Continuous Risk Assessments Unify Healthcare Cybersecurity 

Published by Benjamin Lorentzen

Welcome to Axio’s series on cybersecurity for healthcare providers, where we share expert insights and practical advice tailored to the unique security needs of the medical sector. Our aim is to equip healthcare security professionals with the knowledge and tools necessary to safeguard sensitive patient data against increasing cyber threats. Each installment of this series will explore various aspects of cybersecurity risk management we have deployed with Axio customers. By staying informed and proactive, healthcare providers can ensure a secure environment for both their patients and their practice.   

In our previous post, The Perilous Quest for Cybersecurity Funding in Healthcare, we set the stage, addressing tight budgets, connected devices, complex business structures, and ransomware threats.  

In this post, we discuss cyber risk assessments for healthcare providers and how they can be designed to be a continuous process. 

Introduction 

The connected technology employed by healthcare organizations continues to proliferate, enabling the organization to operate efficiently and effectively and to provide better patient care. Patient health and safety drive the technology strategy; the cybersecurity program exists to reduce the risks associated with using that technology and should also be aligned to the business’s strategy. As healthcare organizations add more technology, they are at the same time increasing their dependency on that infrastructure being available, keeping data confidential, and providing accurate data.

Concurrently, the threat landscape is continuously evolving. New zero days are a certainty, and attackers can change tactics faster than budgeting cycles will ever allow defenders to keep up. Given these conditions, every healthcare organization must continuously improve its security just to maintain its current level of patient care, safety, effectiveness, and efficiency.

To compound this problem, the healthcare industry continues to evolve; mergers and acquisitions have become commonplace, leading to the emergence of large, multi-faceted healthcare systems. While these mergers offer numerous benefits, they also introduce complexities, particularly in the realm of cybersecurity. One of the most pressing challenges facing these consolidated healthcare systems is the significant variation in the maturity of cybersecurity controls across the merged organizations, along with the variety of different systems that must be managed, even if only temporarily following the merger.

The Benefits of Continual Evaluation and Adaptation  

Challenges in the evolving environment can be addressed by performing cybersecurity assessments annually and at multiple levels within healthcare organizations. Assessments should be the foundation of any continuous improvement program as they are great tools to help identify areas for improvement within an organization. For any given assessment, what areas have indications of low maturity? What could be done to improve the maturity in those areas? And, most importantly, will those improvements materially impact the security posture and risk to the organization and their patients?

Continuous Assessments  

Gaps will change year over year: some areas will lose focus and others will gain attention as the technology environment changes, vulnerabilities change, and adversaries change tactics. What was true last year won’t be true on your next assessment, and what was good enough may have slipped to become an area of undue risk. Performing assessments annually is not a nice-to-have but an imperative. With the increased scrutiny and liability on CISOs to perform diligence and duty of care, every organization must look at itself annually and use the results to perform risk assessments. This is the foundational step for any continuous improvement and risk management process.

The Need for Multi-Tiered and Aggregate Assessments  

To address the challenge of inconsistent maturity due to mergers and acquisitions, or due to differing operational requirements across an individual organization, it is also crucial to evaluate at other levels of the organization. Just because controls are present at the top of an organization doesn’t mean they make their way down into all areas of the health system. Evaluating at multiple levels can help to identify gaps and potential risks to the broader organization. All too often, bad actors enter an organization where controls are missing and then spread from there. Failure to look at the lower tiers may mean you have unidentified gaps and risks.

An additional use for assessments is to perform an evaluation prior to M&A activity as part of the deal diligence process. An evaluation may uncover unsavory conditions within the target organization that may be material to the final price, especially if they would put the broader organization at undue risk.

By conducting cybersecurity assessments regularly and at multiple levels of the organization, healthcare systems can identify weaknesses, prioritize remediation efforts, and cultivate a proactive approach to cybersecurity governance. Identifying areas of improvement is only the first step in the continuous improvement and risk management process. In our next blog we will dive into how risk assessments, and more specifically cyber risk quantification (CRQ), fit into the process.

This Is Too Much Work

Reviewing your maturity annually is necessary diligence and an imperative as the technology within your organization changes and threats change tactics. With the Axio360 platform, organizations can complete an assessment once and reuse the responses at multiple levels of the organization. This allows organizations to spend less time answering questions about controls that are provided at the top. Additionally, with the aggregate dashboard, leaders can quickly see areas of concern across their organization on a single screen. This improves time to value in identifying areas for improvement within your organization.

Conclusion  

Addressing variations in cybersecurity maturity within healthcare systems is a complex but imperative undertaking. Continual evaluation and adaptation, coupled with comprehensive assessments at multiple levels of the organization, are essential strategies for mitigating risk, enhancing resilience, and fostering a culture of cybersecurity excellence. By embracing these principles, healthcare systems can navigate the challenges posed by mergers and acquisitions, safeguarding patient data and medical equipment in an increasingly interconnected industry.

Next Up: While identifying potential improvements is the first step in the continuous improvement and risk management process, a random list of potential improvements isn’t everything. In our next blog we will discuss how organizations can quickly and easily leverage cyber risk quantification to prioritize and evaluate their potential projects.

Register for our webinar: Critical Cyber Concerns for Healthcare Providers in 2024