Published on November 16, 2017
You may have heard about the recent discovery of the new web vulnerability KRACK and wondered if it’s something your business needs to worry about.
Risk assessment is one of the most important things you can do to ensure the security of your business, and for some healthcare businesses, it’s required by the Health Insurance Portability and Accountability Act (HIPAA). For an in-depth look at how to conduct a thorough risk assessment, see our recent post on the topic.
Risk assessment might sound intimidating, but in most cases, it’s a straightforward process. As an example, in today’s post, we give you the basic steps of conducting an assessment in response to the security threat presented by KRACK.
The first step is to take an inventory of your assets. Assets are those resources that, if damaged or exposed, could lead to negative consequences for your business. For example, if you’re securing your business primarily against KRACK, you would only list digitized assets since they are the only ones that would be affected. Such assets might include customer records or electronic protected health information (ePHI), client or patient emails, and billing records.
The next step is to envision the impacts, or negative effects, to your business if any of these assets are compromised. How would your business be affected if a cyberattacker stole your data? Would your reputation be damaged? Would you lose revenue? For instance, the impact of a KRACK attack on any of the assets listed above would likely be substantial damage to your business. In the case of a healthcare organization, you would be required to self-report to HIPAA.
A threat could be anything that negatively affects the assets you use to run your business. In this case, the threat presented by KRACK is a cyberattack that results in damaged, stolen, or otherwise compromised data.
Now that you know the impacts a security breach could have on your business and you’ve identified the threats, you can go through the steps to safeguard against risk with clear purpose. When you safeguard against risk, it’s important to consider all the ways disaster could strike.
In this example, consider how you might safeguard against the KRACK threat. If you’re not particularly tech savvy, learning that HTTPS websites are safe might not ease your mind. You want to know for certain that your data is safe. The best thing to do is to contact the services you use, such as your practice management software, and confirm. Simply ask the following question: “I’ve heard that I’m protected from KRACK if I use HTTPS. Can you confirm that your service is protected?”
The service will most likely confirm that they’re protected, but if they don’t, you should consider other options for managing your data until a patch is available.
This is one example of what you might do to safeguard your business against this particular cyberattack. However, all businesses are different, and it’s important to go through the steps as they apply to your particular organization.
Risk assessment is a simple, straightforward process that can be conducted quickly in response to sudden security risks such as KRACK. Simply identify your assets, figure out the impacts on your business, identify the threats, then safeguard against the risks one by one.
After conducting a risk assessment, be sure to file your notes away so they are available in case of a future audit.
The appearance of web vulnerabilities is unsettling for everyone, especially for businesses handling sensitive information. When such a vulnerability appears in the news, conducting an immediate risk assessment will ensure your data remains safe, your business secure, and your peace of mind intact.
Numerous tools are available to help you through the process of conducting a thorough risk assessment. We’ve listed two here, but you may find others that are better suited to your business.
The HIPAA Security Risk Assessment (SRA) Tool is a free tool that was developed to assist small and medium-sized healthcare practices and business associates in complying with the HIPAA Security Rule.
Abyde is a cloud-based subscription service that provides a number of HIPAA compliance tools, including one for risk assessment. Pricing varies depending on the size of your business.
The HIPAA E-Tool is a software program provided in the cloud to help office managers, practitioners, and business associates assess risk and then work toward compliance. If a breach occurs, The HIPAA E-Tool guides administrators through a step-by-step process back to business as usual.