
5 Security Risk Analysis Myths in Healthcare

Jul 13th, 2022

The COVID-19 pandemic threw multiple challenges at the healthcare industry. The sector saw a steep increase in demand that led to the collapse of health infrastructures in different parts of the world. What’s more, the industry experienced an unprecedented cybercrime surge.

According to a report, the most attacked sector in 2020 was healthcare [1], and experts expect this trend to continue into 2021 and beyond. Increased adoption of a hybrid workforce model and telemedicine have created vulnerabilities threat actors are eager to exploit.

Protected Health Information (PHI) threats are a significant concern for every healthcare-related organization because:

  • Healthcare data breaches cost an average of over $400 per record. The cross-industry average is close to $150 per record. [2]
  • Over 90% of healthcare organizations reported at least one security incident in the last three years. [3]

Keep reading to learn how your organization can protect itself against sophisticated ransomware and other threats that affect healthcare data security and compliance.


The Role of NIST CSF and Security Risk Analysis

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a joint initiative by the US government and private sector. It provides a globally applicable policy framework of cybersecurity guidance. This framework outlines how organizations can assess and enhance their capability to block, detect and respond to cyberattacks.

A new federal law signed on January 5, 2021, rewards Health Insurance Portability and Accountability Act (HIPAA) covered entities that have implemented NIST CSF. The law eases a significant burden by reducing fines and providing audit relief if you can prove you have applied the NIST CSF for the past 12 months.

One of the crucial measures highlighted by HIPAA and NIST CSF to reduce risk is security risk analysis. It helps evaluate the threats and vulnerabilities that affect the confidentiality, integrity and availability of PHI.

There is a lot of misinformation regarding security risk analysis making the rounds. Before discussing that, it is essential to know about a significant threat to the healthcare industry — ransomware.

Know the Expanding Ransomware Threatscape


The following stats prove how severe ransomware threats are:


  • Ransomware cost the healthcare industry over $20 billion in 2020. [4]
  • The attack vector caused close to 10% of breaches reported in 2021. [5]


Under the HIPAA privacy rule, a ransomware attack is a notifiable violation even if PHI is only encrypted and not copied or stolen.


With businesses getting smarter by having offline backups to recover their data and operations rather than paying a ransom, cybercriminals are resorting to new ransomware approaches such as:


Double-threat ransomware

In this approach, attackers both encrypt the healthcare data and exfiltrate a copy of it for themselves. The targeted organization then receives a note demanding payment for the decryption keys, together with a warning threatening disclosure of the protected data if the ransom isn’t paid.


Triple-threat ransomware

In this approach, the organization receives a ransom note demanding payment and threatening disclosure of protected data, while its patients also receive ransom notes demanding payment from them directly.


Healthcare Security Risk Analysis Myths Debunked


Listed below are five of the most common myths regarding security risk analysis.

Myth #1: It is optional for small providers

Truth: All HIPAA-covered entities must perform a risk analysis. The same applies to providers who want to receive Electronic Health Record (EHR) incentive payments. [6]

Myth #2: Installing a certified EHR fulfills the Meaningful Use (MU) requirement [7]

Truth: Performing security risk analysis is a must even if there is a certified EHR. The MU requirement covers all PHI you maintain, not just what is in the EHR.

Myth #3: The EHR vendor takes care of all privacy and security matters

Truth: The EHR vendor may provide information, support and training on the privacy and security features of the product, but the vendor is not responsible for making your use of the product compliant with privacy and security regulations.

Myth #4: Security risk analysis needs to focus only on the EHR

Truth: You must analyze all electronic devices and systems that create, receive, store or transmit PHI, not just the EHR.

Myth #5: Risk analysis needs to be conducted just once

Truth: To comply with the regulations, you must continually maintain and improve your security posture. This includes conducting risk analysis on a regular basis and whenever your environment changes significantly.

If you have read this far, chances are you want to ramp up your security and compliance posture through continual security risk analysis.

If you’re worried about where to start, we can help. It’s usually easier and more effective to collaborate with an experienced partner like us for risk analysis. To get started, contact us now to request a consultation.

Sources and definitions:

  1. IBM Cost of Data Breach Report
  2. net
  3. US Healthcare Cybersecurity Market 2020 Report
  4. Healthcare Innovation
  5. Verizon DBIR 2021
  6. The EHR Incentive Program gives incentives for healthcare providers who use EHR technology to improve patient care.
  7. The MU requirement highlights the minimum federal standards for EHR.

