Foundational Elements of a Risk-Based Healthcare Security Strategy – Part 1

In a time when healthcare organizations are facing cyberthreats that threaten to expose millions of patient records each year, a risk-based security strategy can help providers take a holistic approach to security, protect data, and prioritize and mitigate risks. Let’s take a look at the foundational elements of that strategy.

Strong Policy


Policy forms the cornerstone of every information security program by setting out the guiding principles for cybersecurity efforts within an organization, formalizing the leadership support for those efforts and providing a justification for actions taken in the name of cybersecurity that might negatively affect other activities of the organization. Policies should spell out the nature of the risk-based approach in an organization adopting a risk-based approach to security, and describe how the organization expects to avoid, mitigate and accept cybersecurity risks.

And cybersecurity policy is not an ambiguous field, it is a well-established field so that healthcare organizations do not need to start writing from a blank slate. Organizations are free to peruse the cybersecurity policies that many government agencies and other organizations publish on the internet, and use them for ideas as they begin to shape their own policies. The SANS Institute offers a free library of policy templates that organizations may use as the basis for their own policy documents. Apart from this, there are cybersecurity frameworks like the security standards published by the National Institute for Standards and Technology or the International Organization for Standardization (ISO), on which the healthcare organizations may also choose to base their policies on. An organization wishing to adopt a standards-based approach to security may benefit from bringing in a third-party consultant to perform a gap analysis of its existing controls, identifying areas where there are significant deviations. This can then be used as the basis for a risk-prioritized approach to applying new controls that mitigate identified gaps.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top