Banner

Blog

Article

Holistic risk analysis is key to protecting your practice from cyberattacks

The volume of cyberattacks on health care facilities should be a resounding wake-up call for all physicians who own their practices.

Jaime Cifuentes: ©Clearwater

Jaime Cifuentes: ©Clearwater

Health care has the unfortunate distinction of being the most targeted industry for cyber attackers — and has the most expensive average cost of a data breach. In 2023, according to IBM’s 2024 Cost of a Data Breach Report, the average cost was just shy of $10 million, a top spot health care has earned in the report since 2011.

Not only are threat actors successfully breaching more organizations and records, but their attack methods are increasingly more sophisticated, now enhanced by artificial intelligence and machine learning. On top of this, unrelenting security issues remain across the industry. Many organizations still don’t prioritize vulnerability management, and they’re not patching for known security issues. When coupled with the human factor — that employees and third-party vendors fall prey to increasingly sophisticated social engineering and phishing schemes — it should be a resounding wake-up call for all physicians who own their practices.

Prioritizing data security and privacy

As we’ve seen with several noteworthy cyberattacks that have occurred in health care this year, just one breach can significantly impact operations, patient care, trust, and service delivery, creating the potential for significant HIPAA-related fines and penalties and even the possibility of criminal and civil actions against your business. Worst yet, one breach can put patient lives at risk.

These issues illustrate health care data vulnerability and why it’s critically important to prioritize data privacy and security for all your electronic patient health information (ePHI).

The most effective way to do this is to meet all HIPAA-required risk analysis standards. With a multi-layered, holistic security approach, physician practices can implement the right technical, physical, and administrative safeguards to keep patient data safe.

The critical role of effective risk analysis

The health care threat landscape is rapidly changing, even compared to just five years ago. Today, health care organizations embrace digital transformation, shifting more data to the cloud and sharing data with others to improve continuity of care.

Physician practices also offer patients mobile access to electronic health records, deliver care via telehealth, and use more advanced medical devices to manage and deliver patient care.

All of these innovations improve service delivery, but also introduce new data security and privacy risks. Many smaller practices don’t have the skilled staff, tools, or resources to track and manage all their assets, understand where and how data is used, what’s most critical to operations, can’t identify all potential security issues, or fix the ones that matter most. These issues create a significant security gap, one that can feel overwhelming, if not impossible, to close.

These gaps also exist in larger practices. While cybersecurity funding and tools may exist, finding and retaining skilled security professionals, especially those knowledgeable about increased cloud security risks, is an ongoing struggle.

Currently, there is a significant global shortage of four million cybersecurity experts. Projections indicate this talent gap could potentially reach 85 million unfilled positions across all industries by 2030. The economic implications of this shortfall are staggering, with an estimated loss of $8.5 trillion in annual revenue created by the lack of skilled workers to fill these roles.

Health care will not be immune to this fallout. Comprehensive risk analysis will be key to overcoming these barriers. Here’s how:

  • Proactively manage risk: Proactive risk identification guides physician-owned practices to implement appropriate and reasonable security controls for mitigation. This can decrease the chance of disruptions, data breaches, and financial losses.
  • Laser-focus resource allocation: Comprehensive risk analyses identify areas of greatest vulnerability, allowing practices to allocate limited resources toward actionable and effective security measures.
  • Ensure compliance: Identifying and addressing unique risks specific to each practice facilitates HIPAA compliance, as well as compliance with other regulations, to avoid potential fines and penalties.
  • Improve patient care and build trust: Protecting patient data through proactive risk management fosters patient trust and confidence.
  • Support business continuity: With holistic risk analysis, practices can effectively align their cyber and business risks. This facilitates increased preparedness for potential disruptions with a better understanding of possible operational resilience impact. With a more structured plan, physician-owned practices can ensure business continuity even when unexpected events like cyberattacks or other security incidents happen.

Don’t forget other stakeholders and vendors

Comprehensive risk analysis should also extend to your supply chain and key stakeholders, like the C-Suite and your board of directors. By incorporating those who access sensitive patient data and key decision-makers into the risk analysis process, your organization can get a more holistic view of your security posture and implement appropriate safeguards to protect your patients and their data.

Your controls are only as good as your people

While risk analysis and management strategies can help you continuously monitor and resolve security issues across your rapidly expanding attack surface, your plans, the tools you use, and the controls you implement are only as effective as the people who access your data.

Your organization can implement effective least-privilege access, multi-factor authentication, and other security measures. Still, if the staff or vendors who access that data fall prey to phishing attempts or other social engineering tactics, those controls rapidly become ineffective.

And while there are best practices every health care organization should consider, the most effective employee training and education programs are those specifically tailored to your organization's size, roles, and focus. This approach can build employee engagement and foster an understanding of risks related to each role. By addressing the unique cybersecurity needs of different roles and in organizational context, a tailored training plan can build a culture of cybersecurity awareness into the heart of your day-to-day operations.

Here are four tips to enhance your internal training programs:

  1. Keep it real: If you’ve had a previous security incident, use it (or real-world incidents in other health care organizations) to illustrate the potential consequences of cyberattacks.
  2. Focus on roles: Employees will better accept changes when they clearly understand what they mean and how they impact their work. Different roles have different access levels to sensitive data and systems. Tailor training to job functions. Focus on risks and responsibilities for each role. This can help employees handle actual threats they may encounter doing their jobs, not abstract fears of things that “might” happen.
  3. Try it and see what happens: Conduct regular social engineering and phishing attack simulations to test employees’ abilities to identify and respond to security threats. This provides hands-on experience, builds muscle memory for response, and identifies areas for additional training.
  4. Make it fun: If you tune out to dry lectures, unrelatable videos, and never-ending PowerPoint presentations, so will your employees. Make training fun and memorable. Use quizzes, games, and role-playing to keep employees engaged and interested.

Health care is an interconnected ecosystem, and it’s important that we all recognize the important role we play in keeping our organizations and the broader industry secure from cyberattacks.

Jaime Cifuentes is the Director of Consulting Services for Clearwater’s Physician Practice Management and Ambulatory team, bringing clients more than 20 years of information technology and security experience, including roles as virtual chief information security officer and security leadership. Reach out to Jaime with your questions at jaime.cifuentes@clearwatersecurity.com.

Related Videos
Kyle Zebley headshot