No matter the size or scope of your healthcare IT practice, it is essential that you mitigate cyber risk to protect your practice and your patients. The specific IT and cybersecurity needs of each practice will vary, but the reality of healthcare cyber threats impacts every practice.
Healthcare cyberthreats continue to grow and evolve. In recent years, the move toward cloud-based computing, remote patient monitoring, telehealth, and the use of more technology in general have introduced new security complexities. Additionally, healthcare continues to be a top cyber-attack target, because healthcare organizations hold far more information that is of high value to cyber criminals than other businesses do. (For example, stolen health records may sell for 10 times or more than stolen credit card numbers on the dark web.)
As security threats and the consequences of those threats evolve and expand, cybersecurity should not be viewed solely as an IT issue, but rather as an overarching strategic priority for your practice. By prioritizing cybersecurity, you minimize security-related impacts to patient safety, risk management, business continuity, and your practice’s financial health.
Whether you have an internal or external resource managing your practice’s data security or are just getting started on your cybersecurity journey, a risk assessment is a great place to start to identify:
- How to optimize your investment in cybersecurity
- Where your practice is vulnerable and how to close those gaps
- How to prevent HIPAA fines, OCR audit findings, and data breaches
- How to make your EHR and other systems more secure
What Exactly Is a Cybersecurity Risk Assessment?
A cybersecurity risk assessment is an analysis of your organization’s cybersecurity controls. It can help you understand, manage, and mitigate all forms of cyber risk, including data breaches and hacks. It can also give you a high-level view of your network’s vulnerabilities. An assessment can vary in depth from a very cursory review of a specific system to an in-depth cybersecurity audit of your entire network. Regular cybersecurity risk assessments should be part of every healthcare practice’s risk management strategy and data protection efforts. By conducting regular cybersecurity tests and assessments, you enable your practice to uncover and fix vulnerabilities before they are exploited.
Why Does My Practice Need a Cybersecurity Risk Assessment?
HIPAA compliance requires medical facilities to conduct a security risk analysis at least once per year or any time changes are made to security procedures. If your practice is small to medium sized, you may think that you do not face the same level of risk as enterprises when it comes to cyber-attacks. However, smaller practices often have weaker defenses in place to protect them. 30% of U.S. small businesses have weak points that bad actors can exploit. Additionally, the cost and impact of security threats can be much greater for smaller organizations. In 2021, the average cost of a healthcare data breach rose to $9.3 million per incident, and it took an average of 212 days to identify a data breach (and another 75 to contain it). This not only causes business disruption and revenue losses from system downtime, but also diminishes your practice’s reputation and patient trust. By taking time to assess your security vulnerabilities and build a plan to address them, you help protect your practice and your patients’ data from these impactful losses.
How to Approach Your Risk Assessment
Though they will vary from practice to practice, every cybersecurity risk analysis should involve:
A defined scope based on your practice’s objectives
Before you begin a cybersecurity risk assessment, it is important to define the scope of the assessment. Start by taking stock of all of your hardware and software systems. The assessment should cover any practice-critical system where protected health information is stored (likely your EHR and any systems involved with your cloud computing) and the people and processes surrounding those systems. The scope of your analysis should include:
- Vulnerable points most likely to get hit by attackers
- Security policies and procedures
- Where your data backups are stored
We suggest that your analysis include:
- A summary of the protected health information (PHI) created, transmitted, or received by your practice.
- The location(s) where you store PHI, both physical and digital.
- An analysis of current security measures employed by your practice.
- An overview of any potential threats or vulnerabilities that could pose a security risk.
- The likelihood of each potential threat identified.
- A description of the impact threats would have on your practice.
While it might seem like a lot of information to cover, there are plenty of risk assessment tools available to make sure you don’t miss any important elements. This will help you maintain HIPAA compliance and ensure the protection of your patients’ health information.
A strong assessment tool
Depending on the scope of your assessment, different security assessment tools will be appropriate. As a starting point, we suggest referencing HealthIT.gov’s Security Risk Assessment (SRA) Tool. This tool was developed by the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare & Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program. An expert managed security provider can guide you and help you choose the best assessment methods and tool(s).
A thorough analysis of findings and threats
During your assessment, consider each vulnerability and give it a likelihood rating on a scale from 1 to 5, with 1 being highly likely to affect your organization soon and 5 being improbable. Then, consider how much damage a compromise of each vulnerability may cause. Make a matrix based on both of these ratings, like the one below, with likelihood across the top and severity of damage down the side:

| | Very Rare | Unlikely to Occur | May Occur | Will Likely Occur | Almost Guaranteed to Occur |
|---|---|---|---|---|---|
| Very Severe Damage | | | | | |
Based on this analysis, you will clearly see which vulnerabilities stand to cause the most damage to your practice, and you can prioritize plans to manage your cybersecurity resources most effectively.
A plan to address findings
Your cybersecurity risk assessment is only effective if you act upon what you learn. Ensure you document an actionable, prioritized plan to address each vulnerability. We suggest including:
- A risk mitigation calendar to schedule all risk analysis and prevention tasks
- Specific roles for those responsible for addressing the gaps
- Specific dates to test security incident response
- Implementation of security event incident management software
- A regular cadence to complete another cybersecurity risk assessment (to keep tabs as your systems and risks evolve)
Secure Your Systems with Physician Select Management
It is crucial that you regularly test and assess your cybersecurity vulnerabilities as part of your risk management process. When you act on the results of a cybersecurity assessment, your organization will be more digitally secure and less vulnerable to cyberattacks. A cybersecurity partner who specializes in your systems and in practices of your size can make risk assessments more efficient and effective. Physician Select Management has state-of-the-art cybersecurity tools and decades of expertise to assess your risk and help you eliminate vulnerabilities. Learn more about how we can help keep your practice on the right side of HIPAA and other standards and protect it from emerging cyberthreats, here.