Making Cyber Risk Management an Ongoing Process

The HIPAA Security Rule [1], as well as the National Institute of Standards and Technology (NIST) and other standards, stipulates that risk analysis and risk management should be an ongoing process, not an activity performed at a single point in time. However, many healthcare organizations treat risk analysis as a once-and-done exercise. The Office for Civil Rights’ (OCR) “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule” [2] is based on NIST SP 800-30, Guide for Conducting Risk Assessments [3], and further emphasizes the requirement for continuous, ongoing cyber risk management.

When systems, technology, or processes change, an organization’s documented risk posture becomes obsolete, leaving the possibility that current controls no longer adequately address significant risk. For a healthcare organization to update and document its security posture appropriately, it should conduct risk analysis as part of its ongoing operational security program.

Adding New Systems to the IT Environment

A best-practice risk analysis and risk management process is performed as new technologies and business operations are planned, which reduces the effort required to address risks that would otherwise be identified only after implementation. For example, if an organization is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed beforehand to ensure that all healthcare data, systems, and devices remain reasonably and appropriately protected.

An Enterprise Cyber Risk Management Software (ECRMS) platform, such as Clearwater’s IRM|Pro®, provides a mechanism to efficiently perform a risk analysis before the new technology is brought online. This is consistent with NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” which aligns the risk analysis and risk management process with the system development life cycle [4].

The ECRMS identifies the risk scenarios and the controls required to mitigate them appropriately, and it enables “authorization to operate” and “authorization to use” decisions to be made once risk ratings fall within the organization’s risk appetite. As a result, the organization can factor the cost and effort of implementing these controls into its budget and project plan while also meeting regulatory requirements and OCR’s expectations.

Changing Use or Scale of Systems

An ECRMS enables an organization that materially changes the use of a system to reassess its risk in light of any additional impact introduced by the change in scope. For example, consider a workstation that was previously risk-analyzed for use in one department, with access to only hundreds of patient records, and that is now integrated into the EHR system, providing access to tens of thousands of patient records. This device should be risk-analyzed again to determine whether the additional harm a compromise could cause has increased its risk.

Adapting to New Threats and Vulnerabilities

In addition to changes in technology, organizations must consider new threats and vulnerabilities as they are discovered. The risk landscape changes daily [5] as new threats and vulnerabilities become reasonably anticipated for particular environments. A key benefit of IRM|Pro is that it provides periodic updates to its algorithm so the organization can assess (1) whether the current controls continue to be appropriate, (2) whether the current controls still provide the same level of risk reduction, (3) whether any additional controls are appropriate and the extent to which they are in place, and (4) the resulting risk rating based on all of the above.

An ECRMS platform provides the capability to manage cyber risk as an ongoing process rather than as a point-in-time exercise. As a result, the healthcare organization can be confident that its risk posture is up to date and accurate: any new high risks are identified and can therefore be treated.


1. U.S. Dep’t of Health and Human Servs., The Security Rule, https://www.hhs.gov/hipaa/for-professionals/security/index.html (accessed Sept. 1, 2019).
2. U.S. Dep’t of Health and Human Servs., Final Guidance on Risk Analysis, https://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html (accessed Apr. 25, 2018).
3. National Institute of Standards and Technology (NIST), Guide for Conducting Risk Assessments, SP 800-30, Rev. 1 (Sept. 2012), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
4. National Institute of Standards and Technology (NIST), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, SP 800-37, Rev. 2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.
5. Symantec Security Center, Threat Report, https://www.symantec.com/security-center/threat-report.

Jon Stone
Jon has a unique breadth of experience, with a combined 25 years in healthcare working in the provider, payer, and healthcare quality improvement fields. For the last 15 years Jon has provided strategic leadership for compliance and healthcare technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways, and Ingenix. He is Clearwater’s VP of Product Innovation and helps provide HIPAA Security and Privacy SaaS (Software as a Service) for the healthcare industry.