Healthcare organizations must regularly assess the security risks in all their applications, not just those containing protected health information, says risk management expert Angel Hoffman.
Far too many healthcare organizations have failed to update older risk assessments, which puts all data at risk, she stresses.
"Cybercriminals find healthcare quite interesting because we're not as secure as we think we are," she says in an interview with Information Security Media Group.
When healthcare organizations conduct thorough risk assessments, they often discover "gaps they weren't even aware of," including those in supply chain systems and financial systems, she notes.
Even smaller organizations struggling with limited resources must assess risks and fill in the most critical gaps in security, she stresses. "Don't just do nothing, because [now] you are vulnerable, and you will be a victim [of cybercrime] eventually," she says.
In the interview, Hoffman also discusses:
- Other common mistakes that healthcare entities make in their risk management programs;
- Business associate risk management tips;
- The importance of conducting regular background checks on employees.
Hoffman, senior healthcare practice lead at the security consulting firm Coalfire, has more than 30 years of experience in healthcare. She has served as a chief compliance and ethics officer in addition to multiple other management positions and has developed privacy, security and electronic data interchange programs for several organizations as well as compliance programs for physicians and long-term care facilities. Hoffman also serves as an adviser to several organizations, including the National Learning Health System Governance and Policy Framework Initiative of the Learning Health Community, which is working with the Office of the National Coordinator for Health IT.