Last week, the National Health Information Sharing and Analysis Center (NH-ISAC), an organization dedicated to advancing health sector cybersecurity protection, held a webinar in which a representative from the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications (“DHS”) offered insight regarding how healthcare organizations can effectively manage cyber risk.
The webinar opened with a description of the prevalence of data breaches among healthcare organizations. Specifically, according to the Ponemon Institute, 94% of healthcare organizations have experienced at least one data breach, at an average cost of $2.4 million per organization, or $194 per record involved. The majority of these breaches are caused by missing or misplaced devices, unintentional employee actions, or third-party errors, rather than by sophisticated external attacks.
The presentation then highlighted the importance of conducting internal assessments and audits, noting that such measures account for the discovery of 52% of data breaches. Risk management is therefore a vital component of any healthcare organization's security program: it is how breaches get identified quickly and their damage contained early. Risk assessments are one element of a successful risk management program. A risk assessment consists of identifying threats and vulnerabilities, considering regulatory requirements (including, but not limited to, HIPAA), documenting the security measures already in place, and creating a corrective action plan to address the gaps that remain.
The DHS representative focused on one model for risk management in particular: the Cybersecurity Assessment and Risk Management Approach (“CARMA”). CARMA advocates the following steps to manage cyber risk: 1) scope risk management activities; 2) identify cyber infrastructure; 3) conduct a cyber risk assessment; 4) develop a cyber risk management strategy; and 5) implement the strategy and measure its effectiveness.
Regardless of the exact model an organization selects, every healthcare organization should design and implement a risk management program in order to lower the likelihood of data breaches and to mitigate the damage when they do occur.