The success of a healthcare organization is going to become increasingly dependent on the organization's ability to keep electronic protected health information (ePHI) secure.
An in-depth analysis of the HIPAA regulations will disclose the need to address issues from a business perspective. This business perspective can only be realized by instituting a program based on risk assessments and analyses. Gone are the days when governing and regulating bodies were prescriptive about information security. Each organization is now required to do this work itself.
This requirement poses three important questions to an organization:
- Do you understand the information security risks to your unique organization?
- Have you taken steps to mitigate these risks that are appropriate to your organization?
- Have you established an appropriate management and governance model to be sure your mitigation practices are in place and being used?
If a company does not have a documented process through which to assess cyber risk, and/or does not have a person designated to be in charge of the assessment process, then, functionally, the organization has no plan for cyber risk at all.