Cyber, Digital, and Data Security Risk in Healthcare
Published on 30 Oct 2019
If you’re looking for good reasons to start running cybersecurity and digital risk programs, consider the following:

  • The number of data breaches in healthcare has increased approximately 6 times since 2010.
  • By November of 2019, data breaches for the year had already surpassed 40 million affected individuals in over 400 breaches, according to Modern Healthcare.
  • The black market rate for buying a full medical record can go up to $1K per record, vs $110 for a credit card number, and $1 for a social security number, as Experian reports.

Despite these facts, many healthcare organizations have not reached a sufficient maturity level in their cyber and digital risk programs. Until recent data privacy legislation raised the prospect of enforcement, there had been no true third-party enforcement or inspection of healthcare compliance. Breaches are self-reported to the OCR, driven mainly by the understanding that this is the ‘right thing to do,’ and less because an authority is hovering over these organizations to ensure they follow the letter of the law.

Did you know only 4.9% of cases reported to HHS’ Office for Civil Rights were investigated? I have worked with clients across industries in risk, compliance, audit, and security management programs throughout my career. Here is some anecdotal evidence from my own and my esteemed colleagues’ experiences:

  • Until recently, healthcare providers have been laggards in their security and IT risk management posture in comparison to other regulated industries, such as finance, insurance, and energy.
  • When you compare these industries’ characteristics to healthcare, it’s hard to support the idea that a strong risk and compliance management program is not a necessity for healthcare organizations.
  • The table below (left) draws some conclusions as to why.

As a risk professional who has worked with clients in many industries outside of healthcare, I constantly ask my clients:

  1. Why should non-IT healthcare executives care about digital security and cyber risk?
  2. How does this affect patient care and patient outcomes?
  3. What is the risk, and the cost associated with that risk, if we don’t invest in reaching a specified level of maturity in our cybersecurity risk programs?

When I ask these questions of healthcare management, I get all kinds of answers. Some inspiring, some encouraging, and some downright scary!

How do you form a compelling argument to give to your board of directors or executives that convinces them they should care, and invest, in their data privacy, cybersecurity and digital risk program?

It starts with education for the CIO, CTO, CEO and/or board of directors to help them understand why they should care, and ultimately why an investment needs to be made to respond appropriately to their risks. This is much easier said than done for a healthcare provider, which is often part of a non-profit with fewer resources and dedicated hours. Understanding the impact of IT, cyber, digital and/or data privacy risks on their patients, and prospective patients, is key.

That’s where having a meaningful risk management program, and a third-party risk program, comes into play: a program that can provide a dashboard for the CIO and board of directors to quickly gain an understanding of the true digital and cyber risks to their organization’s internal and third-party networks. Ideally this understanding is based on the impact to PHI and critical data.

But the ideal risk management program I just described is not the right place to start for most healthcare organizations.

In speaking with numerous CIOs and CISOs about how they have successfully, and unsuccessfully, presented business justification cases to the executive team to capture additional funding, our SureCloud team has assembled a PowerPoint template to jumpstart your preparation. This presentation deck is meant to be your quiver. Choose to pull out the arrows that you think will be the most effective. Remember the old speaker’s adage: know your audience. Does your audience need more education about what healthcare security threats are out there? Do they need to better understand why their current compliance-based program isn’t truly doing risk management? We have slides to address both.

It’s best to manage your expectations. Things may not change after one presentation, overnight, or even after a few presentations or months. Many times, the adoption of risk-based culture is a dramatic cultural shift that involves conversations with many levels of stakeholders, executive buy-in, and a series of incremental wins over years. But we all have to start somewhere, right?