Security Risk Assessment and the Danger of Minimums

The danger of minimums, when it comes to securing a healthcare practice, can prove costly. Industry reports show a record-breaking 25% increase from 2019 to 2020 in large data breaches among healthcare organizations, with countless more unreported. Costs associated with these incidents run in the millions, averaging $7.13 million per incident in 2020. Facing competing priorities in security compliance and business operations, practice administrators with limited resources are tasked with adequately addressing both without compromise. It is, however, possible to strike an effective balance between healthcare regulations and security compliance through a full-scope security risk assessment.

Traditional measures for security compliance can lure practices into a false sense of security. Most practices have likely completed a security risk assessment (SRA), but it was probably little more than a series of questions answered “Yes,” “No,” or “In Progress.” This checkbox method does nothing real to lower the risk of a breach. Likewise, questionnaire SRAs, with their narrow questions and simplistic response options, fail to address the whole security risk picture. For example, questionnaires expect a Yes/No response to nonspecific questions such as “Does the practice use encryption?” or “Do you have antivirus software?” These minimum inquiries fail to cover the full scope of risks associated with faulty encryption or out-of-date security software. More important than checking yes or no is knowing, and resolving, the answers to deeper inquiries such as “Does encryption cover data that is emailed? Are backups encrypted? Has there been any testing? Is antivirus up to date? Does each and every workstation have this software?”

Competing Priorities–Security and Operations

An effective security risk assessment goes beyond the familiar minimums of “Check Box Compliance.” Your practice and your patients deserve better. Assessing security risk is not one size fits all, which is why it is important to first evaluate your practice’s needs and then develop a risk assessment plan that best suits them. Competing security risk priorities you will need to consider include:

  • Protecting the practice from breach
  • Keeping all important systems accessible
  • Securing patient information
  • Adapting technology to workflow changes
  • Updating technology with advancements
  • Complying with HIPAA and all other applicable regulations

Then, practices must also weigh the priorities of daily operations, including: 

  • Managing cash flow
  • Optimizing workflow
  • Staffing
  • Patient experience
  • Securing and maintaining facilities
  • Managing physician/owner expectations

Preparing the Way for Change [Resources and Perspectives]

Allocating resources to address security compliance while also improving operations can be the greatest challenge of all. Nevertheless, the statistics and experience continue to prove that the cost of a security breach is far greater than the cost of delaying or making only incremental improvements. Of course, managing cash flow, staffing, and other operational priorities remain essential in the industry; however, implementing proactive risk management to avoid a security breach can be the difference between thriving and crippled operations. In effect, a complete Security Risk Assessment keeps the doors open, creating operational stability by attacking risk and avoiding service disruption.

Conducting an effective SRA requires bringing together two important perspectives: technical and administrative. Technical expertise provides a thorough understanding of security best practices and healthcare requirements, while a strong administrative perspective guides decisions specific to the practice’s systems and workflows. Identifying, and then utilizing, key people and partners in these areas will ensure operational workflows work in step with technical controls for maximum effectiveness.

Full Scope SRA

Evaluating existing vulnerabilities, as well as the potential for future breach within your practice, requires a full-scope SRA.

According to PEAKE’s Chief Operating Officer, Mary M. Knotts:

“Looking at the entirety of risk within an organization presents the organization with a clear map of priorities, which allows available resources to be applied in the most effective manner possible.”

PEAKE has identified six essential steps toward the primary goal of a full-scope SRA: setting a Risk Priority Score.

Six Steps to Score Risk Priority

  • List critical business assets
  • Evaluate possible threats
  • Identify vulnerabilities
  • Rate threat risk
  • Rate organizational impact
  • List current controls

Equipped with this valuable information, practices can use the Risk Priority Score to develop a plan that balances healthcare regulations and security compliance unique to each practice’s operations. This roadmap of risk, representing both technical and administrative perspectives, can systematically drive out risk even when new threats are identified, workflows and technologies change, or regulations require further adjustments to the plan. 
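The six steps above read naturally as a risk register: each row pairs an asset with a threat and a vulnerability, carries a likelihood and an impact rating, and lists the controls in place. The following Python is an added worked example, not PEAKE's hSRA method or tooling, and it assumes a scoring model the post does not define: likelihood and impact are rated 1 to 5, the inherent score is their product, and a control only reduces the score when it has actually been verified (tested and evidenced) rather than merely answered "Yes" on a questionnaire. The register entries are constructed and echo the deeper inquiries from earlier in the post (email encryption, backup encryption, antivirus on every workstation).

```python
from dataclasses import dataclass, field

# Assumed rating scale for this example (the post does not define one):
# likelihood and impact are each rated 1 (lowest) to 5 (highest).
SCALE = range(1, 6)


@dataclass
class Control:
    name: str
    reduction: float   # fraction of inherent risk removed when the control is verified (0.0-1.0)
    verified: bool     # False = only a questionnaire "Yes"; True = tested and evidenced


@dataclass
class Risk:
    asset: str                 # step 1: critical business asset
    threat: str                # step 2: possible threat
    vulnerability: str         # step 3: vulnerability
    likelihood: int            # step 4: threat risk rating
    impact: int                # step 5: organizational impact rating
    controls: list = field(default_factory=list)   # step 6: current controls

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1-5")
        for c in self.controls:
            if not 0.0 <= c.reduction <= 1.0:
                raise ValueError(f"control {c.name!r} has reduction outside 0.0-1.0")


def inherent_score(risk: Risk) -> int:
    """Risk before any controls are credited (1-25 on the assumed scale)."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Risk Priority Score: inherent risk reduced only by verified controls.

    Reductions combine multiplicatively, so two verified controls of 0.5 each
    leave 25% of the inherent score, never a negative number.
    """
    remaining = 1.0
    for c in risk.controls:
        if c.verified:
            remaining *= 1.0 - c.reduction
    return round(inherent_score(risk) * remaining, 2)


def rank_risks(risks: list) -> list:
    """Highest residual score first: the order in which resources should be applied."""
    return sorted(risks, key=residual_score, reverse=True)


# Constructed sample register; values are illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("patient email correspondence", "interception of PHI in transit",
         "email not encrypted end to end", likelihood=4, impact=5,
         controls=[Control("TLS on mail gateway", 0.5, verified=False)]),
    Risk("backup media", "theft or loss of backup media",
         "backups stored unencrypted", likelihood=3, impact=5,
         controls=[Control("encrypted backups", 0.8, verified=True)]),
    Risk("clinical workstations", "malware infection",
         "antivirus missing or stale on some workstations", likelihood=4, impact=4,
         controls=[Control("antivirus deployed", 0.6, verified=True),
                   Control("patch management", 0.3, verified=False)]),
]


def report(risks: list) -> list:
    """(asset, inherent, residual) tuples in priority order, for a roadmap table."""
    return [(r.asset, inherent_score(r), residual_score(r)) for r in rank_risks(risks)]


if __name__ == "__main__":
    for asset, inherent, residual in report(SAMPLE_REGISTER):
        print(f"{residual:5.1f}  (inherent {inherent:2d})  {asset}")
```

The unverified "TLS on mail gateway" control earns no credit, so the email risk stays at its inherent score of 20 and tops the roadmap; the verified backup encryption drops that row to 3.0. Re-running the register after a control is tested, a workflow changes, or a new threat is added is how the roadmap stays current rather than becoming another one-time checkbox exercise.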

A Healthcare Security Risk Assessment (hSRA) by PEAKE will help avoid a security disaster and ensure that your organization meets the latest federal security requirements.

Work with a Trusted Healthcare IT Partner 

At PEAKE Technology Partners, we specialize in healthcare IT. We work with medical practices on the East Coast, and we have physical offices in Maryland and North Carolina’s Research Triangle Park. We provide a wide range of healthcare IT services to keep your practice’s IT systems running with minimal lag time and with maximum security. We can help you speed up your EMR and can definitely work with you to select a new EMR that meets or exceeds your practice’s needs now and in the future.

The best part? As a fully managed service provider, we promise 24/7 monitoring and rapid response. Call us at (866) 357-3253 or use the contact form to schedule a conversation.
