In our conversations with healthcare practice managers and CIOs – whether at small-to-medium practices, dental offices, outpatient facilities, or hospitals – we’ve found that few leaders feel confident in their organization’s ability to protect against and respond to cyber threats. Managers of smaller organizations have told us “It’s like a monster out there just waiting to get us, and there’s nothing we can do about it.”Even CIOs at larger organizations who feel confident about having the right technologies and procedures in place admit that they have little interaction with the Compliance Office that manages staff education and little control over mobile devices. The result – they feel exposed, just waiting to see/hear where a breach has occurred.
As a general rule, frightening already frightened people does not promote the kind of thoughtful, proactive behavior required for a sustainable approach to cybersecurity. To get that kind of behavior, organizational leaders and their staff need to feel cyber confident – not just that the IT department is doing its job, but that they themselves feel knowledgeable about the threats they are facing and how to defend against them. So what can leaders do to increase their own cyber confidence and promote a culture of cyber confidence within their organizations?
- Complete a Security Risk Assessment – Trying to secure your organization without a thorough assessment of its particular vulnerabilities is like trying to diagnose a patient’s illness based on the survey results of “the most common illnesses for men age 35-50.” Organizations face many of the same threats, but the vulnerabilities vary significantly from one organization to the next. The formal Security Risk Assessment is typically a coordinated assessment of all departments in an organization at the same time.
- Locate – and document the location – of all your business data. Your business data – customer records, employee records, financial transaction data – should be inventoried as carefully as any other business assets. To ensure that it is protected, you must first know where it is! Again, this is NOT just a job for IT. Mobile devices, printers and fax machines (yes fax machines are still alive and well), medication dispensing machines, and the computer workstations scattered around every department in your organization are all likely repositories of business data. Note the location, serial number, and data types on each device.
- Train your workforce – Cybersecurity is now part of everyone’s job. Be sure every member of your workforce – including student interns, volunteers, clerical staff, and managers – receives cybersecurity training and can demonstrate the correct procedures for safeguarding customer data. See Ed Jones’ post on How to Grow Cyber Security Awareness Heroes for more detail on this topic.
- Implement up-to-date Information Security Policies & Procedures – If you purchase templates, be sure to customize them to accurately reflect the data management practices and technologies at your organization. And purchasing them is not enough – each Policy and Procedure must be implemented. That means making sure every member of the workforce is aware of and understands the policies and procedures that apply to their respective role and that managers or members of the compliance team follow up, observe, and retrain as necessary to ensure they are being followed.
- Implement a Risk Management Process – A Risk Management Plan is exactly what it sounds like – a plan for addressing each of the risks identified in the Security Risk Assessment. It should cover all departments and be reviewed regularly to assess progress on any corrective actions. We recommend reviewing the plan at least monthly. Integrating the review into monthly staff meetings, if you have them, is a good way to build cybersecurity and risk management into your standard operating procedures.
It’s true that IT plays a significant role in assessing and securing your organization’s data stores, but everyone plays a role in keeping your organization’s business data secure. Taking these steps to secure the data and address the risks under your own control will have the added benefit of increasing your own cyber confidence and building a culture of cyber confidence.
If your organization needs a security risk assessment, compliance management plan, or cyber security plan; or you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at: info@thirdrock.com