Don’t Be Penny Wise and Privacy Foolish

“We Can’t Afford Security and Privacy!”

Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.

Him: “I wish you, and others like you, would stop preaching this security and privacy nonsense! Such actions bring no value to business, and simply are a drain on our budget.  We cannot afford security and privacy investments!”

Me: “How much do you budget for your fire alarms, sprinklers, exit doors and door locks?”

Him, looking puzzled: “Why does that matter to this discussion?”

Me: “Do these investments bring value to your business?”

Him: “Well, yes and no. They are a business necessity for safety, and we’d face steep penalties from OSHA if we didn’t have them.”

Me: “Well, you pretty much described why you need to invest in privacy and security, which…”

We continued our discussion over the conference coffee table.

This isn’t the first time I’ve heard similar sentiments. There have been many other times I’ve faced opposition during the past couple of decades. For example, a couple of years ago I had some energy industry lawyers, who did not like the activities I was doing for privacy in the smart grid, try to persuade me (and not in a friendly way) that the smart grid did not create any new privacy issues. “We have been protecting customer data for decades. We will continue to do so; nothing has changed because of a smart grid,” said one. Another said, “We are following all the privacy laws. There is nothing more we need to do.” And a third said, “Our customers want our energy services. Energy servicing does not involve any PII, therefore, we must meet the demand of our customers, and there are no privacy issues you should be alarming the public about.” Sorry, I those sentiments do not prove anything about privacy not being involved with energy delivery through the smart grid. If only it were that simple.

Last week I was asked about the many cash-strapped hospitals and clinics (especially public ones) that say they do not have money to invest information security and privacy efforts. They thought it was unreasonable and unfair that they would then risk big fines from the Department of Health and Human Services (HHS) for non-compliance with HIPAA, and also potential suits from patients for things that happened as a result of inadequate and lacking information security controls. What would be fair to the patients if their information was insufficiently secured and as a result breached, used inappropriately, or resulted in having decisions made about their healthcare treatments that resulted in injury or death?

Considering Healthcare In Particular

Let’s consider those hospitals and clinics saying they cannot afford information security and privacy controls.  I work with many such providers, and I’ve found that those individuals filling the information security and privacy responsibility roles generally see the need for more budgets in these areas, but they often have a hard time convincing the financial officers and their Boards of the significance of information security and privacy. This is a challenge in the majority of hospitals and clinics from what I’ve seen over the years. Most of the chief financial officers (CFOs) and Boards also truly don’t seem to understand the scope of effort necessary for effective information security and privacy protection, along with a wide range of compliance requirements, so they tend to drastically underestimate the resources (manpower, time, dollars) that actually are necessary to be effective. Hospitals, clinics, and healthcare providers of all types, must view the health of their patients as including the security of their patients’ information, and applied privacy protections for how it is used and shared.

Hospital Boards and Directors need to have a change in mindset; too many view information security and privacy safeguards as something unnecessary to their business, and so an unnecessary expense. This is the same mindset many had decades ago about investing in fire alarms, sprinklers and safety exits. Those types of safety investments are now simply accepted and understood to be a necessary cost of doing business, as well as necessary for the safety of others.


In this technology-saturated age, businesses of all kinds, including hospitals, must accept that implementing information security and privacy safeguards is a necessary cost of doing business. If they don’t implement such controls not only are they putting their patient data at risk of unauthorized access, but they could be putting the very health of their patients at significant risk. Then, add to these business critical reasons, the additional regulatory fines and penalties that could be applied should make it a no-brainer for ensuring appropriate safeguards and privacy protections are in place.


Cost Effective Compliance

“So if money is tight, where should organizations focus their efforts first? If they do a risk assessment, but have no money to mitigate the risks they find —then what?”

