2. New Insurer Mandates Make Incident Response a Wider Priority
Cybersecurity insurance policies can reduce the financial impact of a security incident in healthcare; however, with the ever-growing threat of ransomware and other attacks, insurance companies have become less willing to foot the bill for customers that aren’t taking precautions.
This reluctance can lead to one of two outcomes for organizations: Either they will not qualify for coverage if they don't have certain proactive measures in place, or they will pay higher premiums.
For some organizations, those consequences have drawn the attention of finance departments or other upper-level executives who previously did not have a hand in security. That means healthcare IT professionals should be prepared to defend their incident response plans if they come under the spotlight with new stakeholders.
3. Evolving Health IT Requires Governance and Security Documentation
The pace of change within the healthcare industry also reinforces the need for formal security policies and procedures. For instance, even before the COVID-19 pandemic accelerated cloud adoption and telehealth programs, providers consistently looked to digital innovations to deliver care and improve patient outcomes.
Nearly every technology change that healthcare organizations make can affect incident response planning. CDW’s Lea notes that even if an organization is just switching vendors for its emergency medical record system, it should have a clear governance framework in place. “Who's going to have the ownership of it? How is it going to be managed? All of this needs to be documented ahead of time,” she says.
Mergers and acquisitions, which are common in healthcare, represent another area where documented security policies and procedures are incredibly important.
“We need to test those new environments before we add them,” Lea says, and a thoughtfully designed and executed incident response program helps ensure no stone is left unturned.