It’s a common scenario—someone on your IT, compliance, or security team discovers a problem. It might be lost equipment, a potential breach, or a compliance violation.
Team members immediately discuss it, looking for ways to resolve the problem quickly. Yet they usually keep those communications siloed within their departments, inadvertently shutting out people on other teams who should know about the incident and may have incident response responsibilities.
As a result, response activities are handled piecemeal, may not follow all protocols, and often fall short of an adequate response.
The outcome is frustrating and creates internal conflicts of interest and much larger, unintended consequences such as regulatory fines and penalties, enforcement actions, potential criminal and civil actions, and negative impact on your reputation and bottom line. It can also cause lingering business interruptions.
This type of floundering response is common across the healthcare industry, often because covered entities and their business associates haven’t developed effective governance programs to ensure the right people and processes activate when there’s an incident.
Challenges for Cybersecurity and Privacy Governance
Across the industry, there’s increased focus on governance, particularly in the form of new regulations, controls, and standards. But what’s driving so much attention toward the topic?
There are two big factors in play. The first is how rapidly the industry is adopting new technological advancements, creating a broader attack surface with more vulnerabilities and security issues that are harder to identify and mitigate. That’s compounded by the complexities of an evolving regulatory landscape and even further complicated by traditional silos that divide teams, hinder communication, and trap critical data away from those who need insight.
So, what can you do? How can you bridge the gap between your security, IT, and compliance teams? It begins with setting a foundation for a strong governance program.
Governance Best Practices
Factors like organization size, location(s), functions, and the types of data the organization creates, transmits, or stores influence the specifics of a governance program. Generally, effective healthcare governance programs should contain these core components:
Policies and procedures: If you have an incident, one of the first things an auditor or investigator will ask for is your documented policies and procedures. If you don’t have them, or they don’t address common risks with best practices or demonstrate compliance, your organization may be subject to harsher enforcement actions. Your policies and procedures should be tailored and appropriate for your environment, with demonstrated and tested effectiveness. Your team members should be educated and well-trained on your policies and procedures and be able to access them quickly.
Roles and responsibilities: Your governance program should detail which positions are responsible for specific tasks, with a key person on point as a program manager. Some organizations make big mistakes here. They don’t align responsibilities to roles; they align them to people. When the person leaves the organization, often those responsibilities don’t get reassigned, or the person takes institutional knowledge with them that can’t be replicated. That’s why it’s critically important to document this information as part of your governance program.
Risk management: Your risk analysis and management plans and processes, including your risk appetite and risk threshold, should be well documented.
Training and awareness: An effective governance program should include employee training and education. There is no one-size-fits-all approach that works for everyone. Everyone learns and retains things differently. Some are visual learners; others are hands-on. It’s worth investing time and effort into understanding employee needs and expectations and designing training programs that align with them.
Auditing and monitoring: Auditing and monitoring are crucial to improving program performance. That includes routine testing and training exercises to ensure your policies and procedures function as designed—before an incident happens. This will create an opportunity to identify and address issues before they negatively impact operations.
Incident management/response: Well-documented incident management and response protocols are a linchpin for effective governance. You should detail each step your team members should take, from proactive preventive measures through incident identification and containment and post-incident review.
Individual rights: Individual rights are an emerging issue in security and privacy. Rules, regulations, and legislation define certain rights individuals have, for example, the right to access their data and to opt out. Your handling of these rights should align with all legal and compliance requirements and should be detailed as part of your governance documentation.
Third-party risk: Organizations often overlook third-party risk, but as a growing number of record exposures start from breaches within the supply chain, your governance program should include processes guiding third-party risk analysis and ongoing risk management.
Document retention: Some laws and regulations dictate how long and which types of documents organizations must retain. It’s not enough to document governance now; you’ll need to hang onto it for the allotted time period based on your organization’s requirements. That means you need an effective retention policy that ensures this happens.
The Importance of Bidirectional Communication
While documented policies, procedures, and plans are important parts of an effective healthcare governance program, your organization should not overlook the value of building a culture that encourages and fosters bidirectional communication.
Cross-department and cross-functional collaboration is key to improving how your teams work together to solve problems and meet governance goals. It also fosters innovation, leading to more efficient, compliant processes across your organization.
Bidirectional communication is foundational in developing a holistic governance program, one that involves receiving and listening to feedback from various stakeholders. Think of it in terms of that previous scenario about walled-off incident communication between IT and security teams. It’s critical to break down these walls to ensure communication happens in both directions to identify and resolve issues as a team.
Many elements of security and privacy expand well beyond IT, compliance, and security into different business units, departments, and functional areas, for example, legal, procurement, finance, and human resources. Collaboration and communication are key to understanding who’s responsible for various governance activities, such as policies and procedures, specifically in areas that support one another. This can help improve data privacy and security outcomes by empowering team members to identify and prioritize relevant activities across your organization—from the C-suite and board down to the implementation and operational levels.
Governance Frameworks
Healthcare organizations use a hodge-podge of methods to build governance programs. Some are more effective than others. However, an easy way to ensure all programs are effective is to adopt governance, privacy, and security frameworks to guide your programs. Frameworks provide clear direction and can align your programs with key metrics and business goals.
Some frameworks that may be helpful are:
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR) and international laws
- California Privacy Rights Act (CPRA) and state laws
- NIST Special Publication 800-53
- COBIT (Control Objectives for Information and Related Technologies)
- ISO/IEC 27001 Information security management systems
- 405(d) Health Industry Cybersecurity Practices (HICP)
Governance People, Processes, and Technologies
When people think of governance and compliance, they often picture outdated, cumbersome, and expensive GRC platforms. The good news is that today there are more affordable, user-friendly, and healthcare-focused governance tools on the market.
For example, automation and analysis software can help with policy enforcement. Software can also help you more effectively handle incident management, and user-access monitoring tools can help manage compliance requirements.
It’s important to understand what these technologies are designed to do and how their capabilities align with your governance objectives. It may be helpful to seek out recommendations from colleagues. You can also partner with healthcare compliance and security consultants to ensure you’re on the right path.
Some additional governance recommendations to consider to strengthen your program:
- Develop a strategy and processes to monitor program effectiveness continually.
- Educate senior leadership and key stakeholders about the importance of effective governance and their roles to ensure success.
- Ensure you have adequate resources (people, tools, and technologies).
- Understand how regulatory environment changes may impact the way you do business.
- Look at the regulatory requirements to determine where there are similarities to eliminate duplicate processes.
- Know what types of data you have and where your data lives (e.g., through data mapping).
- Assess and remediate your risks.
- Employ controls and technology to reduce your risk level.
Ultimately, effective governance requires a holistic approach that takes into account people (roles and responsibilities), processes (plans, policies, and procedures), and technology to enhance compliance, security, and privacy throughout your organization.