Despite these facts, many healthcare organizations are not at a sufficient maturity level in their cyber and digital risk programs. Up until the recent threats of data privacy legislation, there had not been true enforcement or inspection of healthcare compliance from a third-party perspective. Breaches are self-reported to the OCR, mainly driven from the understanding that this is the ‘right thing to do.’ Less because there is an authority hovering over these organizations to ensure they are following the letter of the law.

Did you know only 4.9% of cases reported to HHS’ Office for Civil Rights were investigated? I have worked with clients across industries in risk, compliance, audit, and security management programs throughout my career. Here’s some of the anecdotal evidence from my own, and my esteemed colleagues’, experiences that I will share:

• Until recently, healthcare providers have been laggards in their security and IT risk management posture in comparison to other regulated industries, such as finance, insurance, and energy.
• When you compare these industries’ characteristics to healthcare, it’s hard to support the idea that a strong risk and compliance management program are not necessities for healthcare organizations.
• The table below (left) draws some conclusions as to why.

How do you form a compelling argument to give to your board of directors or executives that convinces them they should care, and invest, in their data privacy, cybersecurity and digital risk program?

It starts with education for the CIO, CTO, CEO and/or board of directors to help them understand why they should care, and ultimately why there needs to be an investment made to appropriately respond to their risks. This is much easier said than done for a healthcare provider, who oftentimes can be a part of a non-profit, with less resources and dedicated hours. Understanding the impact of the IT, cyber, digital and/or data privacy risks to their patients, and prospective patients, is key.

In speaking with numerous CIOs and CISOs about how they have successfully, and unsuccessfully, presented business justification cases to the executive team to capture additional funding, our SureCloud team has assembled a PowerPoint template to jumpstart your preparation. This presentation deck is meant to be your quiver. Choose to pull out the arrows that you think will be the most effective. Remember the old speaker’s adage: know your audience. Does your audience need more education about what healthcare security threats are out there? Do they need to better understand why their current compliance-based program isn’t truly doing risk management? We have slides to address both.

It’s best to manage your expectations. Things may not change after one presentation, overnight, or even after a few presentations or months. Many times, the adoption of risk-based culture is a dramatic cultural shift that involves conversations with many levels of stakeholders, executive buy-in, and a series of incremental wins over years. But we all have to start somewhere, right?