
Change in Mindset Necessary for Stronger Information Security in Healthcare


Compliance is king, but that's not how it should be. Since the introduction of HIPAA in 1996, the healthcare field has centered data privacy and security efforts around compliance. If all the boxes were checked and organizations received a passing compliance report, everything was "all good."

The problem is, this led healthcare organizations to the false belief that as long as they're compliant with the HIPAA rules, their systems are secure. Unfortunately, as we generally know today, that's not true. This perspective can be problematic in any field, but it's especially damaging in the healthcare industry. Here's why:

The HIPAA Security Rule became mandatory for providers, payers, and clearinghouses in 2005, and even with the additional features of the HITECH Act and the more recent HIPAA Omnibus Rule, the actual HIPAA requirements around security have not changed much. For perspective, the first iPhone wasn't released until 2007. If companies are basing their security posture on a framework that's 13 years old, it shouldn't be a surprise that those organizations, while compliant, might not be secure.

"It's time now to really begin to pay more attention to our security programs holistically instead of being so compliance-focused," said Mark Johnson, shareholder at LBMC and leader of the healthcare security practice.


Johnson underscored the fact that companies shouldn't ignore compliance wholesale but should focus their efforts on the threats their organizations are truly facing, not the checkboxes that come with a HIPAA audit. But, as many are already aware, this is easier said than done for many organizations.

"Security is one of those things that you're never done with. It's not a project that you can say, 'Okay, we've reviewed our security plans and procedures, and we've implemented this technology, and we're good,'" noted Johnson.

Beyond that, it also can be difficult to get a board to see the importance of cybersecurity, because there's no clear ROI. However, according to Johnson, boards are asking the wrong questions if they're looking for the ROI on information security.

Johnson said he believes organizations need to stop asking, "What's the return on our investments in our cybersecurity efforts?" and start asking, "How much are we avoiding losing with our cybersecurity efforts?"

This is especially true as healthcare reimbursement systems trend toward outcome-based reimbursement, meaning quality of care, patient satisfaction, readmission rates, and other metrics are playing a larger role in how providers are reimbursed. In these circumstances, with healthcare's ever-increasing reliance on technology to deliver, monitor, and document care, systems availability and data integrity are more important than ever to bottom lines in the healthcare ecosystem. Information security, in this context, goes well beyond the historical focus on maintaining confidentiality to protect patient privacy.

So, what can be done? How should a healthcare company responsibly handle information security?

It starts with a change in mindset.

Compliance can no longer be king. Instead, healthcare companies must adopt information security as their new ruling principle. As a benefit, aiming for security will likely lead to compliance, whereas the opposite is not always true, as discussed above.

Regardless of the level of sophistication, most (if not all) information security programs start at the same place: awareness. Organizations must know what their threats are. They must know where their assets are, and they must also know the vulnerabilities associated with those assets. After that, they should develop a plan to close those vulnerabilities and educate users on the threats.

The problem is that developing and maintaining a robust information security program requires vigilance, and, per Johnson, "Most small and medium-sized organizations just don't have the resources to do that internally." Because of this, Johnson added, "We've seen an increase in people thinking about outsourcing cybersecurity now."

If considering this avenue, it's important to be aware that outsourcing IT is not the same as outsourcing cybersecurity. While an outsourced IT team (commonly referred to as an MSP, or managed service provider) typically makes sure systems are running appropriately and that they're patched regularly, they might not be contracted, or have the expertise and experience, to monitor those systems or ensure their security on an ongoing basis.

If looking for that level of service, consider an MSSP (managed security services provider). These types of vendors focus on security and can provide a higher level of assurance for information security programs.

"Many organizations are doing better work around security now than they used to, but there's still a lot of room for improvement," said Johnson.

When looking for a place to start improving company-wide awareness of the security program, a risk assessment is the ideal starting point. It will help identify the most important items mentioned above (i.e., threats, assets, and vulnerabilities). Beyond that, it will support the development of an action plan to address those risks and better secure all data.

Effective risk assessments are based on strong methodologies, like NIST, FAIR, or OCTAVE. But, even with these methodologies, the process can be complicated. So, what answers should directors and owners of healthcare businesses be seeking related to their organization's security? Here are a few suggestions:

  • Who in the organization is actually tasked with making sure our systems are secure and that we are complying with the relevant regulatory requirements? If you can't name the individual or organization with this responsibility, that should be remedied. If it's not being actively managed, it's probably not being done.
  • Do we know at all times where protected data "lives" in our organization? If there is any hesitation in answering this question, it probably points to a problem with asset management. The issue here is, if we don't know which systems hold our crown jewels, there is a chance some of those systems are going unprotected, and, by the way, it also means you are not compliant with HIPAA.
  • Have we done a risk assessment in the last 12 months that considers the nature of our organization, the things that can go wrong, and what we are doing about those things? If you are only checking the box on the HIPAA security rule requirements, you probably haven't done a risk assessment that will be truly beneficial. For example, how are we prepared for something like ransomware? How are we protecting ourselves, and what will we do if we fall victim?
  • How are we doing with keeping our systems and the applications that run on them updated with the latest patches to keep them from being successfully attacked? This is a critical function that often goes undone if no one is minding the store. A vulnerability management program is absolutely key to protecting your systems.
  • How easy would it be for someone to break into our systems from the outside, or from the inside through social engineering activities like phishing? This is where it can pay to contract with an experienced company for a penetration test. It's much better and less expensive to proactively discover those holes in your defenses than to learn about them after a data breach that potentially leads to investigations or fines and penalties.
  • How are we monitoring our systems on a daily basis to ensure we catch bad actors before they can do serious damage? This is very hard for smaller organizations, as the bad guys never sleep. This is a perfect example of something many healthcare companies are choosing to outsource to firms who can provide around-the-clock vigilance.

This is, by no means, an exhaustive description of everything healthcare companies and practices need to consider about their security program. Other topics include policies, disaster recovery, incident response, awareness and training, along with numerous other important facets. However, seeking answers to the questions above is a fantastic starting place.

Then, the first step towards improvement must be a change in mindset. It's time for healthcare companies to aim for security and accomplish compliance along the way, instead of the other way around.

Mark Fulford, CISSP, CISA, CCSFP, HITRUST, is an LBMC shareholder in the Risk Services Division with nearly 25 years of experience in information technology, audit and security. LBMC Information Security's team includes a diverse group of experienced professionals that help healthcare companies protect their systems and meet compliance obligations. LBMC is also the creator of the BALLAST automated risk management application, used by hundreds of organizations to identify, track, and remediate security risks. For more information, email or go online to


LBMC Information Security


