Knowing When to Review Your Security: Supplemental Security Assessments in Healthcare
Healthcare security programs must be as dynamic as the healthcare operating environments they protect. As conditions change, security measures that were adequate yesterday may no longer suffice. The annual comprehensive security risk assessments required by various laws, regulations, and compliance bodies are essential components of a healthcare security program. However, leading and lagging indicators can arise anytime, signaling that a supplemental security review is appropriate or urgently needed. This article explores the key signals to watch for to keep your security program in alignment with your ever-evolving care environment.
Healthcare Security Risk Assessments
Numerous laws, regulators, and accrediting bodies call for security assessments in a healthcare context: The Joint Commission, the Centers for Medicare and Medicaid Services, HIPAA, OSHA, the National Center for Missing and Exploited Children, and even the National Fire Protection Association all carry implicit or explicit expectations of periodic security risk assessments for the facilities they cover. Healthcare organizations often meet (or strive to meet) these requirements by conducting a single comprehensive annual assessment aimed at satisfying all the minimum regulatory standards. A standard risk assessment of this kind reviews recent incidents and walks a checklist of the presence and effectiveness of security practices, physical controls, and technical systems. When executed properly and rigorously, these assessments can form the foundation of a risk-informed security management program. Unfortunately, they are sometimes merely compliance-driven, “check-the-box” exercises.
It is not unusual for these assessments to sit in a binder on a shelf, waiting for an inspector to happen by or for the calendar to turn back to assessment season. This article advocates a continuous, event-driven risk management program that monitors key indicators so that emerging and urgent vulnerabilities are identified as they arise, rather than relying on the annual assessment alone.
Key Indicators That Signal “It’s Time for a Security Review”
The most common reason healthcare organizations conduct an off-cycle, comprehensive security assessment is that something terrible has already happened. Significant acts of violence or an elopement resulting in death are examples of sentinel events that often trigger an after-the-fact review of the security program. In these scenarios, healthcare leaders often hire outside consultants to conduct the review, either because they want a fresh perspective or because they no longer fully trust their on-site security team. Reacting to such incidents is an unfortunate reality of the healthcare security discipline. However, it is also possible to identify the need for a security review proactively and perhaps prevent a catastrophic event from ever occurring. The best leading indicators that a security review may be necessary revolve around change. Any alteration in the environment should prompt leaders to ask whether their existing risk assessment is still adequate. Examples of changes that might warrant a fresh security assessment include:
1. Changes in the Surrounding Environment: Track external risk factors and foster strong relationships with local law enforcement agencies. An increase in local crime, the opening of a new bar across the street, and a decrease in local law enforcement patrols are all examples of changes in the external environment that can impact a healthcare security setting and require the addition or modification of security measures.
2. Increase in Security Incidents or “Close Calls”: One of the clearest signs is a trend of more frequent security incidents or close calls. Even if these incidents haven’t caused major damage yet, an increase in near misses (such as unauthorized personnel found in restricted zones, or repeated denied-access attempts at the same door) should not be overlooked. Seemingly harmless events can indicate that threat levels are rising or that controls are weakening; either way, an assessment is needed to adjust and strengthen defenses.
3. Organizational Changes and Growth: Healthcare organizations are dynamic. Opening a new facility, expanding service lines, merging with another entity, or experiencing significant increases in patient volume can all introduce new security challenges. When such growth or change occurs, a comprehensive security assessment should be included in the project plan, not treated as an afterthought. It’s far easier to integrate security at the time of change than to retrofit it after an incident reveals a weakness.
4. High Turnover or Leadership Changes: People are the backbone of any security program, and turnover can greatly impact its effectiveness. High turnover in the security department or IT security team is especially concerning—new staff may not be fully familiar with the organization’s particulars, and empty positions could lead to essential tasks like monitoring or maintenance being neglected. Moreover, turnover among general staff can influence the overall security culture and awareness. Conducting a security assessment when a new leadership team arrives can provide them with a clear understanding of the current status. It also acts as an objective basis for informing their strategic decisions. For instance, a new CIO may initiate a comprehensive cybersecurity audit early in their tenure to identify necessary investments.
5. Regulatory or Compliance Developments: The external regulatory environment for healthcare security is dynamic. Governments and accrediting bodies frequently update requirements in response to emerging threats. For instance, there are ongoing efforts to revise the HIPAA Security Rule to address modern cyber risks. Regulatory changes often come with a lead time; wise organizations conduct a gap analysis well in advance of deadlines. This not only ensures compliance but also enhances actual security. In some instances, failing to meet new requirements can result in penalties or loss of accreditation—therefore, boards should proactively ask, “Are we prepared for the new rules?”
6. Technology Changes or Cyber Alerts: The technological landscape in healthcare is continually evolving—perhaps you’ve migrated more data to the cloud, allowed clinicians to use personal devices (BYOD), or deployed Internet of Things (IoT) devices for patient monitoring. Each technological change can introduce new vulnerabilities. In addition, the healthcare sector receives threat intelligence from agencies such as HHS and CISA about active threats (for example, alerts about new ransomware targeting hospitals). If a credible advisory indicates a high risk to hospitals of a certain size or to specific systems you run, it is wise to conduct an immediate, targeted assessment. This may mean reviewing every remote access point after learning of attacks through VPN appliances, or auditing user account practices (password policy, MFA coverage, dormant and shared accounts) after a surge of phishing that harvests staff credentials. Quick “spot-check” assessments focused on the specific threat can tell you whether your hospital is exposed in the same way. It is far better to find and fix a weakness because a peer hospital was compromised than to wait until you become the next victim.
7. Insurance and Risk Financing Triggers: Cyber liability and property insurers increasingly require healthcare clients to provide evidence of sound security measures. If your renewal process produces hard questions or an insurer’s evaluation of your controls, take that feedback seriously. Sometimes insurers require an assessment or penetration test as a condition of coverage. Additionally, if your organization aims to reduce malpractice or liability exposure, demonstrating a strong security environment (especially around patient data) can be advantageous. If premiums rise after a recent incident, that is an economic signal to reevaluate and strengthen security, which may in turn improve insurability.
Maintaining Proactive Posture
Proactive risk management involves continuously monitoring for change. Healthcare leaders should work with security experts to build security metrics into their dashboards so they function as early warning systems. For instance, monitor off-hours badge swipes at sensitive areas such as pharmacies, nurseries, and data centers, along with repeated denied-access attempts. If anomalies are identified, don’t hesitate: initiate an inquiry or mini-assessment immediately.
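As an added illustration of the kind of check such a dashboard can run (example code written for this page, not from the article or from any particular access-control product), the Python below parses a constructed badge-swipe export and flags two of the signals discussed above: off-hours entry to a sensitive door by a badge that is not on the overnight roster, and a run of denied swipes at one door, which is the “unauthorized personnel in restricted zones” close call from item 2. The log format, door names, badge IDs, roster, and the 22:00 to 05:00 off-hours window are all assumptions; a real export will need its own parser.

```python
"""Off-hours badge-swipe anomaly checks over access-control log lines.

Added example, not from the original article. The log format, door names,
badge IDs and night roster are constructed for illustration; adapt
parse_log() to the export format of your own access-control system.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample export: one swipe per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-12T01:58:41,badge=B0217,door=ED-TRIAGE,result=GRANTED
2024-03-12T02:14:07,badge=B1042,door=PHARMACY-2,result=GRANTED
2024-03-12T02:16:30,badge=B1042,door=NICU-MAIN,result=DENIED
2024-03-12T02:16:52,badge=B1042,door=NICU-MAIN,result=DENIED
2024-03-12T02:17:11,badge=B1042,door=NICU-MAIN,result=DENIED
2024-03-12T03:05:00,badge=B0217,door=PHARMACY-2,result=GRANTED
2024-03-12T09:30:12,badge=B1042,door=PHARMACY-2,result=GRANTED
2024-03-12T23:41:09,badge=B0555,door=DATA-CENTER,result=GRANTED
"""

# Constructed policy inputs (assumptions): who is expected on site overnight,
# and which doors guard areas where an unexpected overnight entry needs a look.
NIGHT_ROSTER = {"B0217"}            # e.g. the night-shift pharmacist
SENSITIVE_DOORS = {"PHARMACY-2", "NICU-MAIN", "DATA-CENTER"}
OFF_HOURS_START = time(22, 0)       # 22:00
OFF_HOURS_END = time(5, 0)          # 05:00; the window wraps past midnight


@dataclass(frozen=True)
class Swipe:
    ts: datetime
    badge: str
    door: str
    granted: bool


def parse_log(text: str) -> list[Swipe]:
    """Parse the constructed export format, skipping blank or malformed lines."""
    swipes = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        swipes.append(Swipe(
            ts=datetime.fromisoformat(parts[0]),
            badge=fields["badge"],
            door=fields["door"],
            granted=fields["result"] == "GRANTED",
        ))
    return swipes


def is_off_hours(ts: datetime, start: time = OFF_HOURS_START,
                 end: time = OFF_HOURS_END) -> bool:
    """True if the clock time falls in [start, end); a window that crosses
    midnight (start > end) is handled as two half-open ranges."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def find_anomalies(swipes, night_roster=NIGHT_ROSTER,
                   sensitive_doors=SENSITIVE_DOORS, denied_threshold=3):
    """Return (kind, badge, detail) findings for two checks.

    OFF_HOURS_SENSITIVE: an off-hours GRANTED swipe at a sensitive door by a
        badge that is not on the overnight roster.
    REPEATED_DENIED: at least denied_threshold DENIED swipes by one badge at
        one door on one day, i.e. someone trying a door they have no rights to.
    """
    findings = []
    denied = Counter()
    for s in swipes:
        if (s.granted and is_off_hours(s.ts)
                and s.door in sensitive_doors and s.badge not in night_roster):
            findings.append(("OFF_HOURS_SENSITIVE", s.badge,
                             f"{s.door} at {s.ts.isoformat()}"))
        if not s.granted:
            denied[(s.badge, s.door, s.ts.date())] += 1
    for (badge, door, day), n in sorted(denied.items()):
        if n >= denied_threshold:
            findings.append(("REPEATED_DENIED", badge,
                             f"{n} denied at {door} on {day}"))
    return findings


if __name__ == "__main__":
    for kind, badge, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} {badge:6} {detail}")
```

Run against the sample, the script surfaces B1042’s 02:14 pharmacy entry and three denied NICU attempts a few minutes later, plus B0555’s late-night data-center entry, while the rostered night pharmacist and daytime swipes pass quietly. The thresholds and roster are the tuning knobs: a dashboard should feed each finding to whoever can open an inquiry the same day, not to a quarterly report.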
Another proactive practice is periodic “tabletop” reviews. Even without full assessments, gather stakeholders to discuss “what if” scenarios. For instance, what if we experienced a power failure and our access control system went offline—are we secure? What if a disgruntled employee attempted to retaliate—would we catch warning signs? These conversations often reveal areas to strengthen and can be conducted between formal assessments.
Healthcare organizations that incorporate security into their enterprise risk management (ERM) cycles tend to identify triggers early. ERM committees typically review all types of risks on a quarterly basis. Including security, with input from security officers and CISOs, in this process ensures that trends can be identified and mitigation plans, such as scheduling an assessment, are initiated with oversight.
Looking Ahead
Understanding your environment and noticing changes as they occur is crucial for security assessments in healthcare. By identifying key change indicators – from internal factors like employee turnover and spikes in incidents to external forces like new regulations – healthcare leaders can ensure their security programs are constantly adjusted to tackle current challenges. The cost of inaction or delayed response can be seen in breaches, safety incidents, regulatory fines, and damage to reputation. On the other hand, a timely security review, if well-executed and followed through, can enhance an organization’s defenses and show a commitment to safety to all stakeholders.
Hospital executives and security teams should foster a sense of security situational awareness: continually asking, “What’s changed in our environment, and do we need to reassess our security because of it?” By integrating that question into the governance and operations framework, healthcare organizations can remain proactive against threats and uphold the trust and safety that patients and staff deserve.