5 Essential Steps to Create a Formalized Healthcare Cybersecurity Risk Remediation Plan

Cybersecurity remediation management could be summed up in a single phrase: clarity is power.  

With clear instructions and a deep understanding of the goals, risks can be addressed and resolved quickly and effectively; without them, budgets overrun, teams miscommunicate, and the entire process can last months longer than necessary. 

That is why a formal plan is essential to any effective remediation process – and this article explains exactly what is required to create and enact one. 

Expect to learn: 

  • Best methods to assess your cybersecurity vulnerabilities 
  • Factors that every robust cyber risk remediation plan includes 
  • Secrets to ensure your remediation plan is implemented effectively 

Why Do You Need a Formal Remediation Plan? 

Cybersecurity remediation is complex, time-consuming and expensive – even when it is done smoothly. With multiple stakeholders involved and numerous complicated vulnerabilities to address, an informal plan (which is often little more than a set of verbal agreements) rarely provides the rigor required to guide this process.  

Instead, a formal remediation plan anchors the process and allows you to: 

  • Share knowledge: A documented plan ensures everybody is on the same page. There is an objective point of reference that individuals can use through the process to remember what is required of them. 
  • Refine processes: The process of creating a formal remediation plan forces you to think more carefully about the process, evaluate your options and refine your approach strategically. 
  • Save time: A formal plan can be much more easily revised and reused. A small investment of effort now makes all subsequent remediation processes (and there will be more in the future!) much smoother. 

3 Steps to Take Before Creating a Remediation Plan 

1. Risk Identification 

A remediation plan needs to be specific – which means you must know the precise vulnerabilities and risks it will address. The risk identification process should: 

  • Utilize multiple methods, such as vulnerability assessments, penetration testing, threat intelligence, and analysis and compliance audits. This is crucial to avoid missing blind spots and gain a comprehensive overview of your organization’s risk.  
  • Involve all relevant stakeholders, such as department heads and managers across IT. Pooling insights from these people will help shed light on the specific challenges you face and how cultural or human factors impact your overall vulnerability to cyber threats. Many of these stakeholders will not be involved in cybersecurity on a daily basis, meaning this is a rare opportunity to loop them in and gain buy-in. 
  • Map your risks with a detailed understanding not just of what the risks are but also which areas of the organizations they affect. This will help you produce a more efficient remediation plan and allocate responsibility and budget more effectively.

2. Risk Assessment 

The next step is to evaluate each risk you identified across multiple factors, such as likelihood of occurrence, potential impact, and what existing controls are in place to prevent them. A comprehensive framework helps structure this process and ensures you assess all relevant risks.  Consider using any of the following frameworks: 

  • NIST SP 800-30 | A comprehensive framework used by more than 30% of US organizations, NIST provides a standardized approach to risk and privacy assessments. However, many healthcare organizations find it challenging to implement and require technology to support its implementation. 
  • ISO 27005 | Another widely trusted framework used across multiple countries to assess information security.  
  • FAIR | A model to quantify cybersecurity risk and translate it into expected financial impact.

3. Risk Prioritization 

Your final step is to determine where remediation efforts are most urgently needed and where they will produce the greatest benefit to your organization. Consider the following questions: 

  • Which vulnerabilities pose the most immediate risk? 
  • Which vulnerabilities pose the greatest financial risk? 
  • Which vulnerabilities are most complex and/or expensive to remediate? 

Of course, this is not a purely objective exercise. Your role when creating a remediation plan is, in part, to make informed value judgements and decide how to best align remediation with your organization’s overarching goals. Risk prioritization should, therefore, consider patient safety, organizational reputation, and financial factors to minimize potential harm in the short and long term.  

5 Factors Every Remediation Plan Should Include 

1. Roles and Reports 

Your remediation plan should clearly define: 

  • Individual responsibilities: Exactly who is responsible for which tasks?  
  • Project manager roles: Who reports to whom?  
  • Decision-making processes: How are decisions made? Who is involved? Who has the final say on each choice? 

All of this should be put in writing to avoid ambiguity or miscommunication. This will also allow personnel to reference the document if they are unsure about the processes or their specific responsibilities. 

