Assessments & Risk Management

Before any entity can improve its cybersecurity posture, there must be a clear understanding of threats and vulnerabilities that put its workforce and patients, processes, and technology at risk. And with legislators and regulators suggesting a near future where baseline standards will be mandated, assessment findings will be crucial for demonstrating cyber resilience.

First Health believes that, when done correctly, assessments equip entities with the visibility and intelligence needed to move beyond regulatory compliance into actionable reduction of third-party and enterprise risk.


Enterprise-Wide Assessment

The complexity of the healthcare environment with its complex supply chain and numerous third-party vendors requires a holistic approach to reduce gaps. The First Health-Censinet partnership joins our deep healthcare expertise and strategic risk advisory services with Censinet RiskOps™ to assess, mitigate, and monitor enterprise-wide risks, supported by a corrective action plan. 

Our services result in enhanced management of residual risk and gaps, improved efficiency, continuous risk assessments, cost savings, leadership confidence, management of identified gaps and risks, and improved visibility into risk management.

Our assessors tailor comprehensive assessments to clients’ preferred standard frameworks, including tool implementation, assessment briefing, ongoing risk response support, and access to an assessment tool and reports. Our enterprise-wide solutions include:

  • Enterprise risk assessment for NIST CSF, HICP, CPGs, and HIPAA Privacy & Security Rules 
  • Targeted action plans with remediation assignment & tracking via RiskOps™ platform 
  • Cybersecurity strategy report and security risk assessment supplement report
  • Physical security assessment report on cybersecurity & risk posture, benchmarked against market data 
  • Executive presentation at board meetings & progress meetings for ongoing mitigation
  • Post-assessment check-in and evaluation
  • Dedicated Risk Assessments for Internet-of-Medical Things (IoMT), medical devices, non-technical suppliers, and mergers & acquisitions 


Third-Party Risk Assessment

Third-party risk in healthcare is an ever-evolving challenge, brought on by the vast number of partnerships required to maintain business operations and clinical care. As part of our enterprise-wide assessment, or as a standalone analysis, our team provides a thorough analysis of third-, fourth-, and nth-party risks through the discovery process and leadership interviews, cross-walked to industry standards.

Our assessors leverage the Censinet Digital Risk Catalog™ with over 39,000 third-party vendors and products and dedicated risk assessments for vendors, products, biomedical suppliers, and non-technical suppliers to bring visibility into vendor challenges within the client network. Our team utilizes: 

  • Continuous monitoring and documentation review with reports on risk posture and key issues 
  • Breach alerts for vendors in third-party portfolio

Clients receive recommended Corrective Action Plan (CAP) items with remediation assignment & tracking, as well as a numerical residual risk rating based on identified risks and the proposed CAP. Risk reports include dynamic risk scoring, remediation status, & an activity log.


NIST, HIPAA, CPGs, & 405(d) Framework Alignment

Industry frameworks support network defenders by applying prioritized, cyber-resilient measures relevant to the healthcare environment. Our assessors work with clients to identify the current risk state, select the appropriate framework, assess compliance, and identify gaps.

First Health fine-tunes assessments to the client environment, assets, and controls to determine the current state of cyber maturity. The plan takes into consideration policy changes that could impact healthcare, such as the Cyber Performance Goals (CPGs).

Our framework alignment assessments include:

  • Identification and review of clients’ security controls and program measures
  • Assessment of gaps and recommendations for addressing findings
  • A determination by our team of whether a visibility tool is necessary to conduct a vulnerability scan of the network
  • Assessment reports that First Health’s executive leaders review with the client in a series of discovery meetings

Our team provides client advisory throughout the engagement, offering recommendations and guidance to help clients make informed, effective decisions on their cybersecurity program and cyber resiliency plans.


Privacy & Regulatory Compliance

In healthcare, regulatory and privacy compliance obligations add to the complexity of securing the environment and of the policies needed to educate and govern the workforce. With policy makers suggesting that mandatory standards will likely be required in healthcare within the next few years, meeting regulatory requirements will become even more important.

First Health is composed of seasoned regulatory and privacy advisors able to support clients in understanding the privacy and regulatory challenges facing healthcare entities. Our team supports clients by cross-walking regulations to industry requirements and assessing enterprise privacy programs to establish the program’s posture against regulatory compliance obligations.

