You don’t want to scare them too much, and you don’t want to come off as pushy – you need to find the right balance to put your clients at ease while convincing them that they need you to protect them.
“If you are running a health system, your main area of expertise is not necessarily cybersecurity or cyber accountability,” Mathieu Gorge, CEO of VigiTrust and author of The Cyber Elephant in the Boardroom, explained in an interview with HealthITSecurity.
“One of the main issues behind the disconnect between IT, security, and compliance professionals and the senior decision-makers is that they don’t necessarily speak the same language.”
Steps to Take to Communicate Cyber Risks in Healthcare Effectively
- Understanding the healthcare cyber ecosystem
- Translating cyber risk to business risk
- Explaining cybersecurity as an investment rather than a business expense
- Communicating the importance of a culture of security
Understanding the Healthcare Cyber Ecosystem
This first step is for you. Before you can effectively communicate cyber risks in healthcare, you must understand what’s at stake for your clients. If you don’t understand the healthcare cyber ecosystem, you can’t help protect them against risk.
When it comes to health data, there is a wealth of information contained in patient files. HIPAA defines protected health information (PHI) as individually identifiable health information, and its Privacy Rule lists 18 identifiers that tie health data to a person; under the Safe Harbor de-identification standard, all 18 must be removed before data is no longer considered PHI. The list includes names, Social Security numbers, IP addresses, account numbers (which covers credit card numbers), medical record numbers, and biometric identifiers.
“This is somebody’s life,” Gorge stressed. “If my credit card gets stolen, I can get a new credit card. If my health data gets stolen, I don’t get a second one. It’s completely irreplaceable.”
Translating Cyber Risk to Business Risk
Businesses understand risk. But there are different types of risk, and some are simply accepted as a cost of doing business. Cyber risks in healthcare are different: they should not be written off as a cost of doing business, because they can be assessed, prepared for, and reduced. The specific risks also differ depending on the type and size of the healthcare business. A single-practitioner doctor’s office with one computer does not face the same risks as a large hospital system with hundreds of devices. Identifying the business’ particular cyber risks is not only required by the HIPAA Security Rule, which mandates a formal risk analysis, but is key to making the business understand what its risks are and how you can help mitigate them.
“Cybersecurity and cyber accountability are not always priorities. Even if it becomes a priority, the challenge for them is to understand what they need to do in plain business terms. They don’t necessarily understand cyber risk, but they understand risk. They deal with risk every day. Especially in healthcare, they deal with reputation risk, brand risk, and insurance risk. We just need to translate the cyber risk into one of those additional business risks so that they can discuss it and take corrective action.”
Explaining Cybersecurity as an Investment Rather than a Business Expense
Cybersecurity should be thought of as an investment rather than an expense. Businesses are much more likely to accept the cost of an investment than just another expense they have a hard time justifying.
Healthcare businesses that don’t invest in security upfront carry substantial financial risk, while those that invest before an incident occurs see a financial return. You know this, but they most likely don’t: monitoring and response capabilities shorten the time it takes to detect and contain an incident, and a shorter incident means lower recovery costs, less downtime, and smaller breach-notification and regulatory exposure.
“If you start looking at all your investments in security and compliance as assets for the organization, you can then put a dollar value on those assets and put that dollar value on your balance sheet,” Gorge suggested. “Now that it is a financial item, there is absolutely no way that cyber risk is going to fall off the grid.”
Communicating the Importance of a Culture of Security
Your clients will ultimately thank you for helping them to establish a culture of security within their organization.
“If you build a culture of security throughout the organization, from the admissions people to the surgeons, to the IT people, and all the way up to the board, you have a much better chance of protecting the data and managing that additional risk surface,” Gorge emphasized.
What’s important to note is that a culture of security goes hand-in-hand with HIPAA compliance. But you’re a security expert, not a compliance expert, so how do you help? Compliancy Group’s Partner Program allows you to advise your clients on compliance without actually having to do the advising yourself.
About Our Partner Program
Compliancy Group’s HIPAA Partner Program allows you to benefit from our industry-leading HIPAA compliance software and expertise. You handle the security, we’ll handle the compliance.
Our team of Compliance Coaches walks your clients through our HIPAA compliance software solution, enabling them to implement a complete HIPAA compliance program efficiently and effectively. As a Compliancy Group partner, you share in our profits with each client you bring to us, without having to become a HIPAA expert yourself.
As an added value, you have exclusive access to our content marketing team, giving you the resources to educate your clients and sell HIPAA compliance. Find out more about our Partner Program!