The last few years have thrown many curveballs, like Covid, cyberinsurance changes, and a record number of attacks, at healthcare IT and Security teams. During these trying times, many teams were understaffed and resource-constrained, trying to put out daily “fires” while helping maintain efficient patient care. As a result, some fundamental elements of the organization’s security program, such as conducting risk assessments, may have been put on the back burner. According to the IBM Cost of Data report, healthcare data breaches broke through the $10M ceiling for the first time this year. In the same report, healthcare claimed the top spot for the greatest breach-related damages for the 12th consecutive year. With Cybersecurity Awareness Month here, your risk assessment program should be reviewed as you look toward new projects in 2023.
Risk Assessments in Cybersecurity
Risk Assessments (RAs) are a point-in-time review of the processes and controls that protect sensitive information and critical resources within the organization’s environment. As your environment changes, so do your risks. Although that simple fact sometimes gets lost in the noise, it’s advisable to routinely revisit your RA throughout the year to ensure progress on remediation and to help identify any new potential risks. Assessment of risks should be a continual process that includes monitoring for potential exposure from both internal and external sources. Changes to the operational environment (e.g., replacing a security tool, interfacing with a new vendor, or expanding physical locations) inherently introduce risk to the organization. Such changes should include an assessment to identify the potential risks that accompany the change. Still, it’s important to emphasize that regardless of how the RA is carried out, making progress toward closing gaps is critical. Not following through on remediation efforts increases the likelihood of a cyber incident and may impact decisions from governing bodies. Cyber insurance providers have also increased requirements on healthcare organizations, often with letters of attestation affirming diligence in identifying and remediating vulnerabilities.
Cybersecurity maturity is a journey, and RAs can serve as excellent guideposts. Knowing where you are and the risks around you, then planning your path forward, improves your chances of success. There are many ways to tackle RAs, such as choosing frameworks like HIPAA or NIST-CSF, or following guidance from organizations like 405(d) and Fortified Health Security. But again, as a reminder, RAs are a snapshot in time; as new threats emerge, a routine review of your current cybersecurity posture is recommended. Suggested items for an evolving RA checklist include: monitoring OCR and HHS threat trends, early review of cyber insurance renewals, and interacting with other healthcare IT leaders at conferences or events like Fortified Roundtables.
Fortified’s Risk Assessment team uses many of these processes when working with healthcare organizations. Additionally, Fortified’s team focuses on building context and intelligence around an evidence-based assessment. In cybersecurity, context is vital to gauge the amount of actual risk to your organization. Taking a deeper dive into the post-RA materials, rather than viewing them as just report-outs, is a big step toward a more mature cybersecurity posture. In the post-RA period, the focus should be on prioritizing and planning the remediation of the risks found. Remember, finding an issue and leaving it unremediated can have negative impacts. Having the people and resources in-house is a luxury many healthcare organizations can’t support. When working with a third-party assessment firm like Fortified, additional assistance can be brought in to support the people, processes, and controls needed for the project.