Clients receive:

  • An Enterprise Privacy Assessment that uses industry-leading methodology, such as HIPAA and the NIST Privacy Framework, to determine the effectiveness of existing organizational, physical, administrative, and technical controls
  • Interviews and coordination with stakeholders, plus documentation review, to support analysis and identification of compliance gaps and vulnerabilities
  • An evaluation report that details identified gaps and develops actionable recommendations


Incident Response Planning

In today’s threat landscape, it is imperative that healthcare entities review their policies, technology, and processes to identify mission-critical functions and determine their ability to recover in the event of an incident. First Health assesses clients’ controls and posture to inform the correct approach to ensuring resilience during a cyber incident, including recovery plans to maintain clinical and business operations.

First Health works with clients to:

  • Review current configurations and interview the security team to validate current tools, controls, policies, and procedures 
  • Assess environment against key risk factors for ransomware prevention, detection, and recovery 
  • Ensure the organization has working, fully immutable backup solutions tested for effectiveness
  • Demonstrate the impact of a cyberattack within the client environment, testing the response plan and providing guidance on where to improve

Clients receive strategic plans tailored to the client environment, controls, policies, and workforce.


Microsoft 365 & Cloud Security and Controls

Addressing risks in healthcare requires hands-on experience in the provider environment. First Health understands the risk posed by cloud migration and maintenance and the associated challenges, and works with clients to review security, controls, and program documentation.

We evaluate the client’s MS365 tenant against industry standards and vendor best practices to identify the current state, then provide a risk analysis and roadmap report with recommendations for improving efficiency & security, including a detail-oriented action plan to address vulnerabilities.

  • Our team interviews leadership, system administrators, and security workforce to create the risk analysis and roadmap
  • We work with clients on project planning and coordination of key stakeholders to schedule interviews, review the environment, and prepare documentation for evidence gathering
  • Leadership presentation on findings includes:
    • Advisory support on needed remediation and governance
    • Risk decision support for security posture and rollout of controls and MS 365 features
    • A decision and risk report identifying key decisions tied to using features, enabling security controls, and other considerations


Asset Criticality Assessment

The average downtime after a cyberattack in healthcare is over four weeks. Failing to assess the criticality of assets used in business and care operations can lead to higher recovery costs, lost revenue, reputational damage, and patient safety risks. First Health advises clients on these challenges, then recommends next steps towards business impact analyses and business continuity plans.

We start with an enterprise risk assessment to establish risk management maturity and compliance alignment across all domains, followed by a criticality analysis that systematically assesses the risk that asset failures pose in the event of an outage, and a review of current disaster recovery and business continuity plans.

Our asset criticality assessments effectively identify risks to the healthcare environment. We work with the IT department and stakeholders to:

  • Plan, prioritize, and implement risk-reducing solutions, resulting in a constant cycle for securing network-connected digital assets, providing confidence in compliance alignment 
  • Develop a risk-based, prioritized Business Impact Analysis, including homegrown applications 
  • Provide workshops to educate workforce on how to assess systems to create a more detailed BIA in the future 

Clients report improved availability, reliability, and overall risk management maturity and capability, as well as improved end-user and vulnerability management and visibility into the device inventory.


Network Segmentation & Technical Controls

The complexity and scope of the digital health environment require network segmentation to protect vulnerable and legacy systems and devices, while reducing the risk of lateral movement and impact in the event of a system breach. These same complexities require an understanding of these connections and of how to segment the network effectively without disrupting workflows and device function.

First Health is experienced in separating network-connected IT and OT devices into physical and logical segments, or sub-networks, to apply security measures and policies to groups of devices and platforms and to isolate highly sensitive devices from the least sensitive ones.

Our leadership remains engaged throughout, supporting clients with effective risk management. Our network segmentation services include:

  • IT engineering resources that identify and assess the current network segmentation program
  • IT Security Risk Analyst resources that review and understand the most recent enterprise IT security risk assessment report and its findings
  • Evaluation of the potential risks and vulnerabilities associated with the current network segmentation strategy
  • Assessment of the impact of a potential breach or unauthorized access
  • Gap analysis of the current network segmentation program, tools, and network infrastructure to identify shortcomings in the current network segmentation design and highlight areas where improvements are needed to align with industry best practices
  • A roadmap for clients with recommendations to enhance security and maintain operational efficiency and an inventory of network devices and tools assessed during the project


XIoT Cybersecurity Program

Effective XIoT security requires leadership experience in the clinical environment to understand patient safety risks and connectivity considerations when applying remediation and patching measures. First Health’s team understands these challenges and supports clients with education and recommended policies, while assessing specific XIoT security needs.

