A commonly seen problem across healthcare entities of all sizes is underfunding of security programs. Healthcare providers around the country face financial difficulties and, as a result, are finding it hard to meet security requirements and compliance deadlines. Troy Regional Medical Center, a 97-bed healthcare facility in South Troy, Alabama, is going through a similar experience.
The medical center reported an incident involving unauthorized access to the records of 881 patients in March 2011, for which it now faces an investigation by the HHS Office for Civil Rights and a potential penalty. The breach involved the theft of patient information and SSNs by a contract worker, who was convicted and sentenced to 65 months in federal prison. Another member of the ID theft and fraud ring was sentenced to 10 years' imprisonment for her part in the scam.
Teresa Grimes, CEO and Administrator of Troy Regional, acknowledged in an interview with HealthcareInfoSecurity that the entity did not have the money to invest in security as there were substantial operating losses over the last several years.
But such an incident is not limited to this medical center alone. Several other smaller healthcare organizations are also having a tough time scrounging up money for HIPAA compliance and other data security measures, and eventually underfund or under-staff their security programs. This clearly means that the senior leadership in these organizations is yet to grasp the importance and value of keeping information secure. It is critical to understand that even the smallest, cash-strapped healthcare entities have to make information security a priority if they wish to avoid breaches and resultant legal action, because breaches can happen anywhere, and at any time.
While security experts believe that many organizations have to change their existing mindset about information security and realize its importance, HealthcareInfoSecurity’s recent survey revealed that only about one-third of the organizations expected their security budget to grow this year, and that most entities allocate money for security on an as-needed basis.
Stretching Resources to Accommodate Security
Kate Borten, who heads the IT security consulting firm The Marblehead Group, is of the opinion that security resources are sometimes not focused on the areas of highest risk, and that healthcare providers miss opportunities for inexpensive controls.
So how can cash-strapped healthcare organizations stretch their security buck?
- Making use of free government resources such as the privacy and security guidance offered on the HHS website
- Taking risk assessment seriously, and performing timely and cost-efficient risk assessments with the help of boutique consulting firms
- Addressing high-risk findings, establishing security procedures and protocols, and making more extensive use of encryption
- Training staff and providing ongoing awareness communication
- Ensuring security controls are in place for all business associates
- Adopting a comprehensive and cost-effective solution such as Aegify Security Posture Management and Aegify SecureGRC to make sure that the entity is secure and compliant at all times.
Although finding funds for security is still difficult for many organizations, it is now a necessity. Hence, they should devise creative means to make the most of their limited resources to protect patient health information, or get ready to pay legal fees and huge penalties at a later date for leaving risks unmitigated. Aegify solutions are subscription-based with no upfront investment, and the operational expenses are very low. Pay a small subscription now to save large payments in fines later. Subscribe to the free Community Edition now to get a flavor of this highly cost-effective solution with extensive features.