organization. Internal IT professionals should be focused on ensuring complex security aspects such as data loss prevention or security event and incident monitoring. However, things like business associate agreements and better staff background checks will likely be out of their experience range. Even though cybersecurity may seem like an IT issue on the surface, security compliance is process oriented, and risks come from all directions, not
Security is a risk management process, not an IT function. Like other business or medical risks, security should be viewed as a process to minimize potential losses by controlling sources of risk. IT is one source of risk, but there are many others that may be
· Human error is a major source of risk that IT may be poorly suited to address.
· The physical layout and security features of a clinic can help or hinder security.
· Effective staff training is both needed and key to reducing human error.
· Clinical and operations staff are key stakeholders and have vast knowledge that is needed when planning for disaster or
These are all functions of security risk
Ultimately, all of these risks, whether IT, HR, clinical, financial, legal, or administrative, should be the concern of the entire organization (see sidebar).
If planned correctly, compliance will be the natural result of a comprehensive security program led by someone who understands both the risk management methodology required for security and the HIPAA compliance documentation requirements.
What is the best strategy and who should lead?
First and foremost, support for security must come from executive leadership. Security involves resources and time. Understanding business risk is in executive management's domain. Compliance is also a business risk. Merging these two risk objectives makes sense if the resulting program is managed for both. Managing them separately is a recipe for frustration and disaster. Setting up a process for assessing and reporting risk and compliance to the C-level leaders permits them to make intelligent allocation of resources and realistic expectations of schedule. Their full-throated support is a key factor for success.
One should look at security and HIPAA compliance as a series of ongoing projects that need to be managed. Individual projects, such as security training, business associate contracts, or encryption, can be assigned to the appropriate lead, but the overall strategy for controlling business risk should remain with executive leaders who are good at motivating, guiding, and measuring projects. Identifying and training the leader who will understand both HIPAA and security risk is key to keeping a single program. The logical choice for this role in a smaller organization is the
Risk: From threat to loss
In the language of cybersecurity, "risk" is the expected "loss" due to materialized "threats." Where threats meet "vulnerabilities," an "impact" can occur, resulting in loss. Losses are most easily quantified in terms of dollars, but other values are relevant in healthcare.
Risk and Compliance