How to Know It's Time for a Security Best Practices Risk Assessment


By Scott Weaver, CISSP, CSM | Jun 21, 2024


A CHIME CIO survey and many other sources show cybersecurity at the top of a long and complicated list of priorities for healthcare technology leaders. Could a smaller-scope security risk assessment (SRA) be beneficial? The answer is yes, especially when addressing change or specific concerns:

For keeping the Board informed. Boards and leadership teams need assurance of the current state of cybersecurity and organizational risk. A fresh set of expert eyes and a review of the current state should be considered in between more intensive assessments. Read more in our recent blog titled Six Cybersecurity Points Healthcare CIOs Should Explain to Their Boards.

For budget considerations. Much can be discovered, prioritized, and remediated even from an SRA with a focused scope. An SRA targeting the areas where an exploit would have the greatest impact (such as protection and security of ePHI, access controls around boundary protection devices, and other critical pieces of a healthcare IT environment) can yield results that can be leveraged to gain priority in budget planning.

During change. A completed SRA provides insight into organizational cyber risk. It is a snapshot in time that identifies where good hygiene is practiced and where security gaps exist. New leadership teams often find value in understanding the current risk profile they are inheriting.

To uphold standards. Many organizations partner with a firm to conduct an SRA to gain an objective point of view from a third party. Another set of eyes can build confidence, and the scope of the periodic assessment can be standardized so that a cybersecurity program's progress can be compared from one assessment period to the next, while helping to manage expectations on remediation resources, timelines to resolve, and effective stop-gap mitigations.

For priority setting. Internal teams are often keenly aware of their potential vulnerabilities and of the resources available to address them. A focused SRA can assist with cybersecurity project prioritization to gain greater budgetary and leadership sponsorship for remediating open findings. Understanding the cybersecurity risk to a healthcare organization's key IT assets enables leaders to set remediation and mitigation priorities.

Small and limited scope SRAs: More comprehensive than you think?

While a full Security Risk Assessment should investigate the areas listed below and more, the value of an assessment focused on top concerns and recent changes to your technology ecosystem should not be underestimated. Focusing on one application change or area of concern can help identify issues that could impact another area of the technology stack or could introduce new risk.

A limited scope SRA provides the findings and considerations your team needs to chart your organization's path toward cybersecurity best practices and behaviors. Involve consultants with broad experience and top-notch credentials, or work from the findings to evaluate and shape your organization's policies and processes related to:

  • Governance
  • Remote access
  • Email security
  • Vulnerability patching
  • Endpoint protection
  • Cybersecurity
  • Incident response
  • Backup and recovery
  • Sensitive and critical data protection
  • Medical device and IT supply chain

Your next SRA

Is a limited scope or full-scale SRA the best next step for your organization? That depends on your organization's pace of change and your confidence in your current cybersecurity posture. A limited scope SRA may be a good way to begin working with an expert or team of experts with whom you can build a trusted partnership.


About the Author:
Scott Weaver, CISSP, CSM

Certified Ransomware Specialist, CereCore
