Healthcare Information Security Risk Management – What should I worry about…and Why?
- Jeffrey Camiel, Principal Consultant
- Jan 12, 2023
- 3 min read

Healthcare has one of the highest attacker risk profiles of any industry, if not the highest, because of the volume of PHI it maintains and the impact when lifesaving medical systems are disrupted. The high financial rewards from selling patient data, holding PHI hostage through ransomware, or threatening to crash medical systems make healthcare a favorite target for attackers, both internal and external. Information security risk management (ISRM) can be a daunting task to initiate and then maintain in the intensely data-driven and continuously changing technology architectures of healthcare environments.
Simplified, risk management begins with the question, “What should I be worrying about and why?” The key to answering it is the ability to monitor for unacceptably high risk created by the information security threats and vulnerabilities inherent in healthcare organizations, from both external and internal sources. With growing asset inventories, more lifesaving devices connected to the internal network and to cloud infrastructure, increased use of telemedicine, and critical reliance on third-party services, monitoring risk across most organizations (or multi-organization systems), especially those in the beginning stages of ISRM, is an extremely large task. And as with all organizations, resources are finite.
Most healthcare organizations accelerate the process of answering the ISRM question by prioritizing which internal operations, technology, and third-party services to monitor. The prioritization starts with a top-down approach using the following five organizational inherent risk categories: Patient Safety, Financial, Reputational, Operational (including technology), and Compliance. An initial impact assessment is performed against high-level operations, large information systems, and service providers to build risk profiles. The impact assessment is mapped to the above risk categories and scored. The operations, information systems, and service providers that score highest in each risk category are the first to be risk-profiled and monitored. What is monitored is based on the risk profile. For IT procedures, documentation, education, and proper execution are monitored. For technology, access management, configuration, change management, vulnerability management, and similar controls are monitored.
By monitoring changes in the risk profiles, management can answer the question, “What should I be worrying about and why?” The process is iterative until the organization has covered most of its operations, information systems, and service providers.
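The following is an added worked example of the top-down prioritization described above; it is illustration written for this page, not Core Insights' method or tooling. It assumes a 1-5 impact score per category, a small constructed inventory of operations, systems and service providers, and a simple rule that the top two scorers in each category form the first monitoring wave. The monitoring controls returned for each asset kind follow the text (procedures: documentation, education, execution; technology and providers: access, configuration, change and vulnerability management), and a change detector flags categories whose score moved between two assessments.

```python
"""Added example: scoring and prioritizing assets across the five inherent
risk categories. Scale, weights, inventory and thresholds are assumptions
constructed for this illustration, not a real assessment."""
from dataclasses import dataclass

CATEGORIES = ("Patient Safety", "Financial", "Reputational", "Operational", "Compliance")

# What to monitor once an asset is in scope, by asset kind (from the text).
MONITORING_CONTROLS = {
    "operation": ["documentation", "education", "proper execution"],
    "system": ["access management", "configuration", "change management", "vulnerability management"],
    "service provider": ["access management", "configuration", "change management", "vulnerability management"],
}


@dataclass
class Asset:
    name: str
    kind: str          # "operation", "system" or "service provider"
    impact: dict       # category -> impact score 1..5 (assumed scale)


def validate(asset: Asset) -> None:
    """Reject missing categories or scores outside the assumed 1-5 scale."""
    if asset.kind not in MONITORING_CONTROLS:
        raise ValueError(f"{asset.name}: unknown kind {asset.kind!r}")
    for cat in CATEGORIES:
        score = asset.impact.get(cat)
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{asset.name}: {cat} must be an int 1-5, got {score!r}")


def top_per_category(assets, n=2):
    """Names of the n highest-impact assets in each category.
    Ties break on name so the output is deterministic and auditable."""
    for a in assets:
        validate(a)
    leaders = {}
    for cat in CATEGORIES:
        ranked = sorted(assets, key=lambda a: (-a.impact[cat], a.name))
        leaders[cat] = [a.name for a in ranked[:n]]
    return leaders


def first_wave(assets, n=2):
    """Initial monitoring queue: the union of per-category leaders, ordered by
    how many categories each leads, then by total impact, then by name."""
    counts = {}
    for names in top_per_category(assets, n).values():
        for name in names:
            counts[name] = counts.get(name, 0) + 1
    total = {a.name: sum(a.impact.values()) for a in assets}
    return sorted(counts, key=lambda nm: (-counts[nm], -total[nm], nm))


def monitoring_plan(asset: Asset):
    """Controls to monitor for one in-scope asset, based on its kind."""
    validate(asset)
    return list(MONITORING_CONTROLS[asset.kind])


def risk_profile_changed(old: dict, new: dict, threshold=1):
    """Categories whose score moved by at least `threshold` between two
    assessments, mapped to (old, new). Drives the iterative re-review."""
    return {cat: (old[cat], new[cat]) for cat in CATEGORIES
            if abs(new[cat] - old[cat]) >= threshold}


# Constructed sample inventory (scores are illustrative, not from any real site).
INVENTORY = [
    Asset("EMR platform", "system",
          {"Patient Safety": 5, "Financial": 5, "Reputational": 4, "Operational": 5, "Compliance": 5}),
    Asset("Infusion pump fleet", "system",
          {"Patient Safety": 5, "Financial": 2, "Reputational": 3, "Operational": 4, "Compliance": 3}),
    Asset("Billing clearinghouse", "service provider",
          {"Patient Safety": 1, "Financial": 5, "Reputational": 3, "Operational": 3, "Compliance": 4}),
    Asset("Telehealth vendor", "service provider",
          {"Patient Safety": 3, "Financial": 3, "Reputational": 4, "Operational": 3, "Compliance": 4}),
    Asset("Patient intake procedure", "operation",
          {"Patient Safety": 2, "Financial": 2, "Reputational": 2, "Operational": 2, "Compliance": 3}),
]

if __name__ == "__main__":
    for cat, names in top_per_category(INVENTORY).items():
        print(f"{cat:15s} -> {names}")
    for name in first_wave(INVENTORY):
        asset = next(a for a in INVENTORY if a.name == name)
        print(f"monitor {name}: {monitoring_plan(asset)}")
    reassessed = {**INVENTORY[1].impact, "Operational": 5}
    print("changed:", risk_profile_changed(INVENTORY[1].impact, reassessed))
```

Assets that lead no category (here the intake procedure) are not dropped; they simply wait for a later iteration, and a re-assessment that moves a score is what pulls them forward.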
Most ISRM programs also monitor external information security risks to the organization. Changes in phishing and other technology-related attacks, and changes in regulatory requirements, can demand large resource expenditures, and worse when the risk is identified only after a vulnerability has been weaponized, or right before or after a regulatory deadline. Monitoring examples include tracking applicable new attack techniques, new vulnerabilities, and new regulatory requirements (updates to HIPAA, state and federal privacy laws and statutes, etc.). Where unacceptable risk is identified, real-world recommendations need to be vetted and planned.
To assist healthcare organizations, Core Insights provides Healthcare Information Security Risk Management (HISRM) services:
- HISRM Program Development and Management
- Information Security Risk Assessments
- Resolve Billing Issues with Core Systems Such as EPIC (EMR)
- Identify Revenue Risk (Exposure and Missed Payments)
- Identify Root Causes of Ever-Growing Deferred Revenue and Remediation
- Third-Party Risk Assessments
- External Information Security Risk Monitoring
In summary, we work with CEOs so they can offload the workload and responsibility to Core Insights; we manage the efforts and resources and reduce risk by leveraging their existing staff, contractors, MSSPs, and systems. We also recommend improvement strategies when appropriate.