Why Healthcare Startups Fail to Execute on Security Plans

Jacob Nemetz, Dash Solutions
May 30, 2019

We’ve seen this same scenario with a lot of organizations: a company is being assessed for SOC 2 or is going through a security assessment with a potential client. The team rushes to build a security program and create administrative policies and security controls before a deadline, doing whatever is needed to close the deal or get past the assessment. High security standards are implemented, but what happens one year, or even one month, later?

When companies conduct risk assessments and healthcare providers assess vendors, we see notable security evaluation, but how frequently does this occur? HIPAA requires that risk assessments be conducted on an annual basis, but this is only a single point-in-time assessment. It does not reflect security at any time other than that day. Security and compliance are becoming increasingly important for startups selling into enterprise healthcare.

Created Security Policies Are Unrealistic

One of the biggest reasons security policies are not followed is that they set unrealistic standards for the organization. A small startup with one staff member conducting security operations will probably not have the budget for a penetration test every 6 months. Similarly, this company may not have the staff to perform a five-person review of every security event. Security processes from large enterprises do not necessarily fit small companies. Organizations developing security programs need to be realistic about how they will execute on them. Policies need to be understandable to the organization and focus on the steps for performing an action rather than just creating legal paperwork.

No Security Team Leader

Although HIPAA requires that organizations designate a security officer and a privacy officer, many startups are very passive when it comes to managing security and compliance programs.

Originally published at https://blog.dashsdk.com.
