
How To Improve Your Healthcare Cybersecurity Posture In 2024

Post-COVID cybersecurity has been driven to new heights of threats, costs, awareness, and accountability. With the latest Becker Healthcare press releases regarding breaches, it’s no surprise that cyber-insurance premiums are increasing by 50% or more. Every healthcare organization we speak with has Board-level “cyber” reporting and accountability. 

What can you do to deliberately improve your cybersecurity posture in 2024? Focus on protecting your infrastructure and cloud environments, and on educating your people. How? Here’s a checklist:

1. Complete a Thorough Security Risk Assessment (SRA)

Completing a security risk assessment (SRA) is required per 45 CFR 164.308(a)(1) – the HIPAA Security Rule. The SRA is a federal requirement (CFR = Code of Federal Regulations). It’s also a baseline assessment of the Administrative, Physical and Technical Safeguards that protect PHI.

When completing your SRA, create a risk register of the high, medium, and low risks to PHI. Then, using your risk register, create a compliance remediation plan that accounts for every risk factor uncovered during your SRA. Finally, use your plan to guide the process of compliance remediation.

2. Complete a Black-Box Penetration Test

Complete at least a black-box penetration test of your environment. Use an “ethical hacker” with “Rules of Engagement” to uncover your infrastructure’s vulnerabilities. Then, post-pen test, remediate the discovered vulnerabilities. 

3. Identify Your Organization’s Third-Party Risks

  1. First step: Determine which third-party vendors have access to your environment.  
  2. Second step: Verify all vendors who have access to your organization’s PHI have been identified as Business Associates (BAs) and have signed your Business Associate Agreement (BAA).   
  3. Third step: Demand each BA provide evidence that they have completed a security risk assessment (SRA) per #1 (above). If they’ve signed your BAA and have not completed an SRA, then they are in violation of your BAA.
  4. Fourth step: Parse your third-party vendors into high, medium and low risk. Send high-risk vendors a questionnaire that thoroughly reviews their business practices as they relate to working with your organization.
  5. Fifth step: Send medium- and low-risk vendors a questionnaire that provides the due diligence needed for your organization. The best practice is to use a third-party risk management (TPRM) tool like BluePrint Protect.

4. Consider NIST

Based on your results (from #1-3, above), consider a NIST CSF (Cybersecurity Framework) assessment or a NIST crosswalk-to-SRA assessment.

5. Build an Integrated Risk Management Dashboard

Armed with #1-4 (above), build an integrated risk management (IRM) dashboard. From Board-level to individual contributors, the IRM dashboard gives the organization a unified view of risks – both actionable and accepted risks.

Conclusion 

What’s the next step? Begin. No hesitation. Not, “When we have time”. The Bad Guys are trying to break in and/or wreak havoc on your organization right now. Best first step? Call Intraprise Health. From SRA to TPRM and IRM, as HITRUST Assessors, Intraprise Health has seen hundreds of situations just like yours. 

Improve your cybersecurity posture with fully automated, centralized software. Learn more about ensuring full HIPAA compliance by getting in touch with the HIPAA experts at Intraprise Health.

About the Author

Scott Mattila

CSO, Intraprise Health
Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.