As cyber threats become both more frequent and sophisticated, it’s essential for healthcare companies to strengthen their cybersecurity posture and safeguard the electronic protected health information (ePHI) within their IT ecosystems and communications. This begins with a comprehensive cyber risk assessment that spans infrastructure, applications and communications.
A cyber risk assessment enables healthcare companies to focus their attention on the IT areas that need the most improvement, allowing them to be more effective in their threat mitigation efforts. This not only reduces the chances of cyber attacks but helps them align with HIPAA’s guidelines and maintain the operational integrity required to best serve their patients and customers.
Let’s discuss why it’s vital that healthcare companies conduct thorough cyber threat risk assessments and the steps your organization can take to carry one out effectively.
Why Are Cyber Risk Assessments Crucial for Healthcare Organizations?
In an increasingly digitized healthcare landscape, conducting regular risk assessments is essential for companies of all sizes, in every industry. For healthcare companies, charged with protecting patient data, it’s especially critical and often a compliance requirement. Electronic PHI, which contains details of an individual’s health history, including current conditions, past illnesses and procedures, prescribed medicine, etc., is very sensitive in nature, so healthcare companies must go the extra mile to ensure its protection in transit and at rest.
Performing a cyber threat risk assessment is the first step to achieving this critical requirement. A risk assessment allows you to identify all of the ePHI within your business, understand the threats it faces, determine gaps in your cybersecurity posture, and, most importantly, mitigate them.
Additionally, from a compliance perspective, conducting regular risk assessments is a key requirement of HIPAA’s Security Rule. Consequently, healthcare companies must carry out periodic risk assessments if they want to comply with HIPAA regulations, and avoid the consequences of non-compliance. A risk assessment provides documented evidence, to auditors, supply-chain partners, and others, that you are conscious of security concerns and have taken the proper steps to mitigate them.
How Do You Conduct A Cyber Risk Assessment?
Now that we’ve discussed their importance, let’s turn our attention to how healthcare organizations can conduct effective cyber risk assessments.
Identify Assets
The first, and, arguably, most important step of a risk assessment is identifying your organization’s digital assets, which include:
- Hardware: endpoint devices (desktops, laptops, smartphones, etc.), servers, network equipment, medical equipment, etc.
- Systems, infrastructure and applications: operating systems, cloud services, etc.
- Data, i.e., ePHI
Now, the reason asset identification could be considered the most crucial part of a risk assessment is that a healthcare organization‘s security teams can’t protect what they aren’t aware of!
Consequently, weeding out instances of “shadow IT”, i.e., the use of applications and/or systems without the approval of a company’s IT department is essential. Otherwise, you could have cases in which ePHI is used in applications, resides on databases, and so on – without it being adequately safeguarded.
Once you’ve identified your assets, you need to classify them: based on their sensitivity and potential impact if a security incident were to occur.
Identify Vulnerabilities and Threats
Having successfully catalogued your assets, you must now establish the factors most likely to compromise their security. This first means pinpointing the vulnerabilities in your IT ecosystem, which could include:
- A lack of encryption, or weak standards
- Lax access controls
- Weak password policies
- Lack of monitoring and logging
- Outdated software (with some no longer being supported by its vendor)
- End-of-life hardware
- Infrequent back-ups
- Unverified or insecure third-party vendors
When you have a better understanding of these vulnerabilities, which are called attack vectors, you can then determine the most likely threats to ePHI based on the gaps in your security posture. These include:
- Data breaches or exposure
- Malware, e.g., ransomware, viruses, spyware, etc.
- Social engineering phishing
- Insider threats (whether through malice or human error)
- Distributed Denial of Service (DDoS) attacks
Fortunately, there is an array of scanning tools that will help you find your cybersecurity vulnerabilities. As far as understanding the main threats to your sensitive patient and customer data, you need to keep up with the latest in threat intelligence. Cybercriminals are always devising new ways to infiltrate healthcare organizations’ networks, so your security teams must remain aware of emerging cyber threats.
Risk Prioritization
So, now you have catalogued your assets, determined their vulnerabilities, and identified the threats. However, implementing cyber threat mitigation measures requires resources – namely time and money – so you must prioritize which risks to mitigate first, based on their likelihood and impact.
First, how likely is a threat to exploit a vulnerability? Healthcare organizations typically determine this through existing threat databases, such as MITRE, as well as keeping up-to-date on the latest threat intelligence and determining how it pertains to your company.
