5 Security Risk Analysis Myths in the Healthcare Industry

September 18, 2021

The COVID-19 pandemic threw multiple challenges at the healthcare industry. The sector saw a steep increase in demand that led to the collapse of health infrastructures in different parts of the world. What’s more, the industry experienced an unprecedented cybercrime surge.

According to a report, the most attacked sector in 2020 was healthcare [1], and experts expect this trend to continue into 2021 and beyond. Increased adoption of a hybrid workforce model and telemedicine has created vulnerabilities that threat actors are eager to exploit.

Protected Health Information (PHI) threats are a significant concern for every healthcare-related organization because:

  • Healthcare data breaches cost an average of over $400 per record; the cross-industry average is close to $150 per record [2].
  • Over 90% of healthcare organizations reported at least one security incident in the last three years [3].

Keep reading to learn how your organization can protect itself against sophisticated ransomware and other threats that affect healthcare data security and compliance.

The Role of NIST CSF and Security Risk Analysis

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a joint initiative by the US government and private sector. It provides a globally applicable policy framework of cybersecurity guidance. This framework outlines how organizations can assess and enhance their capability to block, detect and respond to cyberattacks.

A new federal law enacted on January 5, 2021, is designed to reward Health Insurance Portability and Accountability Act (HIPAA) covered entities that have implemented the NIST CSF. It eases the burden considerably by reducing fines and providing audit relief if you can show you have applied the NIST CSF for the past 12 months.

One of the crucial measures highlighted by both HIPAA and the NIST CSF to reduce risk is security risk analysis. It helps evaluate the threats and vulnerabilities that affect the confidentiality, integrity and availability of PHI.

There is a lot of misinformation regarding security risk analysis making the rounds. Before discussing that, it is essential to know about a significant threat to the healthcare industry — ransomware.

Know the Expanding Ransomware Threatscape

The following statistics show how severe the ransomware threat is:

  • Ransomware cost the healthcare industry over $20 billion in 2020 [4].
  • This attack vector caused close to 10% of the breaches reported in 2021 [5].

Under the HIPAA privacy rule, a ransomware attack is a reportable breach even if PHI is only encrypted and not copied or exfiltrated.

As businesses get smarter about keeping offline backups so they can recover data and operations rather than pay a ransom, cybercriminals are turning to new ransomware approaches such as:

Double-threat ransomware

Attackers use this approach to encrypt healthcare data and exfiltrate copies for themselves. The targeted organization then receives a note demanding payment for the decryption keys, along with a warning that the protected data will be disclosed if the ransom isn’t paid.

Triple-threat ransomware

In this approach, the organization receives a ransom note demanding payment and threatening disclosure of protected data, while its patients also receive ransom notes demanding payments of their own.

Healthcare Security Risk Analysis Myths Debunked

Listed below are five of the most common myths regarding security risk analysis.

Myth #1: It is optional for small providers

Truth: All HIPAA-covered entities must perform a risk analysis. The same applies to providers who want to receive Electronic Health Record (EHR) incentive payments [6].

Myth #2: Installing a certified EHR fulfills the Meaningful Use (MU) requirement [7]

Truth: Performing security risk analysis is a must even if there is a certified EHR. The MU requirement covers all PHI you maintain, not just what is in the EHR.

Myth #3: The EHR vendor takes care of all privacy and security matters

Truth: The EHR vendor may provide information, support and training on the privacy and security features of the product, but the vendor is not responsible for making your use of the product compliant with privacy and security regulations.

Myth #4: Security risk analysis needs to focus only on the EHR

Truth: You must analyze every electronic device and system that handles PHI, not just the EHR.

Myth #5: Risk analysis needs to be conducted just once

Truth: To comply with the regulations, you must continually improve your security posture. This includes conducting risk analysis on a regular basis.

If you have read this far, chances are you want to ramp up your security and compliance posture through continual security risk analysis.

If you’re worried about where to start, we can help. It’s usually easier and more effective to collaborate with an experienced partner like us for risk analysis. To get started, contact us now to request a consultation.

Sources and definitions:
  1. IBM Cost of Data Breach Report
  2. Techjury.net
  3. US Healthcare Cybersecurity Market 2020 Report
  4. Healthcare Innovation
  5. Verizon DBIR 2021
  6. The EHR Incentive Program gives incentives to healthcare providers who use EHR technology to improve patient care.
  7. The MU requirement highlights the minimum federal standards for EHR.

© 2025 Core Technologies Services, Inc. All rights reserved.