How To Self-Assess Your Health Care Cybersecurity


Health and money – you can’t go a day without thinking about these topics. That’s one reason why health care cybersecurity is such a hot topic. Imagine this: a patient comes into the hospital for a routine checkup. Then she finds out that she has an aggressive form of cancer. In a moment, her whole world changes. Deciding when and how to tell people this sensitive information is a critical way to take back control over the situation. However, if there is a health care data breach, patients will suffer embarrassment, lost opportunities and confidence in the hospital. To stop these data security breaches from happening, you need to take a critical eye to your security.

Why Do You Need To Conduct A Health Care Cybersecurity Self-Assessment

Merely keeping up with your daily security demands is hard enough. Why should you take a step back and review your cybersecurity program through a self-assessment? In brief, it is a critical process for getting out of "the weeds" of daily work and considering the broader state of your program. For example, you may spend most of your regular work supporting user requests. As a result, strategic work such as optimizing the cybersecurity training course for employees may take a back seat.

Conducting regular self-assessments helps you think strategically about security. Based on those assessments, you can make better decisions about where to focus your scarce resources.

What Should Your Self-Assessment Cover?

In a health care security self-assessment, we recommend covering a variety of areas. The depth and rigor of your assessment will need to be governed by a few considerations. First, what staff resources do you have available to complete the evaluation work? Second, what is the organization’s recent cybersecurity experience? If you have experienced an IT security event in the past 12 months, there may be added urgency and appetite to take a deep dive approach.

Organization and Resources

Start by looking at how your organization has designed departments, job responsibilities and budgets to support security. In many organizations, security has become a higher priority in the past decade. Therefore, ask yourself whether the current resources in your health care organization keep up. With budget matters, keeping up with the growth and complexity of the organization is critical. For example, if your organization has introduced new health care robots and advanced technology, you need cyber experts to review these innovations for security risk.

Risk and Controls

In cybersecurity, preventing an incident is better than managing one. Therefore, we recommend assessing the controls, whether manual or automated, that you have in place to address cyber issues. In health care cybersecurity, your risk appetite for a cyber incident such as a data breach is likely to be very low. Therefore, your controls and the overall program need to reflect that fact.


Today, everybody in the health care world has a role to play in cybersecurity. For example, a primary care physician needs to practice caution in how they handle email so that they avoid phishing campaigns. Assessing awareness doesn’t have to be complicated. Review what kind of training programs are offered to employees. You might also want to check if the organization participates in initiatives like National Cybersecurity Awareness Month.

Threat and Vulnerability Capabilities

In this area, we start to look much more closely at the technologies and systems in the organization. For example, examine whether you have access management solutions in place covering all users and systems. In addition, review your processes for detecting threats from the outside world that may affect your health care cybersecurity program. Make sure you look at your networks, mobile devices and every significant part of your infrastructure.

Cyber Incident Management

Even when you have the best cybersecurity in place, incidents will happen. The critical question is whether or not you have a playbook on hand to manage the event and its aftermath. If you have never experienced a health care cybersecurity incident, you are likely to have a weakness in this area. For example, do you have a written communication plan that describes how you will notify patients, regulators and employees about the incident? Clear, timely communication is critical in a security event.

Special Health Care Security Requirements

According to The Next Web, a single health care record may be worth up to $1,000 in the wrong hands. That reality means there is substantial incentive to attack organizations that hold this type of data. For health care organizations, HIPAA (Health Insurance Portability and Accountability Act of 1996) is a key requirement to understand. In order to fulfill HIPAA’s privacy needs, you need to have robust cybersecurity. In particular, we recommend reviewing the government’s HIPAA Security Rule guidance. That’s not all you need to consider. Your state may have additional regulations and laws you need to follow to protect health care data.

Two Strategies To Put The Health Care Cybersecurity Assessment Into Action

By this stage, you have completed your assessment process. You are probably wondering what to do with the results. Make sure you don't simply save the file and move on with your day. The self-assessment process is only worthwhile if you take action as a result. Your areas of focus will vary depending on your results. However, here are some general tips on ways you can take effective action after finishing your assessment.

Leverage Automation

Keeping up with the demands of health care cybersecurity is impossible if you do everything manually. That’s why you need security software solutions. For example, use an IT security chatbot like Apollo to manage your employee password requests. This kind of automation also increases convenience and productivity for your employees.

Utilize External Experts

Once you free up capacity with automation, your IT security staff will be able to take on more challenges. However, they will still face some limitations. For example, your staff may not be skilled in conducting penetration testing. This is a crucial practice to verify the robustness of your IT security program. In that case, consider working with an outside expert to conduct this work.

Written by Nelson Cicchitto