The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.


Information Security and Why You Need a Cybersecurity Risk Assessment


You want to be HIPAA-compliant? You need to perform a risk assessment.

It should come as no surprise that security research consistently shows the healthcare industry to be a prime target for hackers and assorted cybercriminals.

From insurance companies to small doctors' offices, research facilities, and hospitals, all hold a treasure trove of personal information that criminals are itching to get their hands on.

Not involved in the healthcare industry? If you're in manufacturing, financial services, government, or transportation, you're not off the hook either: those industries round out the top five targets.

“Only” a small business and think you're safe?

 HA!

Think again. Cyberattacks on small businesses continue to increase as criminals realize that they are easier targets. Some research shows that 43% of phishing attacks target small businesses and that 1 in 40 small businesses will be targeted (expect that second number to grow).

What Can I Do?

Every company needs a security strategy and the basic elements of data and network security: data backup, antivirus software, network monitoring, and so on. You can either handle that yourself or outsource it to a managed network partner.

You can also perform a risk assessment on your company. The remainder of this post is geared toward HIPAA compliance. That said, a cybersecurity risk assessment can be done for any industry, whether you need to comply with other industry-specific regulations or just want to ensure your security strategy is as airtight as possible.

Healthcare providers, payers, clearinghouses, business associates, and their subcontractors all must comply with HIPAA.

I want to remind all of you reading this that there is no such thing as HIPAA-in-a-box compliance!

There are technologies that can help you implement your HIPAA-compliance strategy, but you can't buy HIPAA compliance.

Breaches cost money. Research from the PwC Health Research Institute estimates that a data breach costs $200 per patient record.

The cost per record will vary for other industries, but can you afford that? There's also the hit to your reputation and other under-the-radar costs that can be more harmful to business success than the initial cost.

Assess Your Risk

How at risk are you? It's hard to defend yourself properly if you don't know the potential points of exposure.

That's why a cybersecurity assessment is so useful. By discovering gaps and cracks in your security and the potential to lose PHI (protected health information) to a data breach, you can prioritize and take steps to present a nearly impenetrable wall to hackers ("nearly" because 100% information security is impossible, regardless of what advertising and marketing materials say).

The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires a risk analysis: "Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI."

This isn't just an exercise performed on paper or whiteboards; a technical review needs to be completed as well.

ecfirst, a provider of compliance and security training and solutions, outlines seven steps to enterprise HIPAA compliance:

  1. Security responsibility
  2. Risk analysis
  3. Security strategy and policies
  4. Remediate
  5. BA supply chain
  6. Training
  7. Evaluate

Assessing Risk: Getting Started

The first step is to gather documentation. A partial list:

  • Security plan
  • Any previous risk analysis
  • Vulnerability planning and most recent scan results
  • Network penetration testing policy and procedure and most recent results
  • Encryption measures
  • User access rules and processes
  • Physical security
  • Data backup strategy and procedures
  • PII/PHI policies and procedures, including a staff org chart with compliance responsibilities

Risk Assessment: What Needs to Be Assessed?

Great, you're thinking. What specifically do I need to assess? Here's a list:

  1. Document regulations and standards that your business is mandated to comply with (privacy, security, Federal or state)
  2. Assess policies
  3. Assess procedures
  4. Review asset management process and documents
  5. Review vendor agreements
  6. Assess deployed security controls
  7. Identify missing security controls
  9. Assess the state of encryption implementation (data at rest and in transit)
  9. Review cloud security for deployed apps and PII/PHI
  10. Conduct a technical vulnerability assessment for both external and internal threats
  11. Conduct wireless assessment
  12. Review firewall architecture and configuration
  13. Review mission-critical applications and their security
  14. Assess requirements for penetration testing
  15. Evaluate risk management program
  16. Assess quality and depth of security awareness training
  17. Review information security skill capabilities
  18. Assess executive priority and reporting structure for security and compliance 

I know; it's an intimidating list. 

Regardless of how intimidating the list looks, working through it is still good for your business. One element of that risk assessment is assessing your networks, so that is a sensible place to start.