March 17, 2017 • Published by Kurt Osburn
Risk Management • Security Assessments
The U.S. Department of Health and Human Services maintains an online database that HIT cybersecurity pros refer to as the “HHS Wall of Shame.” It’s an exhaustive listing of all healthcare data breaches resulting in the loss of 500 or more PHI records.
During my “Risk Hotfix” presentation at last month’s HIMSS17 Conference, I asked the audience if anyone wanted to step up and be the next player on the HHS Wall of Shame.
Crickets.
No one wants to end up there, but the fact is, 318 healthcare organizations were listed on the HHS Wall of Shame in 2016. Altogether, these breaches were responsible for the loss of more than 16 million records.
Understanding the security gaps that could put your organization on the Wall of Shame starts with conducting a proper risk assessment on a regular basis. In my experience, however, most organizations don’t ever get started.
You don’t want to do a risk assessment for HIT cybersecurity simply because someone tells you to, and especially not because you’ve suffered a breach! You want to be proactive in protecting your organization from security threats.
Risk assessments help you move from being reactive to a breach to being proactive in preventing them. Guess which way is less expensive in the long run.
After years in the field performing HIPAA- and HITRUST-based security risk assessments, I’ve learned that there are four gaps most HIT organizations share. Check out my HIMSS17 presentation, “Risk Hotfix: Closing the Top HIT Security Gaps,” to learn which critical controls and processes are frequently absent, why they matter to your organization, and what you can do to fix these gaps fast.