This is a snippet of an article published on fortherecordmag.com

Those in the health care industry regularly face challenges such as budgeting, patient privacy, and compliance. Prioritizing IT and security budgets is difficult because the return on investment is hard to quantify, so how do health care professionals ensure patient privacy and security on a limited budget or when services are outsourced?

Extend the Compliance Boundary
Outsourcing security efforts is a common practice. Vendors are still required to follow HIPAA regulations as health care business associates. However, the concern is how thoroughly outsourced vendors monitor private records. An institution, such as a hospital, is at risk not only from a security breach at its own location but also from vulnerabilities at its vendors.

Health care organizations typically become aware of potential vulnerabilities after another institution publicly announces a breach. This generally leads organizations to wonder whether a similar breach could happen to them, and raises questions of preparedness. While executives might assume their IT team is prepared, there are times when the chief information security officer doesn’t have the budget or the business exposure to their institution’s executive board to properly quantify the potential risk.

Organizational Gaps
While your organization may have incident response plans, they can be easy to deprioritize. A fitting place to begin is by encouraging your team to perform incident simulations and self-audits.

Incident response exercises help organizations assess who should be involved if a security breach occurs and how to contain systems involved in a breach. Such exercises will likely identify gaps within the incident response plan and demonstrate whether organizations have the tools needed to isolate the simulated issue and the ability to pinpoint what data were breached. Further, critically reflecting on your team’s simulated scenarios afterward has a direct impact on the quality of future incident response exercises and general preparedness.