Our assessors take a risk-based approach to assessing the Health Technology Management (HTM) and Clinical Engineering cybersecurity program structure, staff, and systems, including: 

  • HTM and IoMT internal support services 
  • HTM tools and platforms, including but not limited to: CMMS, IoMT Security, RTLS 
  • Services HTM provides to other departments and stakeholders 
  • Staff interviews to evaluate communication, skill sets, and capacity 
  • Governance, structure, policy, and process, resulting in the creation of a Transformation Roadmap to secure the healthcare environment and improve overall risk posture and guidance for achieving long-term cyber initiatives 


HTM Operational Program & Compliance

First Health understands the challenges of finding vulnerabilities and endpoints within the clinical environment and how to keep the focus on patient safety when it comes to security. Our experienced leadership works with clients to address these concerns and fill knowledge gaps to begin moving toward cyber resiliency in the clinical setting.

Our comprehensive assessments of the current clinical device security program identify programmatic and operational gaps related to connected clinical asset management and clinical engineering cybersecurity requirements.

First Health conducts a comprehensive assessment of the client’s current clinical device security program to assess: 

  • Governance & Structure (e.g., Silos, Limits of Systems or Architecture, etc.) 
  • Policy & Processes 
  • Technology, Culture, & Communication 
  • Staffing & Skills 
  • Environment & Collaboration 
  • Success Measures (i.e., Metrics and KPIs) 

First Health develops a tailored roadmap to an ideal Future State for the client through interviews, documentation, analysis, and application of First Health’s strategic overlays & playbooks, which address accreditation bodies and standards, including NIST, TJC, DNV, ACHC, ITIL, and 405(d), and align with Environment of Care leading practices.


Email Security Assessment

Given the success of targeted social engineering attacks in the healthcare sector, email security is among the key practices outlined in the 405(d) HICP and one of the essential Cyber Performance Goals (CPGs) outlined by HHS. Threat actors increasingly rely on human error to gain a foothold on networks, which means healthcare entities must prioritize email security to reduce the risk and impact of these attacks.

First Health supports healthcare entities with addressing common vulnerabilities and setting a floor of safeguards to improve cyberattack protections and response times when events inevitably occur.

Our team provides a comprehensive evaluation of clients’ email platform, policies, and tools to identify gaps and vulnerabilities, culminating in a roadmap with recommendations to improve cyber resilience in the email environment.


Custom & Specialty Assessments

Assessments are not all equally effective. First Health believes risk analyses should result in actionable management plans, supported by experienced healthcare IT, business operations, & security leaders. Our custom and specialty assessments are tailored to client needs and include sustained engagement with leadership for effective, continuous risk management.

First Health offers additional assessments tailored to the specific needs of the client, on an as-needed, project, or requested basis, including: 

CYBER INSURANCE

The rise in ransomware and targeted cyberattacks against healthcare has brought increased scrutiny and stricter security requirements from insurance companies before coverage is granted. Our assessors crosswalk clients’ current security policies and technologies to these new insurance requirements to identify gaps and create a tailored roadmap to bring clients’ cyber posture to the maturity needed to secure a policy.

MERGERS & ACQUISITIONS

Our assessors review the security posture, technologies, policies, and governance functions of the intended business purchase to: identify current and future risks, vulnerabilities, and needed remediation policies; provide the client with a risk rating and a customized roadmap of measures needed to ensure the client is not taking on additional risk and vulnerabilities; and assess gaps in prevention and response processes and tailor recommendations for improving cyber resilience.

IDENTITY & ACCESS MANAGEMENT

Our team creates a map of IT and physical systems deemed business critical and/or containing patient data, establishes user groups, roles, and related processes, and develops policies for improving IAM, including onboarding and offboarding, while identifying gaps and vulnerabilities. Clients receive an overview of overall risk and a roadmap to risk reduction, including measures to limit unacceptable risk, prioritized by criticality and subject area.