Management buy-in won't come cheaply: Four tips for bridging the communication gap
HIPAA Training Advisor, October 5, 2006
Assessing and responding to security threats is the information security officer's ongoing responsibility. Unfortunately, support from upper management for security efforts and purchases might not be as constant.
The sting of recent breaches, such as the theft of Providence Health System's backup tapes in January, is beginning to refocus management's commitment to security. However, a sea change takes time, and security professionals in small- to medium-sized organizations might still encounter a tough sell, says Kevin Beaver, CISSP, an Acworth, GA-based security consultant. Instead of waiting for a breach at your facility to get management personnel on your side, convince them now of security's importance by building a relationship with them and showing off your security successes, Beaver recommends. This means you must involve management in the day-to-day security battle.
"One of the key elements of any effective compliance plan is the involvement of senior management and the board," says Reece Hirsch, partner at Sonnenschein Nath & Rosenthal LLP in San Francisco. "You have to have a security officer who's relatively high-placed in the organization and has a direct reporting relationship [to them]."
Expand on HIPAA, translate tech talk
But once you have such a direct relationship, or if you're trying to convince upper management that you need one, how do you win them over? Try the following tips for getting management to buy into your security program:
Tip #1: Involve them. Inform management not only of large purchases but also of ongoing security successes and challenges. Although many organizations don't require internal incident reporting to leadership, it is critical, says James DiDonato, CHFP, CIA, MBA-MIS, information security officer for Baystate Health, Inc., in Springfield, MA. "The value is that you know where to direct your human and financial resources," he says. DiDonato issues quarterly reports to Baystate's senior leadership team that give general incident descriptions and statistics that indicate trends. For example, DiDonato reports statistics on the amount of spam Baystate receives because he wants management to understand it's a growing problem that requires new tools. As Baystate implements these tools, DiDonato hopes to show their effectiveness through continued reporting.
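The quarterly trend report DiDonato describes can be produced from an incident log with a few lines of code. The following is an added example, not code from the article or from Baystate; the incident records, category names and function names are constructed for illustration.

```python
"""Quarterly security-incident summary for a leadership report.
Added example; SAMPLE_INCIDENTS is constructed data, not real figures."""
from collections import Counter, defaultdict
from datetime import date

# Constructed incident log: (ISO date, category, short description).
SAMPLE_INCIDENTS = [
    ("2006-01-09", "spam", "blocked at mail gateway"),
    ("2006-02-14", "spam", "blocked at mail gateway"),
    ("2006-03-02", "malware", "desktop infection, cleaned"),
    ("2006-04-11", "spam", "blocked at mail gateway"),
    ("2006-05-20", "spam", "blocked at mail gateway"),
    ("2006-06-07", "spam", "blocked at mail gateway"),
    ("2006-06-30", "lost_media", "backup tape misplaced, recovered"),
]

def quarter_of(iso_date):
    """Return a label such as '2006Q2' for an ISO date string."""
    d = date.fromisoformat(iso_date)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def quarterly_counts(incidents):
    """Count incidents per quarter and category -> {quarter: Counter}."""
    buckets = defaultdict(Counter)
    for iso_date, category, _desc in incidents:
        buckets[quarter_of(iso_date)][category] += 1
    return dict(buckets)

def trend(counts, category):
    """Compare the latest quarter with the previous one for a category.
    Returns (previous, latest, percent_change); percent_change is None
    when there is no prior quarter or the prior count is zero."""
    quarters = sorted(counts)
    if len(quarters) < 2:
        latest = counts[quarters[-1]][category] if quarters else 0
        return (0, latest, None)
    prev = counts[quarters[-2]][category]
    latest = counts[quarters[-1]][category]
    change = None if prev == 0 else round((latest - prev) * 100 / prev, 1)
    return (prev, latest, change)

def leadership_summary(incidents):
    """One plain-language line per quarter, suitable for a board report."""
    counts = quarterly_counts(incidents)
    lines = []
    for q in sorted(counts):
        total = sum(counts[q].values())
        detail = ", ".join(f"{k} {v}" for k, v in sorted(counts[q].items()))
        lines.append(f"{q}: {total} incidents ({detail})")
    return lines
```

The per-category trend is what justifies a resource request: a rising spam count quarter over quarter supports the case for new filtering tools, and the same report later shows whether they worked.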
Tip #2: Make security about more than HIPAA. Negligible enforcement of the security rule by CMS and a general perception that HIPAA is "done" can compound the problem of obtaining management buy-in. If this is the case at your organization, don't place all your eggs in the HIPAA basket. Instead, emphasize that many other state and federal laws and standards can apply to organizational security, Hirsch says. For example, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, the Payment Card Industry Standard, and state security breach notification laws might apply to certain HIPAA covered entities. "It's a matter of educating board and management. As soon as they realize the stakes, I think they'll see that security is an important organizational initiative," he says.
Tip #3: Speak their language. Getting management to realize the security stakes means getting them to understand the risks, your responses, and the need for new resources. To do this, translate technical jargon into business-oriented talk. Beaver gives the following examples of how to do this:
- Tech talk: "Exploitable security hole."
  Business translation: "A hacker could take advantage of a missing software update."
- Tech talk: "We need 256-bit AES [advanced encryption standard] for our database."
  Business translation: "We need to configure the electronic health record system so that one user cannot read another's information."
- Tech talk: "Let's use WPA2 [Wi-Fi protected access] with strong encryption or a VPN [virtual private network] for wireless network hotspots."
  Business translation: "Let's secure mobile communications and make sure that all communications, regardless of where the user is, are locked down."
Tip #4: Make allies. Winning over members of other departments can also help when it comes time to make your case to management. Ally with operations or finance staff who can help you better estimate the return on investment of previous or upcoming security purchases. Also, avoid making enemies with upper management. To do so, educate without using scare tactics, Beaver says. The recent spate of security incidents might make it tempting to wave horrifying headlines in your board members' faces, but this is unlikely to be a successful strategy. Instead, give the facts about recent breaches within the healthcare industry and explain how they apply to your organization.
Editor's note: Adapted from "Management buy-in won't come cheaply," Briefings on HIPAA, September 2006.