Doing a risk assessment and then doing nothing to mitigate risks is not only an exercise in futility (why do a risk assessment if you don’t plan to do anything as a result?), but it also would likely be considered as “willful neglect” for healthcare organizations, which could garner many times’ larger non-compliance fines and penalties. In any type of organization it could be viewed as reason for a wide range of sanctions, in addition to possibly lawsuits.

In all types of organizations, knowing where risks to patient, customer, employee, and really all types of personal information, are of utmost importance.  Demonstrating appropriate due diligence to mitigate the risks in ways that are feasible while also meeting compliance, is not only prudent, it is necessary to avoid non-compliance fines and to prevent costly breaches and the associated penalties.  Compliance activities are a fraction of the cost of the negative consequences from non-action, and are also in the best interest of customers, employees, and patients (both data-wise and health-wise).


There are many things healthcare providers, as well as all of their business associates (BAs) and their subcontractors, can do:

  • Use some of the free resources from the HHS site. For example this manual provides great guidance.
  • Many states offer free resources to healthcare providers.
  • Use the services that are customized for small and medium sized (SMBs) hospitals, clinics, insurers and BAs. Most HIPAA vendor solutions were really created to meet the needs of a large organization, but yet are also marketed to SMBs. I created my Compliance Helper services so that there would be a low-cost but effective solution that SMB providers, insurers and their BAs can use to effectively meet compliance protect information. I saw firsthand after doing over 200 BA security and privacy program audits that such a service could be of great benefit to all those SMBs.

There are also resources available to SMBs in other industries, beyond healthcare.


Actions to Take Now

Here is a list of actions all organizations should be able to take now, regardless of their budget, if they haven’t already to address their information security and privacy risks, and to meet their various and wide range of compliance requirements:

1)    Establish information security and privacy policies. Every organization needs these.

2)    Perform a risk assessment. SMBs can get help to do cost efficient risk assessments; many boutique consulting firms specialize in this.

3)    Address the identified high risks. Some of the more common ones include:

  1. Establishing procedures and technologies for mobile computing devices to support the associated policies. A LOT of breaches occur because such devices are not properly protected.
  2. Establish procedures, practices, and technologies for the disposal of information in all forms. A LOT of breaches, and huge fines, have occurred as a result of improper disposal.
  3. Implement encryption for personal information (e.g., PHI, PII) and other confidential information that is sent via email and stored on mobile devices.  A LOT of breaches, and huge fines, have occurred as a result of data not being encrypted. There are many inexpensive and effective encryption solutions now available that even the smallest organizations can afford.

4)    Provide training and send ongoing awareness communications your personnel. Not only is this a compliance requirement under a wide range of regulations, industry standards and contractual responsibilities, but huge numbers of security incidents and privacy breaches occur because employees and contractors simply did not know how to appropriately safeguard and handle PHI. There is much available for SMBs from the HHS site and various industry groups. Plus, I provide free monthly Privacy Professor Tips messages that many organizations use to meet their awareness requirements, and I provide affordable training for organizations of all sizes.

5)    Identify and document/inventory all your vendors and contracted entities that have access to your information assets (e.g., BAs), and then make sure those vendors have the appropriate controls in place, and provide a minimum level of oversight to help ensure that their mistakes do impact you. You will ultimately share responsibility and liability for the bad things that happen to the information you’ve entrusted to your vendors, and the vendors’ subsequent incidents and breaches. For example, the HHS has made clear CEs will bear some responsibility and liability for, based upon each situation.

All of the above actions take more human sweat/time equity than hard cash.  SMBs must invest their time in implementing information security and privacy requirements even if they don’t have a lot of cash to invest.

Bottom line for organizations of all sizes…

Business leaders, from the largest to smallest and in all industries, must change their mindset about information security and privacy. This nonsense about not being able to afford information security and privacy is similar to saying there is no money for fire extinguishers, fire alarms, locks, insurance, or any other type of business expenses that have been accepted as simply necessary for being able to keep a business functioning.



This post was written as part of the IBM for Midsize Business ( ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


tumblr visitor

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply