Has your organization built a culture of risk management? Before you answer, let’s get specific.

The word culture is an overused term, and many times we don’t clearly articulate what we mean when we bring culture into the equation.

It’s a nice placeholder term when we want to express that something should be a priority. As a result, true “culture” movements never move beyond committees and brainstorming sessions. With that in mind, here is a high-level roadmap for ensuring that protecting sensitive data is a part of everyday life within your organization:

1. Get closer and be committed.

If you agree that protecting data and managing risk should be priorities for your organization, then obviously you should be more involved and engaged in the process of evaluating your current efforts and managing your future actions. And it must be clear to everyone that you are taking this matter very seriously. In the case of Home Depot, former employees reported that senior leaders repeatedly ignored their warnings that the company’s security was lacking. They claim that executives brushed them off by saying, “We sell hammers.” If it isn’t important to you, it won’t be important to them. And if you don’t keep it top of mind and front and center, no one else will. Get it on the agenda!

2. Take a balanced and proactive approach.

The best way to do the right thing when it comes to protecting sensitive data is to have a full grasp of potential threats and firm plans for mitigating or eliminating risks. A thorough security risk analysis, followed by a systematic risk management plan, will not only help you stay in good graces with the Office for Civil Rights (OCR); it will help you be proactive in guiding your organization and limiting the likelihood and impact of adverse events related to information privacy and security. Along with being proactive, you must take a balanced approach. Ensure that equal time and emphasis are dedicated to policies, procedures, people and safeguards.

3. Equip and empower your workforce.

As part of the balanced approach mentioned above, your employees play a big part in your ability to keep data safe. While it’s true that hacking attacks and other external threats are on the rise, the vast majority of data breaches actually occur because of people. The combination of malicious and unintentional actions by members of your workforce is the greatest threat to the security of your data.

As a result, you need to equip your information security professionals to do their job effectively, including additional budget or bandwidth as needed to adequately address prioritized risks. You also need to invest in data security training for anyone who comes into contact with sensitive health information.

All along the way, you need to make sure that employees understand the importance of protecting sensitive data.

They need to feel like it’s part of their day job and see the direct tie it has to the bottom line. They also need to feel empowered to speak up when something’s not right and have well-defined and accessible channels for providing feedback. In the end, your workforce will either be your greatest asset, or your worst enemy. It’s up to you to determine which will be true for your business.

The growing expectation is that C-Suites and Boards are paying more attention to safeguarding sensitive information. The U.S. Securities and Exchange Commission recently called on boards to be more involved in “managing cyber risks and more adaptable to changing risks.”

At the end of the day, this is a conclusion that forward-thinking, high-performing organizations will reach on their own.

Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.