2. Measurements and KPIs 

Establish exactly how the performance of each task and stakeholder will be assessed to ensure accountability. This is essential because these metrics will shape how individuals approach their roles. Confirm that your metrics are: 

  • Aligned with your overarching strategic goals 
  • Clear and (wherever possible) quantifiable 
  • Understood by all parties to ensure uniform measurement  

3. Timelines and Deadlines 

Set clear milestones and delivery dates for each task. These should be: 

  • Based on reasonable expectations with clear benchmarks and aligned with the agreed-upon prioritization 
  • Clearly communicated to the affected party to ensure you gain buy-in 
  • Adjustable depending on circumstances as remediation rarely runs exactly according to plan

4. Resource Allocation 

Given the challenges most healthcare leaders face in securing a reasonable remediation budget, it’s important to provide full financial transparency and carefully plan how your resources will be used. Produce a budget plan that addresses the following: 

  • How much each task or phase of remediation will cost 
  • What the expected return will be, based on the potential cost of a cybersecurity attack 
  • When and how you will assess the overall financial efficiency of the remediation process 

This will help you gain buy-in from finance and accurately report on the financial success of the process – which will be essential when you next need to attain a budget for remediation. 

5. Tools and Techniques 

Too often, remediation is undertaken on an ad-hoc basis, where tools or frameworks are sourced at the point of use. Instead, your plan should specify exactly which tools and techniques will be used. While techniques such as the ADKAR model can be found through online content, the process of selecting tools involves multiple steps: 

First, you need to gain a clear view of the market: research vendors and consider publishing a Request for Proposal (RFP) to understand what’s available. Note the various pros and cons of each solution, with a clear eye on how they fit your budget. 

Next, discuss possible solutions with key stakeholders: ask how they would envision using the tool and what potential roadblocks they foresee. Not only will this provide insight into the tools themselves – it will help you understand what your stakeholders really want from their tools. 

Finally, draft a shortlist and select the vendors that best suit your needs: consider how the tools will integrate into your existing workflows, whether they use cutting-edge technology and how they will support and make it easier to complete future remediation projects. 

Ultimately, this process will help you: 

  • Budget for software which can vary widely in both up-front and recurring cost 
  • Increase usage by verifying that stakeholders understand and value the tools you’ve selected 
  • Ensure you have the best solutions and aren’t leaving money on the table 


3 Steps to Take After the Remediation Plan 

A robust plan is not always enough in itself to drive a successful remediation process. Instead, healthcare leaders must ensure that they: 

1. Communicate the Plan 

The success of any remediation process hinges on two factors:  

  1. How well you manage culture change 
  2. Whether you gain executive buy-in 

Once you have a remediation plan, it is, therefore, essential to communicate it – and the reasoning behind it – throughout the organization. However, you cannot just share the plan; you need to tailor your message to each audience to provide the right level of detail. 

Executives don’t need to hear about the small details; middle management doesn’t need to know about the intricacies of your budgeting plan. Determine which aspects of the plan are relevant to each group and make a compelling case as to why they will personally benefit from following your plan. 

2. Make Notes in Real-Time 

Remediation rarely goes exactly according to plan, and there are many valuable insights to be gleaned from disruptions, delays, and unexpected challenges. However, many leaders forget these insights after the fact – which is why we suggest making notes during the remediation process.  

Keeping a daily log of how each task goes can be invaluable for future reference. Cybersecurity is not a “one-and-done” process: you will unquestionably need to review and reuse elements of your plan in the future. But if you take notes, your next remediation plan can make use of these insights and adapt to reduce friction and improve the overall efficiency and effectiveness of the process. 

3. Reassess Priorities 

Most remediations are large undertakings involving multiple individuals or teams – which means they often last several weeks or months. From new regulations to novel threats, the landscape can change a lot during the process, and you need to have a process in place to reassess priorities and adapt your plan to reflect those changes. 

Assign a team (or individual) to monitor the evolving threat landscape, providing regular updates to the plan. This can be extremely challenging in practice, as most organizations struggle to allocate enough resources to their remediation in the first place – let alone adding new roles and responsibilities to the mix.  

The right software can make this a far lighter lift. With unique products to automate repetitive roles and provide targeted guidance during everything from NIST assessments to remediation itself, Intraprise Health’s suite of healthcare compliance and cybersecurity tools can accelerate your remediation and free your teams to focus on strategic tasks. 

Want to see why more than 64,000 healthcare providers trust our products and services? 

Book a demo.

About the Author
Avatar photo

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.