Are security teams blocking innovation in healthcare?
Startup companies don’t always factor in enough security when they build solutions, and that may raise red flags. Flexibility is essential.

In the race to be “the first to introduce a new solution,” the old mindset was, “Get to market and we can secure it later.” That is no longer a viable option because these new applications or systems can create unknown risks.
Cybersecurity is a hot topic. It seems like every day in the news we hear about data leaks, newly discovered vulnerabilities and hacking, all of which can cause embarrassment, reputational harm and financial loss for the unfortunate victims.
That is why it is important to assess the security of any new product or service before it is introduced into an organization’s environment.
Startups and security
Startup companies, typically formed by inventors or entrepreneurs, can become frustrated when the security team of a large healthcare organization (provider or health plan) presents them with a lengthy questionnaire (ranging from 250 to 300 questions) used to assess the security of a product or service offering. These questionnaires are often rooted in older, traditional computing environments and do not address today’s reality of innovative solutions and cloud-based environments.
Often, the questions are poorly written, and only allow for basic yes or no answers, when in the business world, things are not always so binary in nature.
For example, the question, “Do you physically allocate a separate sub-network for public access to the internal network?” assumes there is a traditional internal network. These questionnaires can be the roadblock to innovation in healthcare because if the startup cannot provide the answer expected by the security team, the team may bar the new application or system from being used by their organization.
Additionally, some healthcare organizations may require some type of certification or attestation to various security frameworks, which may be challenging for a startup to achieve, especially in the first couple of years of existence.
These frameworks can include the following:
- The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a way for organizations to demonstrate that information resources within their environment meet various frameworks, standards and regulations that are required in healthcare.
- International Standards Organization (ISO) 27001 is an international standard used for managing information security.
- The Systems and Organization Controls 2 (SOC 2) is used to evaluate the internal controls and operational practices used by organizations to protect their customer data.
Certifications, attestations and questionnaires are evidence based; therefore, they focus on written artifacts such as policies, procedures, plans, forms and the like, which a startup will likely lack compared with a more mature, larger company. And on the downside, information technology staff and entrepreneurs are not typically known for being experts at documentation.
Moreover, while documentation is important, there is not a lot of evidence to demonstrate that a cyber attacker was ever thwarted simply by a set of well-written policies. This lack of documentation may be preventing an innovative solution from seeing the light of day in a healthcare setting.
Because of these factors, the security team at the healthcare organization or the bureaucrats working in the contracting department may be a roadblock to innovation. Some even prevent running a pilot program if the vendor cannot successfully get through the vetting process, which includes the security questionnaire gauntlet.
Keys to information security
Confidentiality, integrity, and availability (CIA) has been referred to as the three-legged stool of information security. Integrity is vitally important for healthcare, and yet, of the three legs, it is the one concept that is the least addressed when it comes to security safeguards and controls.
This is risky. As we introduce artificial intelligence into newer technologies, which may be relied upon for helping to make medical decisions, how can we ensure the integrity of the data being presented? If anything, security teams should be more focused on the data integrity of a new solution.
Have a balanced approach to vendor vetting vs. the possible good to patient care by allowing innovation – understand the organization’s risk tolerance or risk appetite.
For companies offering innovative solutions to providers, here are some keys:
- Include data privacy and security in the design phase. The General Data Protection Regulation (GDPR) uses the concept “Privacy by Design,” meaning data privacy and security controls should be at the forefront of solution design rather than an afterthought.
- Be prepared to at least meet regulatory requirements in healthcare, primarily HIPAA, although complying with the HIPAA Security Rule (written in 1998 and finalized in 2003) does not mean the solution is secure from today’s cyber threats.
- Assign someone with responsibility for data privacy and information security and keep them involved in each step, from product design through deployment and sales.
- Strike a balance between convenience (ease of use) and security. What’s convenient for doctors and clinicians may also make a technology solution easier for attackers to exploit.
To enable a more holistic approach to assessing new solutions, here are some suggestions for clinical, operations and security teams:
- Determine how important the new solution is for fulfilling the organization’s mission. For example, does the innovative solution have the potential to revolutionize patient care, or does the proposed solution just make performing a mundane function more convenient?
- If questionnaires are being used, assign a weighted value to each question so that not all questions carry the same level of importance. Lower-weighted questions should be less of a factor when determining operational risks.
- If attestations or certifications are required, work with the vendor on a reasonable timeline for achieving the requirements.
- Consider allowing a pilot program to at least determine if the solution is viable and if the risks are at an acceptable level.
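One way to act on the weighting and risk-appetite suggestions above, as an added example that is not from the article: a small Python scorer that accepts non-binary answers ("yes", "partial", "no", "n/a"), weights each question, flags critical controls separately, and maps the result to a vetting outcome. Apart from the sub-network question quoted earlier, the question texts, weights and threshold are constructed assumptions.

```python
"""Weighted, non-binary scoring of a vendor security questionnaire.
Added example, not from the article; question texts (except the
sub-network one quoted in the article), weights and threshold are
constructed assumptions."""
from dataclasses import dataclass

# Credit given per answer; "n/a" is handled separately (dropped from the denominator).
ANSWER_CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int             # 1 (low importance) .. 5 (critical)
    critical: bool = False  # anything short of "yes" is a finding

QUESTIONS = [
    Question("Q1", "Is PHI encrypted at rest and in transit?", 5, critical=True),
    Question("Q2", "Is MFA enforced for administrative access?", 4, critical=True),
    Question("Q3", "Are PHI access logs retained and reviewed?", 3),
    Question("Q4", "Do you physically allocate a separate sub-network for public access?", 1),
]

def score(answers, questions=QUESTIONS):
    """Return (weighted score in %, list of critical findings)."""
    earned = possible = 0.0
    findings = []
    for q in questions:
        ans = answers.get(q.qid, "no").lower()  # unanswered counts as "no"
        if ans == "n/a":
            continue  # question does not apply to this architecture
        if ans not in ANSWER_CREDIT:
            raise ValueError(f"{q.qid}: unknown answer {ans!r}")
        credit = ANSWER_CREDIT[ans]
        earned += q.weight * credit
        possible += q.weight
        if q.critical and credit < 1.0:
            findings.append(f"{q.qid} ({ans}): {q.text}")
    pct = 100.0 * earned / possible if possible else 0.0
    return round(pct, 1), findings

def decision(answers, risk_appetite_pct=75.0):
    """Map score and findings to a vetting outcome for management."""
    pct, findings = score(answers)
    if findings:
        return "remediate critical findings before pilot", pct, findings
    if pct >= risk_appetite_pct:
        return "accept", pct, findings
    return "pilot with compensating controls", pct, findings
```

A cloud-native vendor can answer "n/a" to the sub-network question without being penalized, while a "partial" on MFA still surfaces as a finding regardless of the overall score.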
The bottom line is that no business runs risk free. The goal for a security team should be to assess risks and help the executive management team make an informed business decision.
By Tom Walsh, CISSP, founder and managing partner of tw Security.
Return to the May 2023 cover story.
