Risk Assessments Are About More Than Compliance

The healthcare sector is increasingly a target for cybercriminals, and with a wealth of valuable information and inconsistent security procedures it’s easy to see why it’s such an enticing target. In this environment of ever-increasing risk, it’s critical that healthcare organizations and their business partners implement information security management practices that go far beyond a narrow focus on HIPAA compliance.
One of the biggest mistakes many healthcare entities continue to make in protecting patient information from cybercrime is taking a compliance-centric approach to information security. Healthcare providers and others face a constantly changing threat landscape that requires shifting the focus from mere compliance to active risk management. That risk management needs to encompass every aspect of a provider’s business, including any risk associated with vendors or other third parties. The enormous breach that Target suffered was possible because the attackers used one of Target’s vendors as an entry point. Given the large number of third parties that have access to PHI and other sensitive information, it’s easy to see why the healthcare industry needs to take a holistic view of its risk profile. Unless your information security programs and protocols account for third-party risk, you’re setting yourself up for potentially devastating breaches.
A second mistake many healthcare organizations and their business partners make when it comes to effective risk management is not involving the right people in the risk assessment process from the outset. Risk management needs to involve decision makers from a variety of departments in order to build a more holistic view of the threats and vulnerabilities the organization faces. If you don’t have the right people at the table from the beginning, the assessment is not set up for success; at best, it’s set up for partial success.
Moving forward, it’s important to ensure organizational vigilance. Being prepared to defend against cybercrime will become more challenging in 2015 as hacking attacks become more common and more sophisticated. When it comes to patient information, it’s important to remember that Social Security numbers are the single most valuable piece of data hackers are after, but something as simple as names, addresses, and phone numbers can also be used by criminals, as a recent breach at J.P. Morgan Chase demonstrated.
If you’d like to find out more about how a Facilitated Risk Assessment can help keep your organization safe, call ITPAC today.