Would you know how to perform a cyber security assessment? Have you had one done? The definition of a cyber security assessment is: A process that analyzes your organization’s cyber security controls and their ability to remediate vulnerabilities. This allows you to gain a high-level analysis of your network’s weaknesses so security teams can begin implementing security controls to mitigate them. So how do you do one? Follow these simple steps.

  1.  Determine what information is valuable. For medical practices, your PHI is most definitely valuable, but so are your QuickBooks and personnel files. You want to make sure you evaluate all of your data, not just patient data.
  2.  Prioritize – It is good to prioritize what data and assets you want to recover first. This way your plan can include step-by-step instructions on how you can continue to see patients and run your practice with as little downtime as possible.
  3.  Identify Threats – Take a good look at your network. Be honest when you look at it. Do you have things in place to test backups, test new applications, etc.? Do you review policies annually or bi-annually? Do you do background checks once a year, or just upon hiring? Take a good look and see what you think may be a threat to your network.
  4.  Identify Vulnerabilities – How often do you change Wi-Fi passwords? Can anyone sit in your parking lot and jump on your network? Is RDP open? Does anyone check your firewall logs? Take a good look into your network and see what vulnerabilities you have, and what you need to fix.
  5.  Calculate the Likelihood – Do you live in an area where hurricanes are common and your building could be destroyed? What is the likelihood of a fire, etc.? You need to think about these things.
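One way to tie the five steps together is a small risk register: each finding records the asset (step 1), the threat (step 3), the vulnerability (step 4) and a likelihood rating (step 5), and the register is ranked by likelihood times impact to give the priority order of step 2. This is an added illustration, not code from the original post; the 1–5 rating scale, the threshold and the sample findings are all assumptions constructed for the example.

```python
"""Score a small risk register so findings can be ranked for remediation.

Risk is computed the usual qualitative way: likelihood x impact, where the
impact of a finding is driven by the value of the asset it exposes. Every
asset, threat and rating below is a constructed illustration.
"""
from dataclasses import dataclass

# Qualitative ratings mapped onto a 1..5 scale (assumed scale, not from the post).
RATING = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Finding:
    asset: str          # what information or system is exposed (step 1)
    threat: str         # what could go wrong (step 3)
    vulnerability: str  # the weakness that lets it happen (step 4)
    asset_value: str    # how valuable the asset is (step 1)
    likelihood: str     # how likely the threat is to occur (step 5)

    def score(self) -> int:
        """Risk score = likelihood x impact, with impact taken from asset value."""
        return RATING[self.likelihood] * RATING[self.asset_value]


def prioritize(findings):
    """Return findings ordered highest risk first; ties keep register order (step 2)."""
    return sorted(findings, key=lambda f: f.score(), reverse=True)


def remediation_plan(findings, threshold=12):
    """Findings scoring at or above the (assumed) threshold are the ones to fix first."""
    return [(f.asset, f.vulnerability, f.score())
            for f in prioritize(findings) if f.score() >= threshold]


# Constructed sample register for a small medical practice.
REGISTER = [
    Finding("PHI (EHR database)", "ransomware via exposed remote access", "RDP reachable from the internet", "very high", "high"),
    Finding("PHI (EHR database)", "data loss after an incident", "backups never test-restored", "very high", "medium"),
    Finding("QuickBooks", "financial fraud", "shared login without MFA", "high", "medium"),
    Finding("Personnel files", "insider misuse", "background check only at hire", "medium", "low"),
    Finding("Office building", "hurricane destroys the building", "no off-site copy of data", "very high", "low"),
    Finding("Guest Wi-Fi", "outsider in the parking lot joins the network", "Wi-Fi password never rotated", "medium", "medium"),
]

if __name__ == "__main__":
    for asset, vuln, score in remediation_plan(REGISTER):
        print(f"{score:2d}  {asset}: {vuln}")
```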

Perform a Cyber Security Assessment

The reason people don’t do these is, one, they are afraid they will get in trouble when they find out their network is wide open, and two, they simply have no idea how to do one of these. I have a couple of suggestions. You could hire someone like Tier3MD, or you could find some online assessments and start from there. You may not understand all the questions, but you may be able to realize you don’t have good backups or you don’t document properly. You can learn a lot from doing a self-assessment. If you want to do a HIPAA self-assessment, you can go to the HHS website, where there is a very comprehensive tool you can use.

With a little preventive maintenance, you could help yourself avoid a major disaster. Don’t be afraid of what you don’t know. Be afraid of what you DO know, and fix it!