Steve Cagle, CEO of Clearwater, explains how healthcare providers can build effective cyber risk management strategies when working with third parties and other business associates. 

Steve Cagle wants healthcare companies to understand that new technology is important, but it also creates new types of risk. 

As CEO of Clearwater, Cagle has seen companies move quickly to adopt new innovations in the midst of COVID-19. While he believes that’s a positive thing, he also worries that companies aren’t adopting enough cybersecurity measures to accompany the changes. 

In this episode of HIT Focus, brought to you by Tennessee HIMSS, Cagle talks with host Clark Buckner about the importance of developing a comprehensive risk management strategy, especially when working with new business associates or other third parties. 

The Transformational Effect of COVID-19 

As telehealth services have increased to meet the demands of a COVID-19 world, healthcare organizations have also needed to implement new technology, partnerships and data sharing solutions.

“The biggest that we’ve seen that’s really, in many ways, done a lot of good things for the industry has been the accelerated level of adoption,” Cagle shared. “Which traditionally has been a really big challenge for the healthcare industry.” 

However, this has also led to gaps in cybersecurity, and the number of cyber attacks on healthcare companies more than doubled in 2020. Moreover, 60% of those breaches were associated with a third party or other business associate, suggesting that many organizations lack a risk management plan that accounts for outside partnerships.

“We’re sharing more information, and more of this information and data is now outside the control of the healthcare organization, and that has implications because it means we’ve got to think about how we’re managing risk in a different way,” Cagle explained. “[It’s] a much more mature way of ensuring that security is well-embedded from a process perspective and from a people perspective in the organization.” 

How to Build a Comprehensive Risk Strategy

In spite of these new risks, Cagle believes that healthcare companies can rise to the challenge and better protect their information by going through a comprehensive risk analysis process to help inform their larger strategies.

“Security has to be embedded throughout the entire organization. We have to think about who we’re providing access to and how we’re controlling that access,” Cagle explained. “One of the largest issues that we see is that many organizations are really spot welding and they just don’t have a comprehensive strategy and methodology that they’re implementing.”

Companies who work with third parties will also need to make sure that those other organizations are secure and doing everything possible to mitigate risk. 

“We want to evaluate their security processes and practices. We want to make sure, perhaps that third parties are evaluating the risks that those organizations have, not just the technical controls, but the administrative controls and the physical controls,” he detailed. 

To start, Cagle encouraged organizations to go through a comprehensive risk analysis, answering three key questions. First, what risks are relevant to that organization? Second, what are the appropriate controls to mitigate those risks? And third, how much value does a vendor bring to the organization compared to the amount of data they have and the risk that creates? 

The Importance of a Customized Strategy

Since every organization has different levels of risk and also different levels of risk tolerance, it’s important to base your strategy directly on the risk analysis process, rather than trying to implement processes that aren’t tailored to the company. 

For that reason, Clearwater works directly with its clients to develop their risk management strategies and equip the clients’ employees to continue the work into the future.

“That’s the risk analysis and risk management process, and I think getting good at that, having that distilled from the top down and empowering the security and risk management teams to do their job is something that can make a huge impact, because it will allow organizations to continue to respond to those changes, both in their environment and externally,” he explained. 

If companies take the time and effort to go through that process, Cagle believes they’ll be able to protect their information and continue innovating to improve their quality of care.

“There’s been a tremendous amount of improvement, especially considering the lack of resources and all the other distractions that we’ve had and the rapid amount of change, I think the industry has been doing a fairly good job.”

To learn more about Steve Cagle and how Clearwater can help your company stay secure, visit clearwatercompliance.com and sign up for the newsletter.