FTC SAFEGUARDS & Your Healthcare Facility

Who’s on first?

Have you ever heard that old comedy routine? It’s funny to listen to comedians create confusion with wordplay, but it’s not so funny when you’re trying to figure out something like the brand-new FTC Safeguards Rule that kicked into effect on June 9, 2023.

I’ve discovered that there’s confusion regarding who it applies to and what changes may need to be made to a security program. So, let’s talk about the new regulation and help you find a path forward for your organization’s data security.

First off, are you covered by the FTC Safeguards Rule?

The FTC expanded its definition of what it calls a “financial institution”, and many organizations are now specifically called out, such as mortgage lenders, finance companies, and even mortgage brokers themselves.

If you’re saying, “My healthcare company doesn’t fall under the guidelines. I guess I don’t have to think about the FTC Safeguards, right?”

WRONG

If you aren’t covered by FTC Safeguards at all, there are still two good reasons for taking action:

1. Your clients/customers and the organizations you do business with may be covered, so they’ll be more confident working with you if you take action.

2. These safeguards aren’t going away, and, in fact, the FTC may continue to redefine who is covered. Taking action now, before you’re required to do so, simply means you’re ahead of the game and that your organization is meeting high standards of safety.

Sound a bit overwhelming? No worries. I’m going to explain some of the most significant elements of the FTC Safeguards, and at the end of this blog, I’ll tell you about more ways I can help you.

So, let’s take a look at 7 elements of the FTC Safeguards that can help you take your healthcare company to a higher security level. These elements include:

· Element 1: Organizations must designate a qualified individual to run their security program. This could be someone on your staff, or the person or organization that runs your IT. Just because an organization is small doesn’t mean it is exempt from security.

· Element 2: Security must be evaluated on a regular basis: look for internal and external security holes, assess the risks they pose, and evaluate any controls already in place to address those risks.

· Element 3: Organizations must put controls in place to address security holes. Knowing about the gaps in your security isn’t good enough. At a minimum, organizations will be expected to have a written security program that addresses the security gaps identified in a risk assessment.

· Element 4: Organizations must regularly monitor security effectiveness. FTC Safeguards expects organizations to regularly test or monitor the effectiveness of the safeguards they have in place. Since hackers are constantly devising ways to break through security, businesses will need to continually test the security measures they have in place.

· Element 5: Organizations must have policies and procedures to help personnel adhere to their security program, as well as written policies and procedures around securing their consumer data.

· Element 6: Organizations will have to adhere to standards for protecting the confidentiality, integrity and security of their consumer data. This means organizations must ensure their security controls meet the FTC’s standards for protecting data.

· Element 7: And, of course, organizations need to ensure continual improvement of their program based on regular testing. They will then be expected to make adjustments to their security program as needed.

MAJOR TAKEAWAY: You may feel like your healthcare company doesn’t fall under the Safeguards, but using these elements can help you take your security to a higher level, and with hackers getting more sophisticated by the day, that’s a very, very good thing.

But what if you don’t store data at all? Maybe you use a third party to store your information.

Well, guess what?

Whether data is stored onsite or in the cloud, it needs to meet similar security standards. So, even if your data is being hosted by a third party off site, you are still responsible for it.

MAJOR TAKEAWAY: It’s not about WHERE your data is stored. The responsibility lies with the organization that owns the data.

SO, WHAT’S THE BOTTOM LINE?

The FTC Safeguards will affect the majority of U.S. businesses in some manner, and even if it’s just a matter of having clients who fall under it, you’ll want to be prepared. That means that even if you aren’t explicitly covered, this is a good baseline security framework to follow to make sure your organization is not the lowest-hanging fruit.

HOW CAN I HELP?

I know cybersecurity. I know how to help healthcare companies like yours. I know the FTC Safeguards.

Why should you play a game of “Who’s on first?” with the future of your healthcare company when you can make one phone call and get help?

Let me answer your questions and give you peace of mind. I can also tell you about how a virtual Chief Security Officer (vCSO) can take your residential construction company to the next level.
