Home  |   Subscribe  |   Resources  |   Reprints  |   Writers' Guidelines

E-News Exclusive

Cybersecurity Risk Prevention in 2023: Three Gaps to Close

By Gerry Blass

Health care investments in privacy and security are set to explode in the wake of ongoing cyberattacks and rising risk. Know the three most important risk areas to fortify and be prepared for the 2023 surge.

Investments in cybersecurity are a top priority for health care executives, according to a recent survey from Bain & Company conducted in collaboration with KLAS Research. Along with revenue cycle management software and patient flow automation, investments in privacy and security lead 2023 technology investment priorities following a wave of cyberattacks and rising risk.

For example, data breaches are up nearly 40% since 2020, according to the same report, and they are growing increasingly expensive. One of health care’s most recent breaches, a ransomware attack at CommonSpirit Health that forced EHR shutdowns and patient appointment cancellations, emphasizes the need for immediate cybersecurity risk prevention. If ransomware can attack a 142-hospital health system, it can strike us all.

There are three specific gaps for provider organizations to watch in the year ahead: vendor risk management (VRM), internal audits, and disaster recovery plans.

Inadequate Vendor Risk Management Programs
Most health care data breaches reported to the Health and Human Services (HHS) Office for Civil Rights thus far in 2022 involved third-party vendors. This upturn in vendor-related breaches implies that nefarious actors are targeting business partners rather than the health systems. The trend also elevates the importance of an effective VRM program as a crucial component of an organization’s complete cybersecurity and disaster recovery business continuity (DRBC) plan.

Here are three points to consider when updating your VRM program.

• All third-party vendors that capture, store, receive, exchange, or use an organization’s electronically protected health information (ePHI) should be assessed annually and ranked as low, medium, or high risk.

• The type of third-party vendor is less important than how the company uses ePHI.

• More third-party vendors will enter the health care ecosystem in 2023, including digital apps for patient disease management, hospital-at-home technology, revenue cycle automation, and more.

The National Institute of Standards and Technology is updating its Cybersecurity Framework from version 1.0 to version 2.0 in 2023. Compliance with the new framework should be another evaluation factor for an organization’s third-party vendors.

Incomplete Risk Registers
Health care’s workforce shortage is well documented. Organizations nationwide are experiencing tremendous personnel gaps. This often includes insufficient IT resources to conduct internal privacy and security audits or mitigate cybersecurity risks.

When internal cybersecurity audits get pushed out, updates to the organization’s risk register are a practical next step. A complete risk register provides vital information in the case of an audit, details risks that could affect business, and gives departments an autonomous roadmap for the year ahead.

At a minimum, the organization’s risk register should include the following:

• an inventory of all identified risks;
• grading the risks based on likelihood and/or impact;
• the best course of action to address each risk; and
• targeted list of risks for additional attention to manage.

Risk registers and VRM programs are both parts of a complete DRBC plan. Now is also the time to update the DRBC for 2023.

Outdated Disaster Recovery Business Continuity Plan
Extended downtime, as experienced during the CommonSpirit Health breach mentioned above, is a frequent outcome following cybersecurity attacks. Patient care applications, biomedical devices, ePHI, and patient safety are all at risk when extended downtime occurs.

DRBC plan updates should address extended breaks in system access—even beyond three full business days. Here are three new questions to include in an organization’s 2023 plan.

• What does extended downtime look like for each department?
• What is the business impact analysis of extended downtime?
• What additional education is needed to prepare for extended downtime?

The three gaps mentioned above are solid starting points for cybersecurity risk prevention activities. To further support the healthcare industry’s efforts, HHS produces and continually updates a health industry cybersecurity practices (HICP) quick start guide. The guide is a valuable resource for all health care organizations.

HICP Guide Is Essential Cybersecurity Risk Prevention Playbook
The HICP guide is designed to help small, medium, and large health care provider organizations prioritize what is important and support the national health sector’s cyber preparedness. All five HICP threats and 10 controls mentioned in the guide should continue to be highlighted during 2023.

HICP is voluntary for health care organizations. Use of HICP is not required by law. It is a carrot incentive for better health care cybersecurity prevention vs a stick. And there are significant benefits for organizations that document at least 12 months of compliance with HICP guidelines.

• mitigation of any HIPAA fines;
• early favorable termination of any HIPAA audit; and
• easing of remedies within any HIPAA resolution agreement with HHS.

Prioritizing cybersecurity risk using the HICP in combination with the new technology investments planned by health care executives will place health care provider organizations on solid ground for the year ahead. Risks will always abound but adopting a culture of cybersecurity hospitals prepares health systems and physician groups to stay ahead of the game and protect their organizations.

— Gerry Blass is CEO of ComplyAssistant, which provides governance, risk, and compliance software and health care cybersecurity service solutions. Blass cochairs the New Jersey HIMSS Privacy, Security, and Compliance Committee and participates in national and local chapter events that include New York, New Jersey, and Delaware Valley. He regularly writes for health care compliance and health IT publications and is an active member, contributor, and speaker at industry association events with HIMSS, HFMA, NJPCA, NJAMHAA, and HCCA.