Executive Guide: Healthcare Risk Management 101

The healthcare industry is undergoing a cybersecurity reckoning – and executives are finally taking proactive steps to tackle the evolving and looming threat of cybercrime. 

The average healthcare organization has increased cybersecurity headcount by 30% since 2019, with the security’s share of the IT budget growing from 5% to 7% during the same period. However, most information about risk management is either jargon-laden or disjointed – making it hard for CSOs and CISOs to gain a clear picture of the landscape.  

This comprehensive guide solves that problem and offers a single source to help executives take a more active role in the safety of their organization’s patients, reputation, and bottom line 

Expect to learn: 

  • Which cyberattack method has nearly doubled since 2022 
  • Why third-party vendors may be your organization’s cybersecurity Achilles heel 
  • What leading healthcare organizations are doing to simplify and improve risk management 

An Overview of Healthcare Risk Management 

What is Risk Management in Healthcare? 

Cybersecurity risk management is a set of processes designed to uncover and either mitigate or eliminate vulnerabilities that pose a threat to an organization. What does this mean in practice? The best way to explain is to explore what these “threats” actually are. 

While healthcare cybersecurity threats are multiple and ever-evolving, some of the most common attacks include: 

  • Hacking: Attackers infiltrate the system to steal protected health information (PHI), which is then sold on black markets. Studies found that 21% of healthcare data breaches are the result of hacking 
  • Phishing attacks: Criminals send fake emails or make false phone calls to employees and trick them into sharing protected health information (PHI) or downloading ransomware. Around 18% of PHI breaches originate with a phishing attack 
  • Ransomware: Malicious software infects and blocks the IT systems until a ransom is paid. The number of ransomware attacks on healthcare organizations nearly doubled between 2022-23 

The essential point is this: each of these attacks relies on a weakness in the organization’s security. An employee must fall for a phishing attack; ransomware must make it past the cybersecurity defenses.  

These weaknesses all represent “risks” to the organization – and it is these weaknesses that risk management programs seek to understand, manage and proactively eliminate. 

Why is Risk Management in Healthcare Important? 

The fundamental reason risk management matters to healthcare executives is the wide-ranging harm caused by cybersecurity attacks. This includes: 

  • Delays to patient care: Cybersecurity breaches can cause IT system outages and lead to lost or compromised patient data. This has a cascading effect, as appointments are delayed or extended, often creating backlogs and ultimately delaying patient care 
  • Increases in patient mortality: From 2016 to 2021, ransomware attacks alone were estimated to have caused between 42 and 67 extra Medicare patient deaths. A more recent study found that 20-30% of healthcare orgs that experienced cyberattacks reported higher mortality as a result of delays in providing urgent care 
  • Regulatory fines: Security breaches lead to steep fines. While the number will vary depending on the size of the organization and the nature of the offense, recent HIPAA violations have led to over $5 million in settlements for some providers 
  • Financial harm: Beyond non-compliance fines, there are a range of other costs associated with cyberattacks – from multi-million-dollar ransoms to lawsuits from patients whose personal data or care has been compromised 
  • Reputational impact: The fallout from a cybersecurity breach can permanently scar the public perception of a healthcare entity. This loss of trust means: 
  • Patients are more likely to change providers 
  • It is harder to attract new patients 
  • Employees may even choose to seek work elsewhere 

However, risk management is particularly important today because healthcare orgs have consistently under-estimated these dangers – and under-funded efforts to stamp them out. Our recent study found that just 40% of healthcare CIOs and CSIOs believe their cybersecurity programs have the right level of funding. 

This must change fast: the recent Change Healthcare scandal – and the new regulations it has led to – has made the risks healthcare organizations face impossible to ignore. The problem is most organizations have been slow to wake up to threats, making it difficult to access the budget and tools they need. 

Fortunately, the tools are finally available to deliver a comprehensive and truly effective approach to cybersecurity – the job is now to convince the CEO and CFO that this is an urgent issue. 

The Evolving Role of Executives in Healthcare Risk Management 

While the primary responsibility for breaches falls on CISOs, there is a growing movement towards holding other executives accountable – even if they’re not directly involved. As Deloitte recently said: 

“Simply ‘Being Aware’ of cyber risks is not enough for the Board in this ‘New Normal’, which is why they need to understand the criticality of each breach and the steps being taken to mitigate it.” 

