Privacy and Security as Budget Line Items

As most of us are aware, recent years have been increasingly challenging for cyber security. Many hospitals across the country have been victims of hacker attacks. Ransomware has become an extremely lucrative operation for cyber criminals.

When hackers target hospitals, the consequences can be devastating – especially for rural hospitals. Delayed surgeries, postponed tests and canceled prescriptions are real threats.


While more health care organizations are ramping up their protective measures to deal with the problem, no amount of investment can provide complete security. On top of this, health care systems are often complex, and standard security measures like automatic logouts and two-step verification often don’t apply to health data.

One suggestion is for organizations to focus primarily on the areas of biggest risk. You’ll need to determine the worst-case scenario should your information be compromised, then follow up by limiting the locations where the data resides and limiting access points.

Your security concerns will need to be addressed throughout the structure and use of your data management. It is no longer enough to be concerned with firewall abilities for a set time; it’s becoming more common to create a threat profile to truly integrate security into a system. It’s also helpful to bring in external experts for fresh input in addressing the problem. They may bring newer perspectives on threats and technology, and different experiences, to the table.


Major categories included in a security budget should reflect key operational areas:

– Skilled staff (salaries and benefits, consultants)

– Tools and technology (hardware and software purchases, licenses, maintenance)

– In-house operational expenses (data center)

– Contracted services (telecommunications; hosting, managed and/or cloud services)

– Other direct costs, such as travel, conferences and training


Kevin Durkin, CFO of Threat Stack, a cloud security company, suggests focusing on:

– Deciding which pieces of your organization are the most precious. Which ones are absolutely critical?

– Defining the risks as best you can, drilling down to actual numbers if possible in a worst-case scenario.

– Assessing the full return on investment. Don’t just look at your expenditure. How much can security investments save you compared to what a breach might cost you?

– Looking extensively at all the line items in your budget. While some may not appear to be directly related to security, there may be an indirect link.

– Thoroughly assessing the pros and cons of tools in (or to be put into) use. What are you currently using? Are there more effective ones? What are your options?

Some questions may not be applicable in your situation, but you’ll be well served to delve as deeply as you can into them, and to think as creatively and proactively as you can.


Determining the budget you need requires more than measuring the success of past investments. It also revolves around ensuring compliance and providing proof of improvements in incident counts and risk profile to ensure that the spending will result in effective security.

Health care organizations can’t put cybersecurity on the back burner. There will always be new threats. Health IT needs to be a permanent line item.

Minimizing privacy and security risk can be overwhelming and costly. PCG’s affordable Privacy & Security Toolkit provides access to a Virtual Privacy and/or Security Officer along with a library of policies and procedures, standardized training tools, documents, forms, and templates. In addition, the library includes a Privacy and Security Risk Assessment that will guide you in meeting your privacy and security needs at an affordable cost.

