How to conduct an effective IT risk assessment for your healthcare organization

When most of us think about cybersecurity, we tend to think of major financial institutions employing top-notch security systems. However, there's another industry in desperate need of a comprehensive IT security program, and that's healthcare. In the past few years, the healthcare sector has seen a giant leap in the advancement of medical technology. In 2019, 60 percent of healthcare organizations globally introduced IoT devices at their facilities. But with new technologies come new security threats to combat.

Healthcare organizations need to revamp their IT security plans and evaluate the threats their systems face. No one can mitigate every cyberthreat there is, but understanding the weaknesses that exist in a system helps organizations prevent the majority of attacks and recover from the ones that inevitably get through (think zero-day attacks).

Create an inventory of all your assets

A 2019 survey estimates that data loss will cost healthcare companies $6 trillion in the next three years. With that many zeroes on the line, you can't afford to be cavalier about the data you have stored. 

You need to ask yourself, "What data does my organization use every day?" The first answer is likely the patient health records that doctors refer to on a daily basis. A loss or breach of these records could bring operations to a screeching halt, could result in tampering that harms patients, and would be a major violation of industry standards and regulations like HIPAA. Healthcare organizations also need to account for any Internet of Medical Things (IoMT) devices on the network, since these can provide a gateway for attackers looking to compromise the network. After gaining access, attackers can wreak havoc by tampering with medical devices, for example by adjusting the dosage of drugs being administered to patients.

Regardless of the size of the organization, it's important to make an inventory of the assets whose loss or compromise could disrupt your operations and cause a loss of business. In a large organization, each department has its own assets it deems crucial to operations, so it's wise to assign people from each department to work out the risks they face. More details about the steps your organization can take are provided in the "Quantify the risk involved" section below.

Do the math to see how your business will be affected

Now that you've taken inventory of the assets in your organization, you need to do some math. Estimate the damage your business will incur if each asset is compromised. Whether it's your patient records or the devices on your network, you'll have to estimate the total losses you'd suffer and how much you'd have to spend on damage control. For example, if your electronic health records (EHR) are breached, you may be forced to stop treating patients until you can restore them. You'll likely also face hefty fines if your organization is found to have violated industry regulations.

Analyze what situations pose a threat

Explore every avenue through which your business could be affected. Threats take many disguises, and might result from natural disasters, power failures, or malicious attacks such as distributed denial-of-service (DDoS) attacks on your servers.

Figuring out all the potential threats takes a bit of imagination. For example, critical servers stored in the basement of your building could be at risk if your area is prone to floods. This is where paying close attention to HIPAA's requirements on contingency planning will help: the HIPAA Security Rule requires covered entities to maintain a data backup plan and a disaster recovery plan so that exact, retrievable copies of electronic protected health information can be restored. HIPAA does not prescribe a specific backup layout; the widely used "3-2-1" practice of keeping at least three copies of your data on two different media, with at least one copy offsite, is a common way to satisfy it.

Organizations also face insider threats; employees with access to critical resources could leak or tamper with data.

Look for possible vulnerabilities

Every organization has its own vulnerabilities to tackle, and identifying them gives you a good idea of just how at risk your organization is. Old medical equipment and network systems are vulnerable to intrusions. Untrained staff who could unintentionally compromise your systems are also a major vulnerability. Just look at what happened at Montpellier University Medical Centre, where an employee opened an email that spread a virus through the network, infecting over 600 computers.

Quantify the risk involved

To estimate the risks your business faces, assign a risk value to each asset you have in your inventory using this formula:

Risk = Threat x Vulnerability x Business impact

Assign a value of "High," "Medium," or "Low" to the threat, vulnerability, and business impact of each asset in case of a breach. The product is a ranking aid rather than a measurement, so agree on what each rating means before analysts start scoring. This way, you'll be able to determine which assets you need to prioritize your security strategy around.

For example, take a look at the table below:

Since EHRs are one of your most important assets, the business impact and overall risk will both be high. Another asset, like a portable glucose meter, supplies medical professionals with a narrower set of information, since it pertains to a specific condition, so it might be weighted differently from an EHR that provides comprehensive data about a variety of health factors. Both ratings rely on the experience and judgment of the IT security analyst assigning the "High," "Medium," or "Low" values as they apply to the individual healthcare organization.
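The scoring above can be turned into a small risk register that an assessment team can keep in version control. The following is an added example, not code from the original post or from any vendor product: it maps the "High," "Medium," and "Low" ratings onto an ordinal scale, applies the Risk = Threat x Vulnerability x Business impact formula to a constructed asset inventory, rejects ratings outside the agreed scale, and ranks the assets so the ones to address first surface at the top. The asset names, owners, and ratings are illustrative assumptions, not data from any real organization.

```python
"""Qualitative risk register: Risk = Threat x Vulnerability x Business impact.

Added example, not part of the original blog post. Every asset, owner and
rating below is a constructed assumption for illustration only.
"""
from dataclasses import dataclass

# Ordinal scale for the qualitative ratings used in the text. Multiplying
# ordinals is a prioritization heuristic, not a measurement, so the scale is
# kept small and explicit so that analysts rate consistently.
RATING = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # department accountable for the asset (assumed)
    threat: str          # likelihood of an attempt or event: Low/Medium/High
    vulnerability: str   # how exposed the asset is if an attempt is made
    impact: str          # business impact if the asset is compromised

    def __post_init__(self):
        # Fail fast on ratings outside the agreed scale (e.g. "Critical"),
        # rather than silently producing a score of zero or crashing later.
        for rating in (self.threat, self.vulnerability, self.impact):
            if rating not in RATING:
                raise ValueError(f"rating must be one of {list(RATING)}, got {rating!r}")

    def risk_score(self) -> int:
        """Risk = Threat x Vulnerability x Business impact, on a 1..27 scale."""
        return RATING[self.threat] * RATING[self.vulnerability] * RATING[self.impact]


def risk_level(score: int) -> str:
    """Map a 1..27 product back onto the High/Medium/Low scale.

    Possible products are 1, 2, 3, 4, 6, 8, 9, 12, 18 and 27; the cut-offs
    below are an assumed convention that an organization should set for itself.
    """
    if score >= 18:      # High x High x Medium (18) or High x High x High (27)
        return "High"
    if score >= 6:       # anything from Low x Medium x High (6) up to 12
        return "Medium"
    return "Low"


def prioritize(assets):
    """Highest risk first; ties broken by business impact, then by name."""
    return sorted(assets, key=lambda a: (-a.risk_score(), -RATING[a.impact], a.name))


def risk_register(assets):
    """Build the ranked register rows the assessment team will review."""
    return [
        {"asset": a.name, "owner": a.owner, "score": a.risk_score(),
         "level": risk_level(a.risk_score())}
        for a in prioritize(assets)
    ]


# Constructed sample inventory (assumptions, not real data).
SAMPLE_INVENTORY = [
    Asset("Electronic health records (EHR)", "Clinical IT", "High", "Medium", "High"),
    Asset("Portable glucose meter", "Endocrinology", "Medium", "High", "Medium"),
    Asset("Legacy infusion pump (unpatched firmware)", "Biomedical engineering",
          "Medium", "High", "High"),
    Asset("Basement file server (flood-prone)", "Facilities", "Low", "High", "Medium"),
    Asset("Visitor Wi-Fi portal", "Network operations", "High", "Low", "Low"),
]


if __name__ == "__main__":
    for row in risk_register(SAMPLE_INVENTORY):
        print(f"{row['score']:>2}  {row['level']:<6}  {row['asset']}  ({row['owner']})")
```

Running the script lists the EHR and the unpatched infusion pump first (both score 18), then the glucose meter, the basement file server, and the visitor Wi-Fi portal. Note how the pump, which the text would not call the "most important" asset, ranks alongside the EHR because its exposure and patient-safety impact are both high; that is exactly the kind of result the formula is meant to surface.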

Understand your risk appetite

After risk analysis, you've got to answer the big question: just how much risk are you willing to accept? Sometimes the cost of mitigating a risk exceeds the loss it would cause, and accepting that risk is the sensible decision. It's best to focus on addressing the biggest risks to business-critical resources first so that your business can continue to function.

On top of this, risk evaluation of your healthcare facility is not a one-time exercise. It's a constantly evolving process that requires ongoing attention. Understanding the risks your organization faces gets you started with risk assessment, after which you can customize the process to suit your business needs.


© 2019 Zoho Corporation Pvt. Ltd. All rights reserved.