If we are using HIPAA risk/security assessments as the main vehicle for security compliance, can it be used to enhance business competitiveness and provide additional value? How do we maximize value for something we're forced to do?
HIPAA, despite its simplicity, can be used as a framework for assessing business performance. And the more we know about our performance, even in healthcare, the easier it is to maintain a competitive advantage. Healthcare professionals sometimes shy away from the idea of competition, but healthcare in America exists in a competitive setting, so we can't neglect it, or we are doing our patients a disservice by knowingly providing an inferior service.
Further, we have a fiduciary duty to maximize value from donations made to the organization, or investors if we are a commercial operation. Maximizing the value of money spent on security and privacy should be part of that, and HIPAA can serve as a performance assessment tool to incorporate into business efficiency assessment and guide management decisions regarding spending.
Most organizations adopt a checklist approach of minimum viable compliance, but they are missing out on the value that comes from doing a HIPAA assessment that is aligned with business and not merely an IT response. These organizations function at a higher risk level, and boards are beginning to catch on. The financial implications of security events matter, and the business needs to demonstrate value in security compliance beyond merely avoiding regulatory attention.
What is an aligned assessment?
An aligned assessment satisfies the regulatory aspects, and also examines and quantifies how security decisions support and enhance the business. It considers the efficiencies and penalties of failure from a business perspective, and the ramifications to the business beyond the obvious penalties. The ripple effects of security and privacy incidents don't stop with regulatory fines and per patient record payouts.
A thorough examination goes beyond simplistic breach numbers and considers the real-world impact on the business as a whole. The assessors must fully engage with the business and identify where the real risk lies by digging into operations and business planning.
The assessor considers the business direction and goals, partnerships, medical studies, expansion plans, grants, donations, endowments, and any other area that may be impacted by a breach and the reputational damage that follows. Conversations with senior management cover business direction and vision. Current security and privacy practices are examined and compared against industry peers. Business development is examined and factored in. The assessors ask how endowments would be affected. They identify business partners whose relationship with the organization would be impacted.
Business aligned assessments identify items that are not normally seen inside HIPAA audit reports.
Items that make statements like: "The risk levels in the end-user configurations for the research group may expose subject PHI in the research activities to unauthorized audiences inside the organization, which is a breach; the business impact from that event is $4M in year one plus regulatory fines and possible tort litigation under the California Consumer Privacy Act that impacts these two partners and is not covered under this insurance policy."
Contrast that with several pages of massaged messaging about security problems and one paragraph about "The organization potentially faces $5M in incident costs based on the industry generally accepted term of $100 per record."
What is of more value to an organization? Spending money to know that there is a list of mostly acceptable security concerns with ephemeral financial exposure or identifying specific instances of business risk with clearly understood consequences? We can't put a real value on a vague notion of compromise, but we can quite plainly determine the value of a partnership contract with a particular entity.
"We could lose $50M in a breach!" - not useful.
"A failure in the endpoint configuration security in the research department creates a risk of losing the contract for Newthingus© testing valued at $3M which doesn't include penalties and payouts that could total an additional $2M." - useful.
This business-oriented discussion of HIPAA security implications with business leaders provides additional value and increases awareness, which supports improved security organization-wide. Increased awareness of the implications and rationale behind decisions helps business leaders comprehend, and contribute to, the security spending decisions of the business. This enhances management, contributes to improved operations with lower risk, and improves the competitive advantage of the business.
The benefits to the business from doing an aligned assessment clearly exceed the benefit of spending money to be merely compliant. According to security compliance wizard Ben Rothke, the concept is simple: businesses can spend the money wisely to obtain value, or they can avoid spending it and suffer downstream performance penalties.
An aligned assessment provides business insight that makes it possible for the Program Chair to become a champion and use security and privacy to improve efficiency and lower risk. It lets us develop real numbers for financial risk planning and operational budgets that are more than guesses and industry valuations per record that we know for certain are incomplete. We benefit from avoiding overspending on security. We improve business security decisions that increase efficiency.
Security is a business enabler when we do it right, and an aligned assessment produces a better organizational perspective and identifies these competitive business advantages. Alignment helps us avoid security spending we don't need. And we can use the HIPAA security and risk assessment to do it.
Doing an aligned assessment pays for itself, and if your current team can't demonstrate that, try using a team that can. Like Liticode.