Secondly, evaluate the potential impact, or consequences, of a threat actually manifesting, i.e., a an email breach or a malicious actor successfully pulling off a cyber attack and infiltrating your network. When analyzing the potential impact, consider the financial, operational, reputational, and compliance implications.
Report Findings
At this point, you should report the findings of the risk assessments to your company’s key stakeholders, e.g., upper management, compliance officers, IT management and security, etc. This ensures that decision-makers understand the nature of the top threats facing your organization, their potential business impact, and the urgency of implementing mitigation controls.
This also helps security teams secure the resources they need to bolster their cybersecurity posture accordingly. An additional benefit of this reporting is that it provides an audit trail for compliance efforts, as it demonstrates your efforts to better protect patient and customer data.
Implement Mitigation Measures
Now, we’ve come to the point in the risk assessment process where you act on your due diligence and implement the policies and controls that will better protect patient data and comply with HIPAA guidelines.
Mitigation measures broadly fall into three categories:
- Preventive: e.g., encryption, access control, user authentication (e.g., multi-factor authentication (MFA))
- Detective: e.g., vulnerability scanning, continuous monitoring
- Corrective: e.g., incident response, backups and disaster recovery
A robust cybersecurity posture requires a combination of all three. Your risk assessment may reveal that your organization is strong in one aspect but less so in others, or you may need to bolster your efforts across the board.
Document Your Risk Mitigation Measures
Create a risk mitigation implementation report that details how your organization executed its cyber threat mitigation strategies. This should include:
- Affected assets: the parts of your IT infrastructure (servers, databases, etc.) and applications you identified as vulnerable and the severity of their corresponding threats.
- Mitigation actions: the specific action(s) undertaken to mitigate cyber threats against the asset, e.g., enhancing encryption standards, strengthening password policies, conducting cyber threat awareness training, etc.
- Technical details: where applicable, such as a particular update applied to an application, how a system has been configured, which new software solution has been deployed, and so on.
- Post-mitigation risk assessment: re-evaluate the risk level of each asset after the implementation of new security measures.
- Monitoring and compliance: detail how the organization will monitor the efficacy of the implemented measures, as well as how your enhanced controls and policies align with compliance standards (e.g., HIPAA, NIST, HITRUST, etc).
As with the report for stakeholders after the initial stages of the assessment, the risk mitigation implementation report also leaves a compliance audit trail, which will become all the more important when the proposed changes to the HIPAA Security Rule come into effect.
Continuous Monitoring and Review
As detailed in your risk mitigation implementation report, you must continuously monitor your IT infrastructure to assess the effectiveness of your newly implemented policies and controls. This process also mitigates cyber risk, in and of itself, as it provides fewer opportunities for malicious actors to breach your network: you’ll have systems in place to alert you of suspicious activity.
Additionally, you must regularly reassess your organization’s cyber risks as new threats emerge, your IT ecosystem evolves, or if you succumb to a cyber attack.
How Often Should You Conduct Cyber Risk Assessments?
Healthcare organizations should carry out a cyber risk assessment at least once a year, with respect to time, or when they make changes to their IT infrastructure. With the proposed changes to the HIPAA Security Rule on the horizon, now is an opportune time to conduct a risk assessment and measure your cyber threat readiness against the new stipulations of the soon-to-be-updated Security Rule.
Also, as alluded to above, if you suffer a security incident, you must conduct a post-breach assessment, once the threat is contained, to establish how a malicious actor breached your network – and how to prevent it from happening again.
How LuxSci Helps Mitigate Cyber Risk in the Healthcare Industry
With more than 20 years of experience, LuxSci has developed the required expertise to make secure communication solutions tailored to meet the stringent cyber risk mitigation needs of the healthcare industry.
LuxSci’s suite of HIPAA-compliant communication solutions includes:
- Secure Email: HIPAA compliant email solutions for executing highly scalable, high volume email campaigns that include PHI – millions of emails per month.
- Secure Forms: Securely and efficiently collect and store ePHI without compromising security or compliance – for onboarding new patients and customers and gathering intelligence for personalization.
- Secure Marketing: proactively reach your patients and customers with HIPAA marketing campaigns for increased engagement, lead generation and sales.
- Secure Text Messaging: enable access to ePHI and other sensitive information directly to mobile devices via regular SMS text messages.
Interested in discovering more about how LuxSci can help you protect your patient’s ePHI, mitigate cyber risk, and ensure HIPAA compliance for your email and communications? Contact us today!
