Every healthcare organization wants to avoid a breach. There has been much attention recently on cybersecurity, including the latest (and greatest) threats. Organizations of all kinds and types within the healthcare sector—and in many other sectors (including the financial sector)—have been increasing their cybersecurity personnel in an attempt to stay ahead of the threat. Even so, many organizations are still finding that the number of skilled cybersecurity personnel is woefully inadequate. The number of incidents—hacking and otherwise—is growing rapidly. Moreover, the data we are creating, collecting, and otherwise amassing continues to grow.
With these factors in mind, it is worth recognizing that a paradigm shift is under way. We now understand the importance of cybersecurity, because the better we are at controlling who gets what access to our data, the less often data leakage, breaches, and cyber attacks will occur.
Cybersecurity is not an impediment to our getting work done. Instead, it is a means by which one ensures that the right people get access to the right data at the right time. Indeed, cybersecurity has become a priority for many healthcare organizations, and an important area in its own right, especially given the sheer volume of cyber attacks and other security incidents that organizations—including those in healthcare—face day-to-day.
But, let us not forget about the very important role of information privacy. Briefly defined, information privacy relates to establishing rules that govern the collection, use, disclosure, storage, and destruction of information (i.e., throughout the information life cycle). Information privacy goes well beyond the requirements of HIPAA—indeed, HIPAA (including the HIPAA Privacy Rule) is only a piece of the puzzle. Moreover, no organization can avoid breaches and other compromises without having a robust privacy program.
In today’s digital world, organizations cannot keep information safe and secure without also keeping it private. By the same token, information privacy and information security must work hand in hand. You cannot have information privacy without information security in the electronic realm. Information technology is everywhere in some way, shape, or form. The healthcare sector is data-driven and technology-driven.
There are many information risks that can be greatly reduced with the coordinated institution of privacy and security controls, practices, and policies. However, each organization must examine how it is holistically safeguarding information from both information privacy and information security perspectives. Privacy and security professionals—working in concert with each other—should formulate appropriate policies and procedures (as well as controls) for safeguarding information through administrative, physical, and technical means. What is more, organizations need to encourage and facilitate information sharing (ideally, with a communications plan) so that any suspected or known incident is immediately reported and acted upon.
The concept of “see something, say something” should be strongly encouraged and information privacy – as well as information security – must be adopted and implemented with a “whole of organization” approach. (In other words, it is not enough for only the information technology professionals to have privacy and security awareness. All workforce members must be on board, especially since virtually anyone could potentially cause a breach or incident.)
With privacy and security practices and policies being well-coordinated (and accepted) throughout the entire organization, the potential for privacy and security incidents (as well as breaches) can be greatly reduced.
For example, suspected or known instances of malware (whether ransomware or otherwise) can be reported and acted upon much more quickly (ideally, before significant damage is done). The impact of insider threat actors – such as a negligent insider losing a laptop or thumb drive, or a malicious insider intentionally damaging or stealing information – can be vastly diminished with privacy and security practices and policies in place.
Information privacy and information security are everyone’s responsibility. We all need to coordinate, plan, and prepare for what is happening, as well as what may happen—presently or into the future.