful compliance strategies:

  • Adopt a cloud-first strategy: With data streaming into healthcare organizations from hundreds of sources, the cloud is the only option flexible and scalable enough to keep up. A mature cloud provider can also deliver a stronger security baseline (patched infrastructure, physical controls, audited operations) than many on-premises deployments, often at lower cost. Two caveats apply: a cloud provider that stores or processes PHI is a business associate under HIPAA and must sign a business associate agreement, and responsibility for identity and access management, encryption settings and tenant configuration stays with the healthcare organization. Every healthcare organization should consider a cloud-first strategy, but particularly the smaller ones with less time and money to spend on cybersecurity.
  • Unify search capabilities: Healthcare data should be as integrated as possible and reachable through simple search. Unified search makes compliance audits much faster and lets the data be explored for insights; without it, finding a specific record or a whole class of documents takes far longer than it should. A search index over PHI is itself a copy of PHI, so it needs the same access controls and audit logging as the systems it indexes.
  • Work to build value: Breaking away from old attitudes about compliance isn’t easy to do. It’s necessary, however, because organizations that aren’t evolving tend to settle for the bare minimum. Instead of simply checking the boxes of compliance, organizations need to see the value in those boxes. More important, they need to recognize the value of going above and beyond. It takes new plans, policies and technologies, but it also takes a meaningful shift in the culture.
  • Treat data dynamically: Data leaves HIPAA's restrictions only when it has been properly de-identified, either by the Safe Harbor method (removing all 18 identifier categories, from names and full dates down to device serials and IP addresses) or by Expert Determination; stripping names alone is not enough, and combinations of the remaining fields can still re-identify patients. Once de-identified, the data can be queried to answer the most urgent and essential questions. Create a plan for when, where, why and how the organization will use the available data. Letting data sit idle shouldn't be an option.
  • Extend access: Once data is organized and secure, make it usable by as many decision makers as possible, but along the lines HIPAA already draws. Identifiable PHI stays behind role-based access controls that follow the minimum necessary standard, with every access logged; de-identified and aggregated data is what can be opened to decision makers at all levels to use in whatever ways add value to the organization and the patient experience.
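De-identification is the line between the PHI that must stay under minimum-necessary access and the data that can be shared widely, and it has a precise definition under the Privacy Rule. The Python below is an added example, not code from the article or from Zix: it applies the Safe Harbor method (45 CFR 164.514(b)(2)) to a constructed patient record whose field names and flat layout are assumptions of the example. It drops direct identifiers, keeps only the year of dates, truncates ZIP codes to three digits (or "000" for the areas HHS lists as too small), aggregates ages of 90 and over while suppressing the birth year that would reveal them, scrubs obvious identifier patterns from a free-text field, and reports which fields of a record still violate Safe Harbor.

```python
import re
from datetime import date

# 3-digit ZIP prefixes that HHS's Safe Harbor guidance (2000 Census figures)
# lists as covering 20,000 or fewer people; these must be reported as "000".
# Check the current HHS guidance before relying on this set.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
# Direct identifiers removed outright. Field names are an assumption of this
# example's record layout, mapped onto the Safe Harbor identifier categories.
DROP_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
FREE_TEXT_FIELDS = {"notes"}
# Identifiers that leak into free text. These regexes catch only the obvious
# shapes; in practice free-text fields are reviewed by hand or excluded.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless HHS lists that area as too small."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth, reference):
    """Whole years between a birth date and a reference date."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_text(text):
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, reference_date):
    """Return a Safe Harbor copy of `record`; `reference_date` fixes the age."""
    out = {}
    birth = record.get("birth_date")
    age = age_on(birth, reference_date) if birth else record.get("age")
    for field, value in record.items():
        if field in DROP_FIELDS or field == "age":
            continue
        if field in DATE_FIELDS:
            # Ages over 89 must be aggregated, and a birth year would reveal
            # such an age, so even the year is suppressed in that case.
            if field == "birth_date" and age is not None and age >= 90:
                continue
            out[field.replace("_date", "_year")] = value.year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if age is not None:
        out["age"] = "90+" if age >= 90 else age
    return out


def safe_harbor_violations(record):
    """Names of fields that still carry Safe Harbor identifiers ([] means clean)."""
    problems = []
    for field, value in record.items():
        if field in DROP_FIELDS or field == "zip" or isinstance(value, date):
            problems.append(field)
        elif field == "age" and isinstance(value, int) and value >= 90:
            problems.append(field)
        elif isinstance(value, str) and any(p.search(value) for p, _ in TEXT_PATTERNS):
            problems.append(field)
    return problems


# Constructed sample record for the example; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe", "mrn": "MRN-00418", "ssn": "123-45-6789",
    "street_address": "12 Elm St", "city": "Boston", "state": "MA", "zip": "02118",
    "birth_date": date(1931, 6, 15), "admission_date": date(2024, 3, 2),
    "discharge_date": date(2024, 3, 9), "diagnosis_code": "I50.9",
    "notes": "Pt called from (555) 867-5309; SSN 123-45-6789 on file; email j.doe@example.com",
}

if __name__ == "__main__":
    print("before:", safe_harbor_violations(SAMPLE_RECORD))
    clean = deidentify(SAMPLE_RECORD, SAMPLE_RECORD["admission_date"])
    print("after:", clean, "remaining:", safe_harbor_violations(clean))
```

Safe Harbor also requires that the covered entity has no actual knowledge that the remaining fields could identify the individual, which no code can check for you; the regex scrub of free text is a backstop, not a substitute for excluding or reviewing narrative fields before release.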

One challenge in implementing an effective and efficient compliance strategy is that the effort isn't confined to compliance officers and IT staff. It is an organization-wide effort that requires buy-in from the top down and engagement from the bottom up. Partnerships with managed security service providers can help hospitals coordinate that effort and refine how they use data in the process. Once the strategy is in place and in effect, compliance is much less of a liability and becomes a strength and a valuable tool.

David Wagner serves as the president and CEO of Zix, a leader in email security.
