We’ve seen this same scenario with a lot of organizations: a company is being assessed for SOC 2 or is going through a security assessment with a potential client. The team rushes to build a security program and to write administrative policies and security controls before the deadline, doing whatever it takes to close the deal or get past the assessment. High security standards are implemented, but what happens one year, or even one month, later?
When companies conduct risk assessments and healthcare providers assess vendors, we see meaningful security evaluation, but how frequently does this occur? HIPAA requires that risk assessments be conducted periodically (in practice, usually annually), but each one is a single point-in-time assessment. It reflects the organization's security on that day and on no other. Security and compliance are becoming increasingly important for startups selling into enterprise healthcare.
Created Security Policies Are Unrealistic
One of the biggest reasons security policies are not followed is that they set unrealistic standards for the organization. A small startup with one staff member handling security operations will probably not have the budget for a penetration test every six months. Similarly, that company will not have the staff to perform a five-person review of every security event. Security processes borrowed from large enterprises do not necessarily fit small companies. Organizations developing security programs need to be realistic about how they will actually execute them. Policies need to be understandable to the people who follow them and should describe the concrete steps for performing an action rather than just creating legal paperwork.
No Security Team Leader
Although HIPAA requires that organizations designate a security officer and a privacy officer, many startups are very passive when it comes to managing security and compliance programs. Without a staff member defining the security plan, delegating tasks, and evaluating security efforts, a security plan falls flat. Even small teams need a point person who can make the final decision on security objectives, standards, and workflow. Without that person, teams end up spinning their wheels, unable to set and enforce security controls.
Organization Policies Are Not Flexible
Organizations are constantly changing. Employee headcount changes, new technologies are adopted, and the amount of sensitive data and infrastructure grows. As each of these areas grows, administrative policies and technical security controls must grow and adapt with them. Startups and smaller healthcare companies may have a single staff member managing security and compliance requirements, but as teams and products scale, policies should be revisited and revised. Administrative policies must be flexible, not set in stone.
Teams Rely on a Single Vendor for All Security Needs
Many healthcare organizations will turn to a solution that is marketed as “HIPAA compliant” or carries a HIPAA compliance badge. Many technologies and solutions can be configured in a HIPAA-compliant manner, but it is up to the company using them to ensure that it is fulfilling all of its own security responsibilities. Signing a Business Associate Agreement (BAA) with a vendor does not by itself make a healthcare company HIPAA compliant. Teams must still set administrative policies, implement technical controls, and perform periodic reviews and recurring security tasks.
Policies Are Not Enforced Through Automated Controls
Once teams have set administrative policies, it is time to implement and manage the technical security requirements behind them, such as managing backup and disaster recovery, collecting audit logs, and implementing encryption standards. Policies set the guidelines for how these processes should be carried out. For small companies, some of these processes may be manual, but as companies grow they become increasingly complex. When a small security team starts managing daily backups for 100+ cloud servers without automation, mistakes will happen and security settings will be missed. Automation is essential for scaling security processes.
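As an added example (not code from the original post or from any product it mentions), here is one way to turn three of the policy requirements above, daily backups, encryption of disks holding PHI, and a minimum audit log retention period, into an automated control: a small policy-as-code check that runs over a server inventory and reports every violation. The inventory, the field names, and the threshold values (24-hour backup window, 180-day log retention) are assumptions made for this illustration, not HIPAA-mandated numbers; in real use the inventory would be pulled from the cloud provider's API and the check run on a schedule or in CI.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy thresholds. These are assumed values for the example; set them
# from your own written policy, not from this file.
BACKUP_MAX_AGE = timedelta(hours=24)
MIN_LOG_RETENTION_DAYS = 180


@dataclass
class Server:
    """One record from an asset inventory. Field names are assumptions for
    this example, not any cloud provider's real API shape."""
    name: str
    handles_phi: bool
    disk_encrypted: bool
    last_backup: Optional[datetime]   # None means no backup on record
    audit_log_retention_days: int


def evaluate(server: Server, now: datetime) -> List[str]:
    """Return a list of policy violations for one server (empty if compliant)."""
    findings = []

    # Backup policy: every server must have a successful backup within the window.
    if server.last_backup is None:
        findings.append("no backup on record")
    elif now - server.last_backup > BACKUP_MAX_AGE:
        age_hours = (now - server.last_backup) / timedelta(hours=1)
        findings.append(f"last backup is {age_hours:.0f}h old (limit {BACKUP_MAX_AGE})")

    # Encryption policy: only applies to systems that store or process PHI.
    if server.handles_phi and not server.disk_encrypted:
        findings.append("handles PHI but disk is not encrypted")

    # Audit logging policy: logs must be retained at least the minimum period.
    if server.audit_log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(
            f"audit log retention {server.audit_log_retention_days}d "
            f"< required {MIN_LOG_RETENTION_DAYS}d"
        )
    return findings


def audit(inventory: List[Server], now: datetime) -> Dict[str, List[str]]:
    """Evaluate every server; return only those with at least one violation."""
    results = {}
    for server in inventory:
        findings = evaluate(server, now)
        if findings:
            results[server.name] = findings
    return results


def exit_code(results: Dict[str, List[str]]) -> int:
    """Non-zero when any violation exists, so a scheduler or CI job fails loudly."""
    return 1 if results else 0


# Constructed sample inventory, evaluated against a fixed clock so the
# results are deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Server("web-01", handles_phi=True, disk_encrypted=True,
           last_backup=NOW - timedelta(hours=2), audit_log_retention_days=365),
    Server("db-01", handles_phi=True, disk_encrypted=False,
           last_backup=NOW - timedelta(hours=30), audit_log_retention_days=365),
    Server("batch-01", handles_phi=False, disk_encrypted=False,
           last_backup=None, audit_log_retention_days=30),
]


def run_sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    import sys
    results = run_sample_audit()
    for name, findings in results.items():
        for finding in findings:
            print(f"{name}: {finding}")
    sys.exit(exit_code(results))
```

The point of the structure is that each policy sentence maps to one explicit check with a named threshold, so when the policy is revised the code changes in one place, and the non-zero exit code means a missed backup surfaces the same day rather than at the next annual assessment.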
Startups Should Focus on Proactive Compliance
Startups have limited resources and are typically focused on product development and improving patient outcomes rather than on security and regulation. Nonetheless, building a robust HIPAA security and compliance program helps an organization shorten the sales process with healthcare providers. Healthcare companies that can show defined, actionable administrative policies and technical safeguards are more trusted by hospitals and healthcare executives. Solutions such as the Dash Compliance Automation Platform give organizations a straightforward way to define and enforce compliance controls. Ultimately, it is up to each company to build a proactive security program that grows and scales with the organization.