The Evolving Role of a Security Assessor
Published On January 22, 2024
by Angela Fitzpatrick
As the cybersecurity and regulatory landscapes keep shifting, healthcare organizations are juggling many competing priorities within their security strategy. They need adequate assurance options (assessments, certifications, and attestations) at the same time as cybersecurity becomes more tightly intertwined with other functions such as procurement, compliance, and digital transformation.
Healthcare organizations are responding to these shifts by broadening their security operations, which means security leaders must understand how cybersecurity serves the business, not just the control catalog. They are also redefining the role of the security assessor, shifting it from merely applying standards to understanding how those standards fit into the organization's larger cybersecurity program.
Escalating Cybersecurity Attacks
The rising value of patient data, including protected health information (PHI) and personally identifiable information (PII), makes healthcare organizations a prime target for cyberattacks. Patient records are highly sought after on the black market and are commonly reported to sell for 10 to 40 times the price of stolen credit card numbers.
According to the 2023 Cost of a Data Breach Report by Ponemon Institute and IBM Security, the average cost of a breach at a healthcare organization is $10.93 million, a 53% increase from 2020. That figure far exceeds the 2023 average across all industries, which stands at $4.45 million.
The HHS Office for Civil Rights (OCR) breach portal, commonly called the "Wall of Shame", shows a trend consistent with these figures. From January to November 2023, nearly 500 breaches affecting 500 or more individuals each were reported to OCR, a sharp increase from the 278 reported in the same period of 2022. Individual 2023 breaches ranged from 500 to more than 11 million affected individuals, and in total more than 90 million people had their data exposed. The reporting entities were 300 healthcare providers, 120 business associates, and 73 health plans. The majority of incidents were classified as hacking/IT incidents (407), followed by unauthorized access or disclosure (80) and theft (7).
Although the rising cost and frequency of attacks are alarming, perhaps the most unsettling finding in the IBM/Ponemon report is that only one-third of breaches were detected by the victim organization's own security teams or tools. The remaining 67% were disclosed by an outside party, and in 27% of cases that party was the attacker, typically announcing a ransomware intrusion.
The relentless pressure on patient data has left healthcare organizations searching for solutions. Part of the answer lies in increased investment in incident response (IR) planning and testing, staff training, and threat detection and response technologies. The Ponemon/IBM report identified these measures, along with adopting a DevSecOps approach, as among the factors most strongly associated with lower breach costs.
To get the most out of these investments, healthcare organizations should look closely at the role cybersecurity assessors play in finding vulnerabilities and driving their remediation.
The Evolving Role of the Security Assessor
A security assessor is an integral part of the cybersecurity team who examines the security measures in place within an information system. Using a range of assessment and testing methods, the assessor gauges the effectiveness of administrative, operational, and technical safeguards. Their primary responsibilities are detecting vulnerabilities, proposing remediation, and protecting system integrity by identifying and closing potential paths of exploitation.
Additional responsibilities of the security assessor include the following:
- Creating strategies for tracking and evaluating risk, compliance, and assurance activities.
- Defining requirements that align risk, compliance, and assurance efforts with the organization's security requirements.
- Planning and conducting security authorization reviews.
- Assessing system interfaces for potential vulnerabilities.
A security assessor also validates the security implementation of application software, networks, and systems, documents any deviations from the prescribed security standards, and, crucially, proposes appropriate corrective measures.
Today the role extends beyond these traditional responsibilities. The assessor becomes a guide who understands the organization's particular complexities and constraints and charts an achievable path to better security. This pragmatic approach balances stringent security requirements against the practicality of implementing them. Assessors tailor their strategy to each organization's specific hurdles, assets, and cybersecurity objectives, and they help evaluate the available attestation options. They guide organizations in pursuing those attestations gradually and incrementally, strengthening security over time.
In healthcare, the assessor's role carries extra weight because they align assurance activities with regulatory requirements such as HIPAA. As those requirements shift, assessors must stay ahead of the changes. Rather than being involved only occasionally, they should act as a persistent catalyst for progress, fostering continual learning and improvement.
As cybersecurity becomes more interdisciplinary, the assessor also has to navigate the human and cultural side of the certification and attestation process and its effect on the organization's day-to-day operations. Ultimately, effective security assessors do not simply assess and leave; they take an active part in remediation planning and implementation.
Impact on Attestation
A security assessor can significantly influence whether a healthcare organization attains attestation by reducing friction and resistance along the way. An assessor who understands the full context and nuances of an organization's security posture is better equipped to steer it along the attestation pathway, which removes obstacles and makes the certification process more streamlined and achievable.
In the current cybersecurity landscape, the assessor improves the odds of attestation success by taking a mentorship stance and investing time in understanding each organization's specific context. That understanding lets the assessor offer actionable, customized guidance.
This expanded role depends on cooperation and participation among all stakeholders. Acting as a connecting link, assessors promote better dialogue and shared understanding so that everyone's objectives and expectations are aligned. That simplifies the process, builds confidence, and strengthens the working relationships that enduring cybersecurity partnerships require.
Ultimately, a security assessor plays a pivotal role in fostering sustainable progress and meaningful growth in an organization's cybersecurity.
By building an effective partnership, a healthcare organization can use a security assessor's expertise to critically evaluate and guide the maturation of its in-house programs. With a strategic orientation, this collaboration can drive lasting change and promote long-term improvement.
Choosing Meditology as your cybersecurity partner brings a multitude of benefits. With a deep understanding of the unique challenges faced by healthcare organizations, Meditology can provide tailored cybersecurity solutions that address your specific needs.
The Meditology team is composed of experts in the field, including security assessors who identify vulnerabilities and also take an active part in remediation planning and implementation.
Furthermore, Meditology understands the intricacies of the compliance landscape, particularly HIPAA, which improves your chances of securing attestations.
Meditology's approach fosters sustainable progress in cybersecurity while promoting an environment of continual learning and improvement. Meditology's comprehensive, client-specific solutions make it an ideal choice for healthcare organizations aiming to strengthen their cybersecurity program.
ANGELA FITZPATRICK | VICE PRESIDENT OF DELIVERY OPERATIONS
Angela is an experienced Vice President of Delivery Operations who leads the firm’s IT Risk Management services practice. For more than a decade, Angela has managed critical technology, security, and privacy initiatives in a variety of healthcare settings. Angela’s strong track record includes experience developing complete security programs, leading security breach response efforts, and building audit functions. In addition to her security expertise, Angela has hands-on experience as a healthcare clinician and biomedical program manager, providing valuable insight into the operational workings of the healthcare industry.