We are already seeing this shift play out: UnitedHealth CEO Andrew Witty was recently grilled by Congress over the decision to pay cybercriminals a $22 million ransom. But this is just the tip of the iceberg, and executives must pre-empt this shift and proactively make themselves accountable for improving cybersecurity – or risk both personal repercussions and the safety of their patients. 

6 Steps to Manage Healthcare Risk 

Most healthcare risk management programs struggle to scale across complex organizations. With budget limitations and a lack of interoperable systems, executives struggle to achieve security coverage across all areas – but following a clear methodology can help solve these problems. 

Here are six steps every risk management program should follow: 

1. Risk Assessments 

A risk assessment is the process of evaluating an existing system to understand the level and specific nature of risk it presents. As Arkansas BlueCross BlueShield CISO Devin Shirley explained in our recent webinar, such assessments should be the first act of any new security leader – because executives need to know how a system works before they can start fixing it. 

There are many forms of specialized risk assessment, including: 

  • Compliance risk assessments which identify ways the system could breach regulations 
  • Third-party risk assessments which evaluate vendors’ cybersecurity posture to determine whether they are likely to cause a breach to the healthcare organization’s system 
  • Framework assessments which evaluate whether existing cybersecurity measures meet the guidelines of a respected cybersecurity framework such as NIST or HITRUST 

Most assessments involve some combination of: 

  • Stakeholder interviews: This could involve directly speaking to stakeholders or simply sending out questionnaires. The point is to gather information to help executives understand how the processes in place to manage specific risks 
  • Preparedness tests: From penetration testing to tabletop exercises, leaders can hire an external team to simulate an attack and assess how their systems respond. This often uncovers hidden vulnerabilities that may not be captured by simply asking delegates about the cybersecurity programs 
  • System analysis: By establishing system requirements and mapping existing cybersecurity systems and protocols, CSOs can gain an understanding of the relative level of risk present in each area of their organization

Watch the Webinar

2. Risk Identification 

Risk identification is the process of pinpointing specific vulnerabilities or gaps within the current security posture. These can fall into several categories, including:  

  • Regulatory risk: Gaps or faults in cybersecurity processes that may lead to non-compliance with HIPAA 
  • Knowledge gaps: Areas where staff are unaware of cybersecurity threats and, therefore, may unknowingly cause a data breach 
  • Cybersecurity gaps: Vulnerabilities in the IT system that can be exploited – from unpatched end-point devices to security issues within remote desktop protocols 
  • Third-party risk: Weaknesses in vendors’ cybersecurity posture that could lead to an attack on the healthcare organization’s system 
  • Operational risk: Flaws or overlooked elements in business continuity or incident response plans that would lead to longer system outages or greater financial damage if an attack occurred 
  • Legal risks: Poorly worded or inadequately managed contracts that leave the organization open to greater financial harm or responsibility in the event of a data breach 

Here is a simple example: the workforce may have strong knowledge of HIPAA requirements for handling patient data but lack awareness of the latest phishing tactics. This lack of awareness represents a concrete risk. Once this is identified, CISOs need to assess the potential harms it could bring about, rank its severity (“risk level”) and weigh how urgently it should be remediated. 

3. Risk Prioritization 

It is unrealistic for most healthcare organizations to address and eliminate every vulnerability within their systems. With budget and time constraints, executives must choose which risks are most severe and prioritize them. 

This process of risk prioritization has multiple dimensions, and executives must consider the following: 

  • The likelihood the vulnerability will lead to an attack 
  • The expected impact of such an attack, including the impact on patient care and the organization’s finances 
  • The projected cost of mitigating or remediating the risk which may be extremely high if brand-new software or even hardware is required 

Balancing these factors is not a perfect science. Instead, leaders must make strategic trade-offs to minimize the overall level of risk their organization and patients face. However, this means they must accept they will always experience some level of risk.  

4. Risk Tolerance 

This brings us to the concept of risk tolerance, which denotes the level of risk the organization is willing to sustain. There are benefits to both ends of the spectrum here: 

  • High-risk tolerance means the organization is willing to accept more risk. Organizations that take this approach have greater flexibility to overlook certain areas of cybersecurity and focus on remediating those that are most vulnerable 
  • Low-risk tolerance means the organization is willing to accept very little risk. This typically requires a higher budget to ensure risk is remediated across all areas of the organization 

Given the dangers explored above, we should expect most healthcare organizations to have a low-risk tolerance. But the reality is most still exhibit high tolerance – in large part because there is still a lack of urgency around remediation. 

