To combat cyberattacks, organizations must focus on both compliance and cybersecurity

External frameworks like HIPAA, GDPR and PCI DSS have promoted adoption of cybersecurity measures. Yet, the number of cyberattacks continues to grow each year — even in industries with strong regulatory compliance, including healthcare.

To protect data and systems, healthcare organizations need a roadmap tailored to their unique needs and risks. 

During a December Becker's Hospital Review on-demand webinar sponsored by Imprivata, Rob Palermo, vice president of product marketing at Imprivata, discussed how compliance and cybersecurity can work together to achieve compliance and security goals.

Five key takeaways were: 

  1. Cybersecurity is what organizations do to secure systems and data. Compliance is confirmation that they did it. Compliance can be divided into two categories. "Little c" compliance refers to alignment or adherence to mandatory external security or governance frameworks. In contrast, "Big C" compliance focuses on compliance with internal security and governance standards. "Big C" compliance is dictated by and customized to each organization's needs and ideally is aligned with risk. Cybersecurity relates to the activities, infrastructure and strategy that organizations use to achieve "Big C" and "little c" compliance.
  2. In recent years, many organizations have strengthened their cybersecurity programs. Earlier in 2022, Imprivata and the Ponemon Institute conducted a survey about cybersecurity and risk. "On the positive side, about 60 percent of organizations said they have evolved their security structure in the last year, in response to the constantly changing environment," Mr. Palermo said. "About half have turned to automated solutions like machine learning and artificial intelligence to scale and address cybersecurity threats." In addition, almost half of organizations said employee awareness about cyber hygiene has grown. That is often due to training and awareness campaigns, as well as monitoring solutions.
  3. However, the number of cyberattacks hasn't decreased. The Imprivata and Ponemon Institute survey also found that 54 percent of organizations have experienced a cyberattack in the last 12 months. Third-party attacks, in particular, have increased. "Around half of organizations believe that cyberattacks are increasing and about half of attacks are coming from ransomware," Mr. Palermo said.
  4. Unfortunately, "little c" compliance is often misused, "Big C" compliance is marginalized and cybersecurity is misaligned. "Little c" compliance and regulation set a broad floor for the protection of systems and data. Meanwhile, "Big C" compliance — that is, internal governance — is meant to be the blueprint that sets the ceiling for how companies actually protect systems and data. "Some companies equate 'little c' compliance with 'Big C' compliance, which makes it hard to invest in security, because the floor serves as the ceiling as well," Mr. Palermo explained. In some industries, "little c" compliance doesn't exist, which means that "Big C" compliance is often ignored or underinvested in.
  5. "Big C" compliance must encompass the enterprise's compliance vision, as well as its willingness to invest in that vision. "Organizations need to be clear on the roles and interdependence of compliance and cybersecurity — and invest accordingly," Mr. Palermo said.

In the area of "little c" compliance, this means supporting the evolution of regulatory frameworks. From a "Big C" compliance perspective, organizations must push beyond regulatory mandates and develop comprehensive strategies for protecting people, systems and data. These need to be aligned with what will create value for the business and reduce risk. 

"Nearly every security professional out there today is doing their best, but they still feel like they are drowning. To create a more balanced approach to cybersecurity, organizations need a clear and comprehensive 'Big C' compliance program," Mr. Palermo said.


Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
