
The Importance of Policies and Procedures in Healthcare 

From addressing the rise of AI within healthcare to meeting the HHS’s cybersecurity performance goals (CPGs), there has never been a better time to update your cybersecurity policies and procedures. Simply revisiting these core documents and refreshing them to meet the latest risks can immediately improve your posture – and this article will explain how. 

Why Policies and Procedures Are Key for Healthcare Security 

Strong cybersecurity requires consistent and unified action; no matter how skilled an individual security practitioner is, they must rely on countless other employees across the organization to maintain data security, adhere to regulatory requirements, and follow security best practices to protect your patients, reputation, and bottom line.

Policies and procedures help to coordinate that action, making explicit what is required from every member of the organization and how your overarching security program must be run. They often simplify highly complex tasks, providing clear guidance and reducing confusion around what is required to mitigate, avoid, or respond to security threats.

Why is Now the Moment to Update Your Policies? 

There are four clear reasons to update your security policies and procedures right now: 

  • Mitigate New Risks: Cybersecurity is constantly evolving – from new regulatory requirements to novel criminal tactics. Updating your policies ensures your organization stays ahead of these changes and can maintain a robust posture regardless of the emerging challenges.   
  • Increase Adherence: Updating your policies can improve adherence by providing clarity on the exact requirements for each area of your organization. This is vital to ensure your policies fulfill their purpose; a recent survey found nearly one-third of data loss and exfiltration incidents were the result of employees not following security policies.
  • Align with Leading Frameworks: Revising your policies presents the opportunity to more closely align your organization with the latest guidance from leading security frameworks, such as the most recent updates to the NIST Cybersecurity Framework and HITRUST. Most organizations know these frameworks would improve their security posture – and there has never been a better time to use them.
  • Build a Strong Security Culture: Refreshing your security policies signals the importance of security across your organization. This is crucial to ensure compliance and security remain top of mind – and are properly prioritized by all parties – from individual staff members to the C-suite.

All this makes clear that the relatively small effort required to implement new policies will have wide-ranging benefits for your security posture. But where exactly should your new policies and procedures focus? 

Five Areas to Develop New Policies and Procedures 

1. AI Safety 

The potential for AI to improve healthcare is well established – from streamlining administrative processes to enabling faster and more accurate diagnostics. But realizing those benefits requires strong security processes to vet new solutions, ensure IT systems are safe, and manage the evolving AI landscape to ensure all AI tools maintain data privacy, security, and integrity. 

New policies around AI will make this far easier, creating official processes to evaluate and ensure AI safety. NIST recently produced specialized guidelines for the safe adoption of AI, and our experts suggest this should form the foundation of your new AI security policies.  

2. Cybersecurity Training 

Cybersecurity training is the foundation of a strong security posture, ensuring employees meet regulatory requirements and follow security best practices. But given that more than a quarter of organizations report running training “ad hoc” – with no fixed frequency or required learning assessments – this is a clear area where new policies can have a fast and powerful impact. 

Our recommendation would be to ensure your policies make explicit: 

  • The frequency of required training (ideally increasing the frequency to ensure employees are prepared for new regulatory requirements)
  • The method of training (with an emphasis on flexibility for all employees to access training with ease) 
  • The method of assessment (ensuring employees are tested and their progress quantified to enable targeted interventions and improve overall knowledge) 

3. Incident Response and Recovery Plans 

The impact of cybersecurity incidents can often be mitigated with a fast and effective response. However, this requires a clear incident response plan to coordinate efforts in real time and ensure there are vital systems in place to accelerate recovery. 

Research suggests 63% of healthcare organizations could improve their cyber resilience simply by developing such policies, and our experts suggest you focus on: 

  • Establishing communication lines that will be used during an incident 
  • Ensuring breaches are quickly and effectively reported and all relevant parties are notified 
  • Creating strategies for the containment and mitigation of a breach to minimize disruption 

4. Data Encryption and Access Controls 

The proposed updates to HIPAA’s Security Rule will require improvements to ePHI protections. This includes introducing or enhancing safeguards such as multifactor authentication (MFA), network segmentation, more robust data access controls, and comprehensive data encryption.  

This makes introducing new policies around data protection a clear win-win. Not only will you improve your security posture and keep patients safe, but you will also be more prepared for regulatory updates and reduce future compliance risks.   

5. Security Assessment Frequency 

Another component of the proposed Security Rule updates is continuous risk monitoring – which requires more frequent security assessments. This should encourage you to go beyond the standard annual HIPAA assessment and create official policies that dictate: 

  • The frequency of organization-wide assessment, including third-party vendor risk assessments 
  • The processes required to ensure assessments are run efficiently and generate useful and accurate data 
  • The management of assessment data to ensure it is documented properly 

This will ultimately enable a more comprehensive view of your cybersecurity posture, improve risk identification and prioritization, and enable a shift toward proactive, integrated risk management.

Evaluate and Improve Your Policies with Intraprise Health 

Many organizations struggle to gain an objective view of their policies and procedures – and may lack the resources required to develop effective new ones. That is why so many healthcare leaders trust Intraprise Health by Health Catalyst to support their security program with consultations that help assess, improve, and implement new policies that will keep you compliant and prepare you for upcoming regulatory changes. 

Want to get ahead of the latest HIPAA updates? We can help you improve your third-party risk management (TPRM) to protect your patients, reputation, and bottom line.


About the Author

Scott Mattila

CSO, Intraprise Health
Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, is currently an adjunct professor, and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.