Managing cyber risk inside a healthcare organization now has far-reaching implications beyond an OCR investigation’s potential fines and penalties. Cyberattacks and breaches are costlier than ever, to the tune of $10 million on average, and may substantially impact patient safety, mortality, length of stay, and delays in care. This has downstream impacts resulting in class action lawsuits and skyrocketing cybersecurity insurance premiums.
While cyber insurance companies raised premiums throughout 2021 and 2022, up another 28% year over year in the first quarter of 2022, others are completely excluding some types of cyberattacks from their policies’ coverage. And while this is largely due to the rising cost of a healthcare breach, it’s also likely due to the rise in lawsuits. In fact, according to the 2022 Class Action Survey, nearly 43% of the next wave of class action lawsuits is predicted to be related to privacy and security.
Now is the time to focus on developing, implementing, and managing a cybersecurity program that decreases your organization’s chances of a breach and reduces the cost of response and recovery if one does occur. Here are seven foundational steps to building your program.
- Determine priority and scope
When developing your cyber risk management program, it’s essential to think about your organization’s strategy, goals, and objectives. Ask: How can your program facilitate meeting these goals? Does your current cybersecurity program support or deter you from those goals? What do you need to do to get headed in that direction?
Whether you have industry or regulatory requirements or you just want to manage your cyber risk better, you may find it helpful to get started on this journey by adopting a cybersecurity framework. A framework, for example, like the NIST Cybersecurity Framework (NIST CSF), can help you think through appropriate potential components, prioritize your efforts, and better understand the scope and objectives of your risk management program.
Security controls are the building blocks of a security program-for example, the administrative, physical, and technical safeguards required by HIPAA. You can use a framework and then fit those building blocks onto your framework as you need them for your program.
Beyond knowing you’re following best practices and protecting your systems and data, healthcare organizations have additional incentives to adopt a recognized security framework, like the NIST CSF or 405(d) HICP frameworks. Thanks to recent legislation, if you find yourself under OCR investigation and can provide proof that you’ve had a recognized security framework in place for 12+ months, OCR must consider this. For some, this could mean early termination of the audit or investigation and a more favorable outcome, like mitigated fines and penalties.
- Understand your current security program maturity
A cybersecurity program performance assessment can help you identify the status of individual cybersecurity controls within your overall program. You can isolate and evaluate control building blocks and their adoption levels, including definition, implementation, evolution, and validation.
- Conduct an OCR-quality risk analysis
Understanding your current IT security risk profile will help you better understand where you have vulnerabilities that might be exploited, the controls that are in place or could be put in place to reduce the risk, and the potential impact on the organization if a breach were to happen.
Risk analysis is not just a good idea; your organization must conduct an OCR-Quality® Risk Analysis to meet the requirements of the HIPAA Security Rule.
There are several elements you’ll want to include in your risk analysis based on OCR guidance:
- Scope of analysis
- At a minimum, all systems, applications, and associated components are used to create, receive, maintain or transmit ePHI
- Don’t forget all forms of electronic media
- Data collection
- Identify where ePHI is located
- Document reviews
- Document potential threats and vulnerabilities
- Reasonably anticipated threats
- Existing vulnerabilities
- Assess current security measures
- Assess security measures to determine if they’re configured and used properly
- Document security measures
- Determine threat occurrence likelihood
- Consider the probability or likelihood of threats exploiting vulnerabilities
- Document threat vulnerability combinations and associated likelihood determinations
- Determine potential threat occurrence impact
- Determine criticality or impact on your organization
- Qualitative or quantitative
- Determine risk level
- Assign risk levels to threat, vulnerability, and asset triplets
- Finalize documentation
- Document risk analysis
- Define your target profile
Earlier, we mentioned it’s essential to begin this journey by understanding your current security program profile. At this stage of your program development, it’s time to establish and work toward your target profile, which should align with your strategies, goals, and objectives.
A target profile is a look toward your future cyber maturity. You can use it to define your organization’s desired security outcomes. When developing your target profile, consider the following:
- Baseline controls, for example:
- FISMA Baselines
- CIS Top 18
- Section 405(d)
- Compliance
- HIPAA
- PCI
- SOC 2
- HITRUST
- Contractual requirements
- Other third-party expectations and guidance
- Customer expectations
- Sector guidance
- National guidance
- Risk management
- Additional mitigating controls
- Identified gaps in compliance
- Identified gaps in effectiveness
- Define a process to identify, analyze, and prioritize gaps
Your risk management processes should be ongoing at a minimum any time your organization, attack surface, or compliance mandates change. Be sure to routinely seek out gaps in your program, analyze the potential impact-especially on your most important services and ePHI-and prioritize remediating those gaps.
- Create an action plan
Your action plan should include all the prioritized steps you need to take to manage cyber risk, close gaps, meet your compliance requirements, and facilitate achieving your organization’s strategic goals.
- Have a plan to exercise and test your program
Your IT security program will strengthen when you routinely test and exercise it. It also creates an opportunity to build unity between your people, technologies, processes, and plans. Consider strengthening your program by conducting the following:
- Tabletop exercises
- Phishing assessments
- BCP/Disaster response exercises
- Red/blue/purple teaming to test defenses and safeguards
Need help with building your IT security program? Take a look at some of these additional resources or reach out to a Clearwater Advisor for help.