Why digital health organizations need to put security concerns top of mind
With access to a vast trove of protected health information, digital health organizations must keep security concerns top of mind to meet the expectations of a wide range of stakeholders, from customers to regulators. Whether your organization is a startup on a limited budget, such as a new wellness app, or an established digital health SaaS provider, the data you collect and analyze is often subject to a variety of compliance requirements.
Your ability to demonstrate that you are handling data securely is essential to gaining the certifications and attestations that help you attract customers, provide them with confidence and assure your practices are in compliance with, at a minimum, security best practices.
Common misconceptions
Here are some common misconceptions about organizational security that digital health organizations must get past to meet their obligations:
- Believing you can appoint just anyone in your organization to help you meet your cyber and compliance needs: Your organization needs to invest in someone, whether full-time or fractional, who understands data security, especially given the sensitive information digital health companies often receive and store. With this expertise, they can lead the charge to build out your overall program and help ensure you are meeting the right compliance requirements.
- Hosting your systems in the cloud means you do not have any security responsibilities: No matter where your data sits, your organization owns the responsibility to help ensure that its systems and data are secure. So even if your data is in the cloud with a third-party vendor, your organization needs to enforce and control compliance with a comprehensive cyber program that includes access control, vulnerability management, risk assessment/management and incident response capabilities.
- Treating security and compliance as a one-and-done or set-it-and-forget-it move: You need to keep a finger on the pulse of emerging threats and the changing regulatory environment. Checking compliance against regulations and security frameworks is an ongoing practice. Your overall program reviews should be done regularly, and it often helps to bring in an independent perspective.
Getting ahead of security and compliance from the very beginning is critical. The easy route is to find what framework(s) are important to your customers and stakeholders as you start to build out your security compliance program. But of course, it’s never too late to implement a program if you overlooked these steps at the start. It’s all about commitment to security no matter when you begin your endeavor.
While self-assessments are possible, bringing in an independent perspective can build your confidence in your security program: experienced security professionals see the best (and worst) practices across their client base every day.
Certifications such as HITRUST and ISO or independent SOC audit reports are also vital in gaining the trust of your leadership team and your prospects/customers. For digital health companies, in many cases, an insurance payor or a hospital system will want that assurance regarding your compliance with HIPAA and other regulations before committing to partner with you.
Avoid a Catch-22
In many cases, digital health startups are caught in a Catch-22 with a pay-to-play type situation. They can't go to market with their services or sign with certain prospects/targets because they don’t have these certifications or attestation reports. Ironically, until they build their customer base, they cannot generate enough revenue or obtain sufficient funding to afford to invest in the costs of the preparation and required third-party audits/assessments.
The way organizations navigate this conundrum is through a gradual, multilevel approach. For example, starting out with an organized, thoughtful assessment against the HIPAA Security Rule to identify your gaps can be a great, inexpensive way to start. Next, you can move on to a third-party independent audit/assessment, which leads to a certification or attestation report. These security frameworks vary in size, complexity and requirements, so your third-party provider can help you decide which assessment is the proper one (to meet your customers’ needs) at the right price point.
Leadership teams need to understand the importance of security up front. Investing in the right people to oversee your efforts, whether they’re an experienced third-party professional or someone who works directly for your organization who understands security, is crucial.
How Wipfli can help
Wipfli’s team has the experience and breadth of services to help you from start to finish, including:
- Readiness/gap assessments against various security frameworks.
- Remediation and cybersecurity services, including vulnerability and pen testing, incident response planning, disaster recovery and business continuity.
- Audits and certification assessments such as SOC 1, SOC 2, HITRUST and ISO.
- vCISO and outsourced managed services.
Contact us today to learn how we can help ensure your organization has the right security programs in place.