Since COVID, cybersecurity threats, costs, awareness and accountability have all reached new heights. With the latest Becker's Healthcare reports of breaches, it is no surprise that cyber-insurance premiums are rising by 50% or more. Every healthcare organization we speak with now has Board-level "cyber" reporting and accountability.
What can you do to deliberately improve your cybersecurity posture in 2024? Focus on protecting your infrastructure and cloud environments, and on educating your people. How? Here's a checklist:
1. Complete a Thorough Security Risk Assessment (SRA)
Completing a security risk assessment (SRA) is required by 45 CFR 164.308(a)(1)(ii)(A), the risk analysis standard of the HIPAA Security Rule (CFR is the Code of Federal Regulations, so this is a federal requirement, not a best practice). The SRA is also your baseline assessment of the Administrative, Physical and Technical Safeguards that protect PHI.
When completing your SRA, record every identified risk to PHI in a risk register rated high, medium or low, based on the likelihood of the threat and the impact to PHI if it occurs. Then, using the register, build a remediation plan that accounts for every risk uncovered during the SRA, including risks the organization formally accepts (those need a named owner and a documented reason). Finally, use the plan to drive remediation and to show progress at the next SRA.
2. Complete a Black-Box Penetration Test
Commission at least a black-box penetration test of your environment: an "ethical hacker" with no prior knowledge of or credentials for your systems, working under written Rules of Engagement that define scope, timing, contacts and what is off limits. Keep in mind that a black-box test only finds what an outsider can reach; a gray- or white-box test with credentials and architecture knowledge uncovers more, so treat black-box as the floor, not the ceiling. Post-test, remediate the discovered vulnerabilities and have the tester confirm the fixes.
3. Identify Your Organization’s Third-Party Risks
- First step: Inventory every third-party vendor that has access to your environment (network, systems or data), not only the ones with a contract on file.
- Second step: Verify that every vendor with access to your organization's PHI has been identified as a Business Associate (BA) and has signed your Business Associate Agreement (BAA).
- Third step: Require each BA to provide evidence that it has completed a security risk assessment (SRA) per #1 (above). The Security Rule applies directly to business associates, so a BA that has signed your BAA but has not completed an SRA is out of compliance with HIPAA, and very likely with the terms of your BAA.
- Fourth step: Sort your third-party vendors into high, medium and low risk. Send high-risk vendors a questionnaire that thoroughly reviews their security and business practices as they relate to working with your organization.
- Fifth step: Send medium- and low-risk vendors a lighter questionnaire that provides the due diligence your organization needs. The best practice is to use a third-party risk management (TPRM) tool like BluePrint Protect to track responses, evidence and expiry dates.
4. Consider NIST
Based on your results (from #'s 1-3, above), consider an assessment against the NIST Cybersecurity Framework (CSF), or use the HHS crosswalk that maps NIST CSF subcategories to HIPAA Security Rule requirements so that the CSF assessment and your SRA findings line up instead of becoming two separate lists.
5. Build an Integrated Risk Management Dashboard
Armed with #1-4 (above), build an integrated risk management (IRM) dashboard. From the Board down to individual contributors, the IRM gives the organization a single, unified view of its risks, both the actionable risks on the remediation plan and the risks that have been formally accepted, with owners and status.
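The risk register from step 1, the vendor tiering from step 3 and the dashboard from step 5 all come down to one data structure. The following is an added example, not code from the original post or from Intraprise Health: it scores each risk as likelihood times impact on 1..5 scales (the NIST SP 800-30 style used by many SRA tools), tiers the score with assumed thresholds, turns vendor-review gaps (PHI access with no BAA, BAA with no SRA evidence) into register entries, and separates actionable from accepted risks for the dashboard. The thresholds, vendor rules and sample findings are all constructed for the example.

```python
"""Unified risk register: SRA findings plus third-party (TPRM) review results.

Added example, not code from the original post or from Intraprise Health.
Scoring is the NIST SP 800-30 style likelihood x impact product on 1..5
scales; the tier thresholds, vendor rules and sample data are assumptions
made for this example.
"""
from dataclasses import dataclass

HIGH_MIN = 15    # assumed: a score of 15..25 is high
MEDIUM_MIN = 6   # assumed: 6..14 is medium, 1..5 is low


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe, e.g. large PHI breach)
    source: str             # "SRA" or "TPRM"
    accepted: bool = False  # formally accepted by a risk owner: reported, not scheduled

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def tier(self) -> str:
        if self.score >= HIGH_MIN:
            return "high"
        if self.score >= MEDIUM_MIN:
            return "medium"
        return "low"


@dataclass
class Vendor:
    name: str
    env_access: bool    # can reach your network or systems
    phi_access: bool    # creates, receives, maintains or transmits your PHI
    baa_signed: bool
    sra_evidence: bool  # has provided evidence of a completed SRA


def vendor_tier(v: Vendor) -> str:
    """Questionnaire depth (steps 4 and 5): PHI access -> high, other access -> medium."""
    if v.phi_access:
        return "high"
    if v.env_access:
        return "medium"
    return "low"


def vendor_risks(vendors) -> list:
    """Turn the vendor review (steps 1-3) into register entries.

    A vendor handling PHI without a BAA, or without SRA evidence, is a gap on
    your side as well, so it goes into the register rather than staying in a
    TPRM spreadsheet.  The likelihood/impact values are assumptions.
    """
    out = []
    for v in vendors:
        if v.phi_access and not v.baa_signed:
            out.append(Risk(f"TPRM-{v.name}-BAA", f"{v.name} handles PHI with no BAA", 5, 5, "TPRM"))
        elif v.phi_access and not v.sra_evidence:
            out.append(Risk(f"TPRM-{v.name}-SRA", f"{v.name} signed BAA but has no SRA evidence", 3, 4, "TPRM"))
        elif v.env_access:
            out.append(Risk(f"TPRM-{v.name}-ACCESS", f"{v.name} has environment access; monitor", 2, 3, "TPRM"))
    return out


def build_register(sra_findings, vendors) -> list:
    """Merge both sources and order by score, highest first (ties broken by id)."""
    return sorted(list(sra_findings) + vendor_risks(vendors), key=lambda r: (-r.score, r.rid))


def remediation_plan(register) -> list:
    """Actionable items only, in register order; accepted risks are tracked, not scheduled."""
    return [r for r in register if not r.accepted]


def dashboard_summary(register) -> dict:
    """Counts per tier, split into actionable vs accepted, for the IRM view."""
    summary = {t: {"actionable": 0, "accepted": 0} for t in ("high", "medium", "low")}
    for r in register:
        summary[r.tier]["accepted" if r.accepted else "actionable"] += 1
    return summary


# Constructed sample data for this example.
SAMPLE_FINDINGS = [
    Risk("SRA-1", "No MFA on remote-access VPN", 4, 5, "SRA"),
    Risk("SRA-2", "Backups never restore-tested", 3, 4, "SRA"),
    Risk("SRA-3", "Paper visitor log at clinic entrance", 2, 1, "SRA", accepted=True),
]
SAMPLE_VENDORS = [
    Vendor("BillingCo", env_access=True, phi_access=True, baa_signed=False, sra_evidence=False),
    Vendor("CloudEHR", env_access=True, phi_access=True, baa_signed=True, sra_evidence=False),
    Vendor("HVACVendor", env_access=True, phi_access=False, baa_signed=False, sra_evidence=False),
    Vendor("OfficeSupply", env_access=False, phi_access=False, baa_signed=False, sra_evidence=False),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_FINDINGS, SAMPLE_VENDORS)
    for r in reg:
        print(f"{r.tier:6} {r.score:2} {r.rid:24} {'accepted' if r.accepted else 'open':8} {r.description}")
    print(dashboard_summary(reg))
```

With the sample data the vendor with PHI access and no BAA lands at the top of the register above every internal SRA finding, which is the point of putting vendor gaps into the same register: the remediation plan is ordered by risk to PHI, not by which team found the issue. Accepted risks stay visible in the summary counts but never appear in the plan.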
Conclusion
What’s the next step? Begin. No hesitation. Not, “When we have time”. The Bad Guys are trying to break in and/or wreak havoc on your organization right now. Best first step? Call Intraprise Health. From SRA to TPRM and IRM, as HITRUST Assessors, Intraprise Health has seen hundreds of situations just like yours.
Improve your cybersecurity posture with a fully automated, centralized software platform. Learn more about ensuring full HIPAA compliance by getting in touch with the HIPAA experts at Intraprise Health.