Tuesday, February 18, 2020 12:00 PM

Cyber Security Risk Management 101

Written by Guy McAllister, Director, Privacy & Security - iatricSystems


According to the Fortified Health Security 2020 report, the healthcare industry is expected to experience a 10-15 percent increase in the number of entities breached in 2020, with providers being the most targeted and exploited segment.

Why? The reason is simple: healthcare organizations handle large amounts of high-value data, including Social Security numbers, insurance information, addresses, detailed health records, and more.

Data breach costs are highest in the United States, where the average cost of a breach is $8.19 million and the average cost per record is $242. The total average cost of a healthcare data breach in the United States is $15 million. It makes sense that cyber criminals want to get their hands on your data, yet too often organizations fall back on an "it won't happen to us" mentality.

While large hospitals make headlines for breaches, smaller healthcare organizations are targeted more often because they tend to have lower security budgets and lack the resources to keep up with the latest threats. This not only makes them vulnerable in their own right; the trusted connections they maintain with larger institutions (data interfaces, vendor links, shared portals) can become a backdoor into those institutions as well.

At this point, you're probably thinking, "so everyone is at risk of a major breach?!" And to that I say, well yeah, potentially, but I'm not here to scare you. I want to make sure you have the tools and the know-how to measure risk, identify your gaps, and close them, so that you, your patients, and your colleagues stay safe.

When it comes to security, two heads are always better than one. We recently partnered with GreyCastle Security to share our combined expertise in security risk management.

Take a first look below at some of the information we will be covering in an upcoming webinar on risk management 101.

Phase 1: Complete a Risk Assessment
The entire process is eight steps and includes inventorying all of your assets (the hardware, software, data, vendors, and interfaces that touch patient information), identifying the threats and vulnerabilities that apply to each, rating the likelihood and impact of a weakness being exploited, and more. By completing a risk assessment, you should be able to answer these three questions:

  • What should I be doing?
  • In what order should it be completed?
  • How much of it should I be doing?

Phase 2: Develop a Risk Mitigation Plan
Now that you have a full picture of your gaps and security vulnerabilities, the next goal is to prioritize the actions you need to take based on each item's risk level (high, medium, or low, derived from the likelihood and impact you rated during the assessment).

This will determine what measures, if any, need to be completed to improve your current security posture. Risk mitigation includes everything from prioritizing actions to conducting a cost-benefit analysis and developing a plan to implement controls. Some risks will be accepted rather than mitigated; record that decision and who made it, because an undocumented accepted risk looks identical to an overlooked one when an auditor or investigator reviews your assessment.
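As an added example (not code from this post, iatricSystems, or GreyCastle Security), the Python below scores a constructed risk register on assumed 1-to-5 likelihood and impact scales, buckets each finding into high, medium, or low, and orders the mitigation plan the way Phase 2 describes: risk level first, then cost-benefit (risk reduction per dollar of control cost) within a level. The findings, scales, thresholds, and costs are all assumptions chosen for illustration.

```python
"""Score a risk register and order a mitigation plan.

Constructed example for this post. The 1-5 scales, the high/medium/low
thresholds and every finding below are assumptions, not data from any
real assessment.
"""
from dataclasses import dataclass

# Sort order for risk levels: high risks are addressed first regardless of cost.
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe, e.g. large ePHI exposure)
    control: str
    control_cost: float       # assumed annualized cost of the control, in USD
    residual_likelihood: int  # likelihood once the control is in place
    residual_impact: int      # impact once the control is in place


def risk_score(likelihood: int, impact: int) -> int:
    """Inherent risk as likelihood x impact on the 1-5 scales (range 1..25)."""
    for rating in (likelihood, impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} is outside the 1..5 scale")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Bucket a score into high/medium/low. Thresholds are an assumption;
    each organization sets its own according to its risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def reduction_per_dollar(f: Finding) -> float:
    """Cost-benefit figure: points of risk removed per dollar of control cost."""
    inherent = risk_score(f.likelihood, f.impact)
    residual = risk_score(f.residual_likelihood, f.residual_impact)
    if residual > inherent:
        raise ValueError(f"control for {f.asset!r} would increase risk")
    if f.control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (inherent - residual) / f.control_cost


def prioritize(findings):
    """Order findings by risk level, then by best cost-benefit within a level."""
    def key(f: Finding):
        level = risk_level(risk_score(f.likelihood, f.impact))
        return (LEVEL_ORDER[level], -reduction_per_dollar(f))
    return sorted(findings, key=key)


def mitigation_plan(findings):
    """Return the ordered plan as plain dicts (easy to dump to a tracking sheet)."""
    plan = []
    for f in prioritize(findings):
        score = risk_score(f.likelihood, f.impact)
        plan.append({
            "asset": f.asset,
            "level": risk_level(score),
            "score": score,
            "control": f.control,
            "residual": risk_score(f.residual_likelihood, f.residual_impact),
            "reduction_per_dollar": round(reduction_per_dollar(f), 5),
        })
    return plan


# Constructed register: six findings a small provider might plausibly record.
SAMPLE_FINDINGS = [
    Finding("Interface engine server", "unpatched OS, reachable from user VLAN",
            4, 5, "patch and move to a segmented network", 12000.0, 1, 5),
    Finding("Billing workstations", "shared local administrator password",
            4, 4, "unique managed local admin passwords", 2000.0, 2, 4),
    Finding("Nurse station PCs", "no automatic screen lock",
            5, 2, "enforce screen lock by group policy", 500.0, 2, 2),
    Finding("Vendor VPN gateway", "remote access without MFA",
            3, 5, "require MFA for all vendor accounts", 6000.0, 1, 5),
    Finding("Backup tapes", "stored unencrypted off site",
            2, 5, "encrypt backups before they leave the site", 4000.0, 2, 1),
    Finding("Lobby check-in kiosk", "default vendor credentials",
            3, 2, "change default credentials", 100.0, 1, 2),
]

if __name__ == "__main__":
    for row in mitigation_plan(SAMPLE_FINDINGS):
        print(f"{row['level']:<6} {row['score']:>2} -> {row['residual']:>2}  "
              f"{row['reduction_per_dollar']:.5f}/$  {row['asset']}: {row['control']}")
```

Note the kiosk: it has the best cost-benefit ratio in the register but still lands last because it is a low risk. Cost-benefit orders work within a level; it never promotes a cheap low-risk fix over an expensive control that addresses a high risk, which is the "based on the risk levels" rule above.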

Phase 3: Evaluate and Assess
Risk management is a cycle, not a one-time project, so build a recurring assessment into your calendar. Evaluation also means verifying that the controls you planned in Phase 2 were actually implemented and are working as intended, and re-scoring the residual risk once they are in place. Whenever something material changes (new hardware or technology, a new location, a new vendor connection, a change in leadership), restart from Phase 1 rather than waiting for the next scheduled cycle.

I’ve only scratched the surface here when it comes to fully discussing risk management. To get the full picture, including a step-by-step approach to risk assessments and risk mitigation, register for our educational webinar on February 25th at 11 am EST.

Join us as we’ve teamed up with GreyCastle Security to present The Do’s and Don’ts of Performing Effective HIPAA Risk Assessments. Register Now!
