Several breaches involve mistakes or malicious behavior, so all health care organizations can benefit from these suggestions.
Smaller hospitals have fewer resources than their larger peers to invest in information technology, particularly cybersecurity. However, they still need to meet the same basic standards as larger facilities.
It’s a dilemma pointed out in an article published recently in Health Data Management. Author Brian Stone brings up a few helpful reminders for community and regional hospitals to make the most of their IT security budget:
Monitoring cloud-based environments: By monitoring these environments, smaller hospitals’ IT departments gain insight into how users interact with their applications, making it easier to secure and optimize their business systems.
Training and rewarding appropriate behavior: By training users on security and regulations, and creating a compliance culture, smaller hospitals can become more secure. It helps even more if they sanction offenders while rewarding positive behavior.
Using a third-party security vendor: Using a third party takes an extra monitoring load off IT’s plate. Such vendors might also be able to train new employees, conduct ongoing educational sessions and tackle internal problems as they arise.
Of course, many health care organizations, large and small, fail to allocate enough of their budgets to these problems until they’ve had a severe breach. Several breaches involve mistakes or malicious behavior, so the kind of training advocated by Stone can be effective in both environments. (In other words, if all you must do is fight off the occasional outside marauder, the data assets may be more secure than you think.)
That said, creating a security-conscious culture takes not only training, but also time. It helps that many younger employees are exposed to data security just by being raised in an IT-connected generation. However, many workers will find security counterintuitive, so you need to get them on board. You want as many people as possible available to recognize when something bad occurs.
Put another way, it’s important to remember that IT security isn’t a one-off exercise, but rather something that needs to be embedded in the way people work, in much the same way that patient safety considerations are embedded in the way clinicians work. If you integrate security thinking into your team’s habits and workflow, you’re likely to accomplish a great deal.