5. Risk Remediation 

Risk remediation is the active process of eliminating cybersecurity vulnerabilities. This could involve: 

  • System change: Overhauling processes or IT infrastructure to reduce risk and remove vulnerabilities 
  • Vendor remediation: Either making third-party vendors undergo remediation or, in the most extreme cases, ceasing relations with a vendor to avoid risk exposure 
  • Workforce education: Providing comprehensive cybersecurity training to ensure staff are aware of various cyberattack strategies and know how to handle data in a safe and compliant manner 

These are all highly effective methods to reduce risk, but the reality is full remediation is not always possible.  

6. Risk Mitigation 

In these situations, risk managers focus on risk mitigation, which involves minimizing the likelihood and potential impact of a particular attack. This can take two forms: 

  • New processes: Altering existing or introducing new processes or roles to make the organization better able to respond to cyberattacks. This might involve reinforcing business continuity plans or disaster response protocols to reduce the expected downtime a particular attack might produce – and, therefore, diminish the risk it presents 
  • Improved monitoring: Putting processes in place to ensure executives track the changing risk landscape. Tools play a key role here: with integrated, user-friendly systems that ensure traceability and visibility, CSOs and CISOs can more easily and regularly share data and ensure organization-wide risk awareness 

Third-Party Risk Management: The Biggest Gap in Healthcare Cybersecurity 

Third-party risk has become a growing concern for healthcare CSOs in recent years, with more time and budget focused on remediating vendor risk. However, many organizations still lack the capacity to accurately assess or remediate these risks – which makes vendor risk a huge problem for many executives.  

Why is Third-Party Risk Management So Important for Healthcare Organizations? 

The average healthcare entity uses over 1,300 vendors across its supply chain – and many of these organizations are deeply embedded within the entity’s IT systems. This means a cybercriminal that infiltrates a vendor’s networks could likely also access the healthcare organization’s system, enabling it to introduce malware or ransomware or steal PHI.  

Such an attack would not be the result of a failure of the provider’s cybersecurity, but they would still be legally and financially liable – and this is how 90% of healthcare breaches occur today. All the same, damages occur from third-party breaches – from regulatory fines to patient and reputational harm. But there are a series of problems that make vendor risk even harder to assess, manage and remediate. 

Three Challenges for Third-Party Risk Management 

Despite the clear need for improved security within healthcare supply chains, there are a series of problems that make vendor risk even harder to assess, manage, and remediate: 

1, Scale and Complexity 

Assessing and remediating risk across a large vendor network is time-consuming and complicated. Many security teams still run and document assessments manually within spreadsheets, which makes it virtually impossible to gain clear visibility of the entire network.  

The result? Risk prioritization is difficult, remediation is slow and hidden vulnerabilities easily slip through the cracks.  

2. Communication Challenges 

Third-party risk assessment, identification and remediation all require the active participation of the vendor. Executives are reliant on them to: 

  • Supply accurate, timely information 
  • Undergo assessments and remediation when requested 
  • Keep them updated with changes to their systems and security posture 

But this creates a huge lift for the security team for two reasons:  

  1. It creates a lot of admin work: The sheer volume of communications, especially when they are undertaken via multiple channels, makes it difficult to keep tabs on 
  1. Vendors are not always responsive: A recent survey found that more than a third of healthcare security teams are actively dissatisfied with their ability to receive transparent assurances from vendors about security, and nearly a quarter struggle to get vendors to respond to assessment requests 
  1. Historical Complacency: Many healthcare orgs have overlooked third-party risk management in the past – and are now scrambling to regain visibility and remediate a large volume of serious risks before it’s too late 

This is partly due to a change in the way third-party risk impacts them: providers used to simply sign a contract that committed the vendor to compliance requirements. They could take that to an insurer and be covered. However, healthcare cyber insurance contracts now have clauses in place that make the healthcare organization liable if they fail to fulfill certain obligations (such as having TPRM processes in place) – and that makes third-party vendor risk a major issue that most organizations are yet to address. 

