Is your organization taking adequate measures to mitigate evolving cyber risks?
Risk analysis is about anticipating “What if?” based on statistics, experience, and expertise. Now, more than ever, it is critical to anticipate “what if” as our healthcare delivery model is rapidly changing. Understanding organizational risks and threats, and managing them to an acceptable level, is where expertise matters most. tw-Security has that expertise! We have conducted hundreds of risk assessments and risk analyses; therefore, our processes are well-defined.
Our risk analysis process is a “true” risk analysis. A risk analysis is a systematic and ongoing process of identifying threats (internal and external), controls, vulnerabilities, likelihood (or probability), impact, and an overall risk rating. If any of these steps is missing, it is not a true risk analysis. A risk analysis ensures that your limited resources are being applied where they are most effective.
How “thorough” is your risk analysis?
Healthcare organizations possess a wealth of information (medical, financial, payroll, research, credit card, strategy, etc.) that has high value to cyber thieves and nation-state actors. Specific to health information, the Office for Civil Rights (OCR) expects a risk analysis to be conducted regardless of the particular electronic medium in which electronic protected health information (ePHI) is created, received, maintained, or transmitted, and regardless of the source or location of that ePHI.
Our approach is based upon the guidance from the National Institute of Standards and Technology (NIST) and documents created by the Department of Health and Human Services (HHS) and/or the Centers for Medicare and Medicaid (CMS).
The Prioritized Action Plan becomes your “road map.”
The result of a risk analysis is a prioritization of risks. All businesses and organizations operate at some level of risk. With limited resources, risk analysis ensures that resources are being applied where they are most needed. Risks that are above the organization’s risk tolerance are included in a prioritized action plan. Risk management is the implementation of security safeguards and controls to reduce risk to an acceptable level and to maintain that level of risk.
Our risk analysis documents, submitted by customers during an audit or an investigation, have been accepted by the federal Department of Health and Human Services (HHS) and more than one state as meeting the criteria for risk analysis.
Contact tw-Security to view examples of our work products and deliverables.
A ransomware incident can severely impact patient safety and the organization’s financial health. The trends in hacking and unauthorized access (mostly attributed to phishing) continue to rise, presenting significant challenges to the healthcare industry. Ransomware, the fastest-growing malware threat, on a covered entity’s or business associate’s computer systems is a security incident and could be a data breach reportable to federal and state authorities.
Along with the risk analysis, we can evaluate your readiness to prevent and respond to a ransomware incident by identifying strengths and improvement opportunities. We gather ransomware-specific data, map it to the National Institute of Standards and Technology (NIST) incident response phases and 14 critical control categories using a weighted score, and provide prioritized recommendations.
Some cyber-insurance carriers are requesting detailed information on ransomware preparedness.