New Scaler

5 Security Risk Analysis Myths in the Healthcare Industry

The COVID-19 pandemic threw multiple challenges at the healthcare industry. The sector saw a steep increase in demand that led to the collapse of health infrastructure in different parts of the world. What's more, the industry experienced an unprecedented surge in cyber crime.

According to the NCSC's 2021 Annual Review, healthcare has been the most attacked sector [1], and experts expect this trend to continue in the coming years. Increased adoption of hybrid working and telemedicine has widened the attack surface, creating vulnerabilities that threat actors are eager to exploit.


Protected Health Information (PHI) threats are a significant concern for every healthcare-related organisation because:

  • Healthcare data breaches cost an average of over $400 per record, while the cross-industry average is close to $150 per record [2].
  • Over 90% of healthcare organisations reported at least one security incident in the last three years [3].

Keep reading to learn how your organisation can protect itself against sophisticated ransomware and other threats that affect healthcare data security and compliance.

The Role of NIST, CSF and Security Risk Analysis

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a joint initiative by the US government and private sector. It provides a globally applicable policy framework of cyber security guidance. This framework outlines how organisations can assess and enhance their capability to block, detect and respond to cyber attacks.

A new federal law signed on January 5, 2021, rewards Health Insurance Portability and Accountability Act (HIPAA) covered entities that have implemented the NIST CSF. The law takes an enormous burden off covered entities by reducing fines and providing audit relief if they can show they have applied the NIST CSF for the previous 12 months.

One of the crucial measures highlighted by both HIPAA and the NIST CSF for reducing risk is security risk analysis. It evaluates the threats and vulnerabilities that affect the confidentiality, integrity and availability of PHI.

There is a lot of misinformation regarding security risk analysis making the rounds. Before discussing that, it is essential to know about a significant threat to the healthcare industry — ransomware.

Know the Expanding Ransomware Threatscape

The following stats prove how severe ransomware threats are:

  • Ransomware cost the healthcare industry over $20 billion in 2020 [4].
  • The attack vector caused close to 10% of breaches reported in 2021 [5].

Under the HIPAA privacy rule, a ransomware attack is a notifiable breach even if PHI is only encrypted and not copied or stolen.

With businesses getting smarter by keeping offline backups so they can recover their data and operations rather than pay a ransom, cyber criminals are resorting to new ransomware approaches such as:

Double-threat ransomware

Attackers using this approach encrypt healthcare data and also exfiltrate copies for themselves. The targeted organisation then receives a note demanding payment for the decryption keys, together with a warning threatening disclosure of the protected data if the ransom is not paid.

Triple-threat ransomware

In this approach, the organisation receives a ransom note demanding payment and is threatened with disclosure of protected data, while its patients also receive ransom notes demanding payment.

Healthcare Security Risk Analysis Myths Debunked

Listed below are five of the most common myths regarding security risk analysis:

Myth #1: It is optional for small providers

Truth: All HIPAA-covered entities must perform a risk analysis. The same applies to providers who want to receive Electronic Health Record (EHR) incentive payments [6].

Myth #2: Installing a certified EHR fulfils the Meaningful Use (MU) requirement [7]

Truth: Performing a security risk analysis is a must even if you have a certified EHR. The MU requirement covers all PHI you maintain, not just what is stored in the EHR.

Myth #3: The EHR vendor takes care of all privacy and security matters

Truth: The EHR vendor may provide information, support and training on the privacy and security features of the product, but the vendor is not responsible for making your use of the product compliant with privacy and security regulations.

Myth #4: Security risk analysis needs to focus only on the EHR

Truth: You must analyse every electronic device and system that handles PHI, not just the EHR.

Myth #5: Risk analysis needs to be conducted just once

Truth: To comply with the regulations, you must continually improve your security posture. This includes conducting risk analysis on a regular basis, not as a one-off exercise.


If you have read this far, chances are you want to ramp up your security and compliance posture through continual security risk analysis.

If you’re worried about where to start, we can help. It is usually easier and more effective to collaborate with an experienced partner like us for risk analysis. To get started, contact us now to request a consultation.


Sources and definitions:
  1. NCSC –
  2. net
  3. US Healthcare Cybersecurity Market 2020 Report
  4. Healthcare Innovation
  5. Verizon DBIR 2021
  6. The EHR Incentive Program gives incentives to healthcare providers who use EHR technology to improve patient care.
  7. The MU requirement sets out the minimum federal standards for EHR use.