Healthcare Scenario


Scenario


A community hospital handles patient records electronically that it is obligated to protect. Like many hospitals it uses standard safeguards including encrypted databases, multi-factor authentication (MFA), and recurring employee training.


However, the hospital chooses not to implement a $500,000 AI-based intrusion detection system due to cost constraints.

Is the hospital neglecting its data security responsibility with this decision?



The HIPAA Security Rule requires covered entities to protect the confidentiality, integrity, and availability of electronic protected health information through safeguards that are “reasonable and appropriate.”


To define what constitutes reasonable and appropriate within their specific context, the organization conducts a risk assessment and determines the following:

  1. The probability of an advanced intrusion is low.
  2. There is a moderate level of risk.
  3. The cost of the proposed solution is disproportionately high given the size and budget of the hospital.
  4. Alternative safeguards (e.g., regular audits, endpoint detection tools, data protection training) provide sufficient mitigation.


The risk assessment showed that the associated risk fell within a reasonable and acceptable threshold, and its results supported the hospital’s decision to forgo the costly security tool.

  1. The hospital made its choice after performing a cost-benefit analysis.
  2. The hospital followed industry standards and applied the flexibility built into HIPAA to implement security measures appropriate to its size and risk profile.
  3. The hospital did not ignore the risks; it chose safeguards that made sense given the level of threat and the resources available.


If a breach occurred, regulators would determine whether the chosen security measures met the level of protection that would reasonably be expected from a similar organization.


Key Takeaway


Healthcare organizations are not expected to eliminate every threat. A Reasonable Risk approach focuses on applying safeguards to reduce risks to an acceptable level that reflects the organization’s resources, operational requirements, and accepted industry practices.


About DoCRA

The Duty of Care Risk Analysis Standard provides principles and practices for evaluating cybersecurity risk in a way that balances harm to others with burdens on the organization. It is used by regulators, legal teams, and risk professionals to ensure risk decisions are fair, consistent, and defensible.


Learn more at: https://docra.org


About Reasonable Risk


Reasonable Risk is a SaaS platform that automates the DoCRA Standard to help organizations make defensible cybersecurity risk decisions—clearly, collaboratively, and continuously. With contextual risk scoring, dynamic dashboards, and full audit trails, Reasonable Risk turns cyber risk into business intelligence.


Visit: https://reasonablerisk.com
