A Holistic Approach to Cyber Risk Management

How Comprehensive System Management Can Help Healthcare Organizations Better Manage Security and Compliance Beyond the EHR

Healthcare organizations have an ever-growing list of risks that can impact their ability to protect their data’s confidentiality, availability, and integrity. That’s because the modern healthcare enterprise constantly expands with new technologies, services, and devices.

With that comes an ever-evolving threat landscape, making it difficult for many organizations to keep up.

A firewall or air gap is no longer enough to protect an asset, system, or network. And effective, compliant cyber risk management is no longer just about implementing and protecting the electronic health records (EHR) system.

Modern cyber risk management now encompasses on-premises and transient assets, all used by an increasingly sophisticated mobile workforce and patients on the go.

These realities create new challenges for those tasked with ensuring HIPAA security and privacy compliance for protected health information (PHI) and other sensitive data.

So, how do you keep up? How does your organization ensure you get the clearest and most extensive visibility into your cyber risk landscape?

Rethinking Cyber Risk Management

To succeed in this complex compliance-driven industry, healthcare organizations should rethink cyber risk management and how it functions in on-site and remote patient care and services.

Today’s cyber risk management should adopt a more holistic approach to comprehensive system management that moves beyond the EHR into all aspects of daily operations, some of which remain on-site while others scale in the cloud.

That can be challenging for even the best teams to manage and even more difficult for smaller organizations where access to skilled professionals, risk landscape intelligence, and financial resources can be hard to come by.

It’s further complicated in mid-size to larger healthcare organizations, where technologies, software, and applications can vary from location to location and sometimes from department to department.

Some security professionals find it difficult, if not near impossible, to build an accurate, up-to-date asset inventory and track where each is used, how, and by whom.

But without this critical insight, your team can quickly return to siloed risk management practices that focus on the known, leaving security gaps with the unknown.

KPMG International recently asked a group of CEOs how risks and business-as-usual have changed in our post-pandemic world. Surprisingly, even though we’re seeing increased cyber breaches exposing record numbers of records, only 58% of those surveyed said they’re prepared to deal with a cyber-attack. Yet about 75% recognize how critical a strong cyber strategy is for their organizations, especially in establishing trust with key stakeholders.

So far this year, the Office For Civil Rights (OCR) reports it’s launched investigations into about 275 healthcare breaches where each breach affects 500 or more patient records.

Don’t Forget Your Supply Chain

Adding even more challenges to the mix is the growing number of downstream supply chain risks that healthcare organizations face as their vendor lists grow, especially in new applications or devices that streamline patient care.

In a recent conversation with Owensboro Health CISO, Jackie Mattingly, Mattingly spoke about the challenges in keeping up with vendors, systems, and programs brought into the organization by various departments.

“Most of these major EHR systems have a pretty good grip on security for their systems. We use Epic and they have things pretty well buckled up,” Mattingly said. “They’ll actually notify us if they detect an incident but it’s the many other ancillary systems we use that pose a greater threat. You really have to assess risk across the enterprise.”

Further, about 79% of the KPMG respondents said that protecting their “partner ecosystem and supply chain is just as important as building our own organization’s cyber defenses.”

But until recently, some security teams weren’t looking deep enough into their supply chain’s security practices, leaving them at risk of PHI exposures, ransomware attacks, and other cyber incidents.

A recently released Cyber Readiness Report found that some 74% of healthcare organizations haven’t yet implemented comprehensive software supply chain risk management policies. And that’s amid a time of increasing cyber risk and a presidential order that’s gone out to critical infrastructure sectors, moving them toward better measures to ensure stronger cybersecurity practices.

The report noted that more than 90% of respondents said they struggle to measure and implement software supply chain risk management policies in healthcare. That should be alarming considering the number of successful healthcare breaches we’ve seen recently.

The largest breach under OCR investigation so far this year is a breach from Shields Health Care Group, Inc. that potentially exposed records affecting some 2 million individuals. The breach happened in March, and the attacker may have been within Shields’ systems for about two weeks before detection. The breach likely exposed sensitive information such as patient names, Social Security numbers, medical and insurance information, addresses, etc.

That single breach may have affected 50 healthcare facilities that work with Shields.

Legacy Data Needs Protection, Too

Protected patient data like that potentially exposed in the Shields attack is often a lucrative venture for threat actors but also causes significant, time-consuming, expensive hassles for the healthcare organizations they strike.

And while forward-looking security teams are trying to keep pace with healthcare innovation-like the move to the cloud-it’s important to remember that your legacy healthcare data may also be at risk.

Late last year, a healthcare organization in Canada discovered a breach that could have affected data dating back to 1996. Although its EHR appears unscathed, the breach likely affected about 13 different but overlapping data categories, such as medical and other information, and impacted others, such as an affiliated nonprofit that purchases IT services and file storage from the core agency.

In a recent interview with Healthcare Info Security, Clearwater’s vice president of consulting services, Cathie Brown, said that the age and volume of data involved in the attack have “shock value.”

“Until healthcare entities look beyond current production systems and understand all locations [where patient data] is stored, maintained, processed or transmitted within their organizations-and apply appropriate security controls across the board-it is not surprising breaches of this magnitude happen,” she explained.

Building A Holistic Risk Management Program

These stats demonstrate why taking a more holistic, whole system approach to cyber risk management has never been more critical for healthcare organizations.

Unsure of where to begin? Consider:

  • Consider working with a consulting group or risk management specialist if your team has limited staff and resources, especially as your enterprise expands. These professionals can step in where you have gaps, empowering your existing teams to uncover all your risks, no matter how rapidly your environment changes. And a consultant can help you understand where those risks fall within your organization’s risk threshold and help you prioritize risks so you know which ones to focus on remediating first and how to do it fast and effectively.
  • Adopt security controls across all of your assets and data sources. Be sure to account for the legacy data you may have in storage somewhere. It needs protection, too.
  • Employ identity and access management processes that limit authorized access to patient data to the amounts needed for an employee to meet role requirements, and segment your network as appropriate.
  • Use a risk management software solution that empowers you with ongoing risk assessment and risk management capabilities so you always know where your risks are and how to address them.
  • Work with a risk management professional to develop a comprehensive risk management program for your organization, including seeking out program weaknesses and making plans to mature it over time.

Need help with maturing your existing risk management program into one that’s more holistic with a whole-systems approach? Contact a Clearwater consultant today or request a live demo of IRM|Pro, so you can see how it can help you identify your organization’s risks and resolve them fast and effectively.


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us