The healthcare industry experienced an all-time record for data breaches in 2021, according to HIPAA Journal. And between 2009 and 2021, the Office for Civil Rights of the Department of Health and Human Services (HHS) reported 4,419 healthcare data breaches of 500 or more records, and those breaches included over 314 million healthcare records. All the while, healthcare organizations have been working diligently to improve their cybersecurity maturity postures to safeguard patient and employee data. It’s a constant challenge.
But the challenge doesn’t stop at healthcare organizations. Even the HHS has had its setbacks. In May 2022, following an audit of Federal Information Security Modernization Act requirements, the Office of Inspector General found the HHS information security program was “not effective,” as it failed to meet the managed and measurable maturity level in four function areas. Consistent with 2020 findings, the audit revealed weaknesses in risk management and contingency planning.
Healthcare organizations can learn from the ongoing challenges of the HHS. Performing risk assessments and developing a contingency or incident response (IR) plan are critical components of a comprehensive cybersecurity program.
Perform risk assessments
A risk assessment allows you to identify and analyze every asset on your network that may be vulnerable to cyber threats. The assessment provides answers to some fundamental cybersecurity questions that your organization needs to know to stay safe and in compliance. How is your network structured? What apps are you running and on what devices? What data are you storing? How do users access the data? What security controls are in place? Where are the vulnerabilities that could be exploited?
Once you know the answers to these questions and others, your healthcare organization can minimize any gaps between policies, controls, and operations and make more informed decisions about how to defend against a cyberattack and stay in regulatory compliance. Performing a risk assessment is a great start to a solid cybersecurity program, and ongoing assessments can keep your healthcare organization on stable footing as the cyber landscape evolves.
“A risk assessment delivers practical insight into existing cyber risk levels and HIPAA compliance with recommendations for mitigation,” said Richard Varela, Senior Product Marketing Manager at Pondurance. “With those recommendations — and help implementing them, if required — our clients can achieve the standards of a comprehensive cybersecurity program outlined by the HIPAA Security Rule and reduce risk with minimal time and expense.”
Develop an IR plan
Before your team ever experiences a cyber threat, you need an IR plan in place. An IR plan is a set of instructions that prepares your healthcare organization to respond to a threat. The plan gives your cybersecurity team a playbook for how to rapidly respond to a threat, minimize damage and loss, and prevent future compromise.
“The ramifications of a breach can be catastrophic for healthcare organizations because they work with so much sensitive data,” said Richard. “A good IR plan includes the proper technologies to ensure comprehensive visibility into the threats and incidents that could harm a healthcare organization and puts a plan in place to deal with them rapidly before there is any significant impact to the organization or its patients.”
If your healthcare organization does not have an IR plan or has a plan that is “not effective,” like the HHS plan, you should draft a new plan or update your current one and start building an IR team that can effectively detect and respond to security incidents. If you don’t have the resources to create your own in-house IR team, your healthcare organization should consider using a security solutions provider that knows how to evaluate your vulnerabilities and make a proper assessment of your cyber environment.
Healthcare organizations and government agencies have indeed experienced challenges with their cybersecurity programs, but your organization can learn from the HHS audit. Make sure your organization performs an effective risk assessment to keep your data safe from cyberattacks and has a comprehensive IR plan in place to know how to take prompt action in the event of a cyber threat. Take the first step. Find out how a Pondurance Risk Assessment can quickly identify and analyze what your healthcare organization should do to stay protected and in compliance.