As someone who has worked in the Managed Network Services space for over a decade, there are certain behaviors I notice when it comes to security planning. Every so often, a major security incident occurs that makes headlines, and the media cycle begins. Decision makers at organizations, who are typically business experts and not technology experts, often react with questions about what they are doing to fight this specific threat. Are they doing the right thing? What else could they be doing? How exposed are they?
We all agree that IT is essential to the operations of modern medical practices, but I find that often these investments in technology are reactionary. Ten to 15 years ago a major push for moving to Electronic Medical Records (EMR) inspired a number of practices to make significant investments in IT infrastructure that most of them had never considered before. It was a brave new world for most practices, and decision making was often done in a spur-of-the-moment fashion. Even more disconcerting was the fact that many of the investments from these early-adopting practices ended up being overhauled for a variety of reasons, many of which had to do with not “right sizing” the solution in the first place. Needless to say, this was not a pleasant experience to be a part of, either internally or as a service provider like I have been. The costs were out of control, unpredictable, and stressful to deal with.
Chances are if you are reading this article, you have already moved some, or perhaps most, of your IT infrastructure to the cloud. While most organizations spend lots of time, energy and money developing strategies for integrating their important data and workflow into the cloud, they usually don’t worry about security and risk management strategies until after the migration. In fact, many organizations assume that it’s okay to maintain the strategy they were using before the move.
Everyone who manages staff in a medical environment immediately becomes a key decision maker when it comes to HIPAA compliance, whether they realize it or not. Many data breaches do not occur because of technical failures that come from a conscious attack on security systems, but because of the failures of personnel to properly control the access to patient health information. Practice managers hand the keys to the vault of patient data to staff members every day. Just like money in your bank account, sensitive data has a real value, and anyone with access to it holds a serious responsibility.
Many IT decision makers look at assets as hardware, but really they should consider why they have the hardware in the first place.
These decision makers remember the very significant investments they made in servers, PCs, firewalls, and so on in order to deploy that new CRM or Electronic Medical Records System. They think of the tens of thousands of dollars they spent just to get their system functional. It’s understandable then that the memory of this investment makes many decision makers forget why they invest in these systems in the first place, which is to gather and manipulate data for critical organizational functions. So the real asset they are protecting is that data.
Much of my time spent working is focused on performing technology assessments against some kind of baseline. Most of the time, these are specific government or industry standards like HIPAA, NIST, ISO and PCI. But when some of my clients reach out to me about evaluating their environment in light of these standards, it’s often done out of a feeling of obligation in which they are reacting to some kind of demand from whoever is overseeing their work.
Preparing for challenges associated with any technology central to your workflow is an important part of a comprehensive security and risk management strategy for organizations concerned with the integrity of their system.
Cloud computing has become a hot topic in the business world. If you are thinking about moving some or all of your business applications to the Cloud, below are a few things you’ll want to consider:
Every company wants their information technology to enhance their business. In fact, many leading businesses employ a Chief Information Officer (CIO) to develop strategic plans for incorporating technology into their company.