Regardless of the cause, the reality is most healthcare entities today face an uphill battle to get third-party risk under control – and they need specialized tools to do that. 

Checklist

Essential Risk Management Tools in Healthcare: What Every CISO Needs in Their Tech Stack 

Risk managers need data and analytics to effectively pinpoint, contextualize, prioritize and remediate threats to their organization. As a result, a variety of software and tools have become a central part of every effective risk management program – but that presents two problems: 

  1. Manual effort: Executives must avoid overloading their teams with too many tools that require lots of manual effort to navigate. This is a trend seen across industries: a deluge of software leads to wasted spend, siloed data, and staff that don’t know which platforms they are supposed to be using 
  2. Specialization: Specific forms of risk require specialized cybersecurity tools that enable particular kinds of assessments and remediation. These include: 
    • Third-party risk: Streamline and centralize 100s of assessments being run simultaneously across different vendors 
    • Regulatory risk: Assess whether cybersecurity meets compliance requirements and enables easier regulatory reporting 
    • Workforce training: Reduce human error and ensure staff understand cybersecurity best practices and remain compliant 
    • Business analysis: Tools to help quantify and manage the potential costs of cybersecurity attacks and manage financial risk 

Ultimately, these two challenges have led a growing number of orgs to adopt a new approach to risk management. 

Understanding Integrated Risk Management (IRM) in Healthcare 

Most healthcare organizations know they have hidden vulnerabilities but lack the organization-wide visibility to identify, prioritize and remediate such weaknesses. However, new technologies are now allowing forward-thinking executives to overcome these challenges – and adopt an integrated risk management strategy. 

What is Integrated Risk Management? 

Integrated risk management (IRM) is an approach to cybersecurity that unifies all aspects of risk management within a single, centralized platform that provides a consolidated risk register. It is a combination of people, processes, and tools that enable organization-wide visibility, management and remediation – and this solves the most common overarching problem healthcare security teams face. 

Why Integrated Risk Management is So Important 

Most healthcare organizations approach risk in silos. A fragment digital ecosystem means their assessment data is distributed across multiple sources, and this leads to multiple problems: 

  • Poor visibility: Executives lack a clear view of organization-wide risks, which leaves many blind spots within the security system and makes it difficult to measure the trade-offs of risk prioritization 
  • Wasted resources: When executives attempt to improve visibility, they are forced to undertake hours of manual work gathering data, which means they have less time to focus on managing risk 
  • Accountability issues: Security teams are often unclear about which tasks they are responsible for, leading to fragmented remediation efforts that are often left uncompleted 
  • Security sampling: Many organizations attempt to save time and resources during security assessments by sampling a portion of their organization and applying the finding across the rest – creating a lot of room for error, which leaves the organization open to threats and non-compliance 
  • Low urgency: Without a clear view of organization-wide risk, it is harder to make a strong business case for remediation or convince executives of the severity of the threats the organization faces 

IRM solves all these problems, unlocking centralized visibility of every area of risk and making it easier to scale complex risk management programs across the entire organization. The goal is to create a transparent, accountable, and prioritized risk management environment that can keep up with the modern security landscape.  

How Can I Implement an Integrated Risk Management Approach? 

A successful IRM program has three key ingredients: 

  1. Executive buy-in: For most organizations, IRM requires a mindset shift that must predate any actual action; executives must understand and believe in the “why” of the program. This is key to unlock budget and ensure there are no bottlenecks or roadblocks to implementation 
  1. A comprehensive strategy: CSOs need to have clear objectives, a plan for achieving them and an accountable leadership team. For most organizations, IRM requires a mindset shift that must predate any actual action; they must understand and believe in the “why” of the program 
  1. A centralized platform: Every IRM program hinges on finding a platform that can remove data silos and provide a single source of truth for all assessments and mitigation and remediation efforts 

Intraprise Health has built exactly such a platform. BluePrint Protect™ seamlessly integrates tools of HIPAA SRAs and PBRAs, third-party risk management, and NIST assessments in a single place to provide a comprehensive executive view of organization-wide risk.  

The result? Executives can easily identify and prioritize risk, automate repetitive processes, and create a truly unified process for risk management that keeps patients safe, protects their bottom line and ensures executives’ personal reputation are not endangered by hidden vulnerabilities. 

Want to see it in action? 

Contact us

About the Author
Avatar photo

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.