Auditor Tips: Overcome Management’s Budget Concerns

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.

“By holding staff accountable, you can protect your patients and organization more effectively.”

If you are having problems communicating budgetary needs to management, conduct a risk analysis before starting the HIPAA process. NIST 800-30 is a good risk assessment protocol to follow.It is designed to help decide what kind of budget should be assigned to mitigating risks.

At the end of this assessment, you’ll have an idea of the probability of a compromise, how much money might be lost if compromised, and the impact a breach might have on your organization.

Find a way to show how much a lack of security will cost your organization. For example, ask yourself, “if one of our systems gets compromised and leads to a widespread case of ransomware, how much will it affect our patients, hurt our ability to provide quality care, and cost our organization?” Ransomware is a very common method attackers use to exploit the healthcare system, after all.

Another aspect of HIPAA compliance is availability. If you provide healthcare services to patients, you need to be able to do so even in the event of a natural disaster. A costly breakdown in communications and access to critical records could lead to increased liability for your company during an already challenging time recovering from a disaster. A good risk analysis will help you identify areas that should be improved to ensure availability of your services in a disaster and help justify a budget for mitigating such risks.

Consider asking your accounting or marketing teams for help in delivering your budgetary needs in more bottom-line terms.

If possible, work with your HIPAA team to come up with the following information: security controls that need to be implemented, cost estimates, and how critical your team feels each security control might be to your organization’s security.