Cybersecurity

OPTN Provides An Example Of What Not To Do In Cybersecurity


Cybersecurity threats to your organization’s systems, networks, and data can arise anywhere, and they are most dangerous when you don’t even know you have a problem because you haven’t put appropriate management and oversight in place in the form of policies and procedures.

A recent Office of the Inspector General (OIG) audit of the Organ Procurement and Transplantation Network (OPTN) found a severe lack of policies, procedures, and oversight.

What is the OPTN?

OPTN operates under the oversight of the Health Resources and Services Administration (HRSA). It is a partnership of public and private professionals and organizations that work to ensure that organ transplantation processes are optimized to bring organs to those who need them. However, until 2018, HRSA was limited in its ability to provide oversight of the OPTN, and it shows in the OIG’s audit results and recommendations.

For reference, here is the report from the OIG: The Health Resources And Services Administration Should Improve Its Oversight Of The Cybersecurity Of The Organ Procurement And Transplantation Network.

But rather than dwelling on OPTN itself, let’s talk about why this might be a problem for YOUR organization if you are in the same situation.

What Policies and Procedures Are

One of the most important first steps in protecting your organization’s assets is to create the policies and procedures that guide that effort. They gather together the rules and requirements and help to ensure that your organization can appropriately address problems that might arise. Without them, or without someone making sure they are followed, your organization dramatically increases the likelihood of a threat becoming a reality.

Cybersecurity starts with policies at the topmost management level of planning and implementation. Policies define the security necessary for an organization, what it protects, how it protects it, and who is responsible for watching over that protection.
Another way to look at it would be:

  • Management (in conjunction with cybersecurity professionals and legal advisors) sets a security standard for the organization.
    • That standard is based on the systems, infrastructure requirements, software and applications, and the organization’s data.
  • Management and its advisors also look at the employees and personnel working with the data and other assets to see how best to ensure they will be part of the security.
    • Cybersecurity awareness training is one of the most effective ways to help staff to understand and help with their part of this security.
  • If outside vendors or business partners/associates have access to the data or systems, they, too, must be part of the security planning and implementation.
    • They should have the same or greater training and responsibility for protecting your assets as those within your organization.
  • There are also requirements for auditing and management of the data and resources used to access or protect it.
    • Outside and internal audits should be conducted on at least a yearly basis or more often if appropriate.
    • Protection of data at every stage, from intake through use and transit to storage at rest, is part of your policies as well.

As you can see, there are a lot of facets to the policies level of management.

At another level, procedures are the detailed steps you and your staff must take to follow the policies listed above. Why do you need a step-by-step procedure for a policy? To ensure that everyone is doing the same thing, for the same reason, at the same time. Much as a certified auto repair shop follows the manufacturer’s service manual rather than improvising, a procedure details every component, how it works with the other components, and how to accomplish the tasks related to that component so the work is done correctly every time. If a step is missed because no procedure exists, you risk a failure of your cybersecurity measures.

How Will This Affect You?

A solid effort to research and create your organizational cybersecurity policies and procedures in line with the laws and regulations for your field of work is a protective measure that doesn’t just keep your data and systems safer. It also helps to protect against fines, financial penalties, and losses due to civil suits that might arise. 

To give you an idea of what a lack of proper cybersecurity can mean to you, read our post “HIPAA Violation Costs Oklahoma State University Large Penalty.” For quick reference, almost 280,000 people were affected by a breach, and the penalty levied for that breach was $875,000!

Can your organization afford the bad publicity or the financial loss involved? Probably not.

In case you think you can get away with just the basics of cybersecurity and purchase insurance “just in case,” know this: cybersecurity insurance providers know what it takes to provide appropriate security measures for the types of systems and data you use, and they will price your insurance according to the risk you present. They will also require that you meet minimum security standards to protect their profit margin, which means you buy the insurance AND do the work needed in the first place. Not much savings in the end, right?

Above and beyond that, we all know that insurance companies go through incredible gyrations to avoid having to pay anything at all in the first place when a claim is made. It is part of how they make money and secure profits from risky ventures. It is their business model.

What Should You Do?

Start with the basics. Ensure you have the personnel or service providers who can adequately ascertain what systems and data you have in-house and what you might be purchasing or using in the foreseeable future (say, the next 5-10 years), and that you have knowledgeable cybersecurity representation in your legal department.

Next, management and your legal and cybersecurity professionals need to get together with what they have discovered about your organization and create the policies and procedures discussed above. Why management? Because without management investment and backing, your cybersecurity efforts will not have the budget and authority they need to succeed. A CEO or COO who isn’t totally on board with cybersecurity may limit financial backing or frustrate the process by not allowing it to move smoothly forward.

Northstarr Recommendations 

There is no replacement for knowledge and expertise when it comes to cybersecurity. Northstarr provides both, through our cybersecurity and IT teams. We can help you find the best possible solution for your organization and put you on the right path to success now and in the future.

To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment.  We look forward to meeting with you!