When you think about protecting sensitive data, do you think about privacy or security? It’s a trick question because the answer should be “Both.” Whether you’re thinking about data protection from insider threats or potential vulnerabilities in network security, keep in mind that while privacy and security each have roles, there’s a mutual dependence.
In general, the healthcare industry lags behind other established industries when it comes to prioritizing budget spend on data protection solutions. HIPAA also divides security and privacy responsibilities, meaning that these activities traditionally have been tackled by independent teams. As we have seen from the increasing number of data breaches, we need to come up with a better plan for protecting data. Security and Privacy teams need to work together to better safeguard patient data and try and stem the onslaught of data breaches.
Privacy rules tell us how and when sensitive data can be accessed, whether electronically or otherwise. Security actually restricts that access to the authorized users (or systems). Neither can be optimally effective without the other. If your organization focuses too strongly on cybersecurity but deprioritizes privacy best practices, you’re at a disadvantage, and vice versa.
Are you considering becoming HITRUST Certified? Download our helpful tip sheet which lists the questions you should ask your HITRUST preparer.
Avoid working in silos. Communicate and collaborate on initiatives. Ensure that people on different Privacy and Security teams know their counterparts. Hold regualr meetings and stick with them - don't let them slide. Collaboration is important as each team has different strengths and viewpoints.
Strategize together on everything from privacy and security training to determination and implementation of access controls. You’ll likely find it optimizes resources, too. Engagement from both teams is important for effective collaboration.
Get buy-in from leadership. It’s not only the privacy and security leads and their teams who need to collaborate.
Combine compliance efforts. Interdepartmental tag teams can cross-check, help close gaps and reduce overall privacy and security risk.
Give education a kick in the pants. Think small bites, large impact. In addition to general privacy and security training, choose a “top 3” improvement goals on which to focus.
When privacy and security teams work in tandem, it helps assure trust in data protection; essential trust by consumers, patients and vendor partners. Too often, the roles are disparate, with privacy and compliance shunted under a Privacy Officer and security and IT assigned to the CTO or CSO. The danger of silo operations means not only does efficiency suffer, but so does effectiveness. Gaps grow, leaving your organization at greater risk for a data breach.
Instead, opt for alignment between the privacy and security leads and their teams. Encouraging an ongoing spirit of cooperation between privacy and security resources helps your entire organization double down on data protection. When you make “better together” your mantra for privacy and security practices, you reduce risk and improve data protection effectiveness.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Avoiding the Hidden Pitfalls of Security Audits
In this webinar, see the 5 most common pitfalls of security audits and learn how you can avoid them with the power of MyVCM CrossWalk Assessments.