Countless healthcare organizations have been targeted recently by cyber attacks, and many were caught with little to no IT security safeguards in place. The most frustrating thing is that it could have been prevented if proactive security measures had been taken.
The more technology you add to better serve your users and patients, the more vulnerable you become. A great way to ensure that your security program is cost-effective, relevant, compliant and appropriate for the real risks it faces is to complete a healthcare security risk assessment.
HIPAA requires that healthcare organizations analyze their IT security risks.
HIPAA section 164.308(a)(1)(ii)(A)
1.1 Risk Analysis - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity. (REQUIRED)
Conducting a formal security risk analysis involves identifying, analyzing and reducing (to an acceptable level) your organization's risk of data breach.
Like any other organization, a healthcare security risk assessment will produce the following:
- An established method of identifying the organization's assets and their associated risks in terms of events that could occur;
- A detailed estimate of the likelihood and projected impact of specified events; and
- Suggested remediation or countermeasures to prevent or limit the impact of these events.
Begin by identifying your goals.
The four main goals of a risk assessment are:
- Identify assets and the asset values: This involves reviewing and documenting all devices which process, protect and secure the ePHI environment.
- Identify the risks: What happens if there is a failure or breach of a documented asset's security or the security environment?
- Quantify the impact of potential threats: What are the financial implications for each identified risk?
- Define the economic balance between the impact of the risk and the cost to mitigate that risk: Is it going to cost more to eliminate the risk, or should that risk be accepted as a feasible trade-off?
Organizational leaders recognize this process as an important step to managing and getting their hands around a secure environment.
Doing nothing isn't worth the risk.
The latest numbers indicate that the average data breach costs over $3 million. The average risk assessment costs between $15k and $40K, depending on the size of the organization. Is doing nothing worth the risk?
It really is never too late to find out where you stand with a HIPAA IT security risk assessment. Knowledge is the key to finding the security gaps and filling them with the right technology or service.