Assurance

Assure your strategy is sound and able to manage threats across your digital health agenda, while reducing business impact to the enterprise. Our risk-centric talent brings deep knowledge of digital health, clinical impact, and operational workflow, serving healthcare with executive-level acumen, enterprise risk management, and platform expertise.

Cyber Risk Assurance

HICP 405(d) & NIST CSF Assessment

Assess healthcare organizations’ ability to accelerate a prescriptive, targeted approach to the five biggest risks in healthcare, the 10 leading HICP practices, and 23 control surfaces to maximize investments in security capability and maturity. First Health advisors are experts on HICP 405(d) practices and benefits, with a keen focus on aligning current cyber policies and practices with HICP’s 10 prioritized practices, including MFA adoption, endpoint protection and monitoring, email defense, and tested backups.

Accelerate cyber threat action and capability targeting:

The BIG 5:

  • Social Engineering
  • Ransomware Attacks
  • Loss/Theft of Data or Equipment
  • Insider, Accidental, or Intentional Data Loss
  • Medical Device Cyberattacks

The Top 10 Security Risks Reduction Program:

  • Email and Endpoint Protection Systems
  • Identity & Access Management
  • Data Protection/Loss Prevention
  • IT Asset Management (ITAM)
  • Network Management & Security
  • Vulnerability Management
  • Security Operations Center (SOC) & Incident Response
  • Network Connected Medical Device Security
  • Cybersecurity Oversight & Governance

Map findings and requirements to the 23 control surfaces that have the biggest impact on the organization’s risk profile.

Enterprise Risk & Business Impact Analysis/Assurance

Healthcare is under constant threat of cyberattacks from all directions and can’t rely on a single point-in-time snapshot measurement of security risks to the organization’s digital assets. The ever-evolving security threat landscape means that each organization must enable a continuous security program that actively identifies and reduces risks to the expansive network-connected asset realm.

First Health’s continuous Enterprise Risk & Business Impact Analysis/Assurance services efficiently and effectively identify security risks to your healthcare organization, while working with your IT department to plan, prioritize, and implement risk-reducing solutions, resulting in a continuous cycle for securing network-connected digital assets.

  • Improve security, privacy, and overall risk management maturity and capability, gaining confidence in compliance alignment
  • Network and Remote Access, Server Management, End-User, Vulnerability Management, Data Management, Third-Party and Supply Chain Risk, Medical Device, and Email Protection
  • Incident Response, Business Impact Analysis, Legal/Compliance, Facilities, and major platform risk (EHR, ERP)
  • Governance, Risk Analysis, Personnel Evaluation and Roles, and Leadership Reporting

Third-Party Risk Management

Help healthcare entities manage vendor security risks by providing a tool to monitor and manage vendor security risk assessments for all of the organization’s business and supply chain product and service partners.

  • Assessment: Review current third-party (vendor/supply chain) risk processes, develop recommendations, and craft a plan for program capability and maturity
  • Identify and prioritize critical vendors based on potential enterprise impact
  • Assess enterprise risk tied to each third-party interaction or relationship
  • Program support requirements: Determine ongoing technology, personnel, and policy requirements
  • Continuous monitoring capability
  • Explore efficiency of assessment and automation
  • Scalable managed services enablement based on key findings and requirements
  • Risk education for key stakeholders

Ransomware Prevention, Recovery, Resiliency Assessment

Address prevalent and highly publicized types of security incidents, and identify the most critical gaps/risks and mitigation recommendations.

  • Assess environment against key risk factors for ransomware prevention, detection, and recovery
  • Ensure the organization has working, fully immutable backup solutions that are tested for effectiveness
  • Align organization and risk plans with a focus on the biggest threat vectors and the ability to recover quickly
  • Ensure the organization has implemented and tested incident response plans and ransomware playbooks
  • Complete analysis and remediation recommendations

IoMT/OT Cybersecurity Program Assessment

A NIST-based approach to OT and Internet of Medical Things (IoMT) risk, assessing Clinical Engineering and HTM (Health Technology Management) cybersecurity program structure, staff, and systems, and resulting in a Transformation Roadmap.

  • Deliver foundational program guidance, strategy, implementation, and management services
  • Understand how to optimize the tools and policies needed or in use by the organization to reduce cybersecurity and patient safety risk
  • Identify gaps in OT and IoMT programs and define necessary collaboration of key stakeholders in IT, network, clinical, and operations
  • Assess internal talent, while defining key subject matter expertise needed to maintain capability and maturity
  • Review cyber framework compliance and map HTM/CE requirements to security requirements

Incident Response Program Assessment

Evaluate the incident response program to ensure the provider organization is prepared to respond quickly to cyber-related downtime in an organized way, including extended periods of paper processes, addressing critical systems, and coordination with the IT team.

  • Provide incident program support from planning, implementation, and response, including recovery tactics, communication, and reporting execution
  • Review policies, procedures, processes, testing ability, and integration, as well as playbooks, contractual obligations, and service level objectives/agreements, to develop a structured approach to detecting, resolving, and restoring the damage sustained after an incident
  • Identify and specify the roles and responsibilities of the incident response team in the event of a cyberattack
  • Develop tabletop design and coordination
  • Assess technology response, automation and alert tuning, along with threat sharing and plan for manufacturer communications

Merger & Acquisition Risk

Assess current security posture of target organization to enable the purchasing organization to identify security risks and plan remediations post-purchase, while providing specialized insights into processes infrequently used by the organization and not maintained in-house.

  • Assess overall risk of M&A target using enterprise risk assessment methodology and frameworks
  • Provide HIPAA, NIST, CMMC, and other framework alignment reports
  • Detailed guidance and risk stratification to assist organization in making risk decisions during acquisitions
  • Outline key administrative, physical, and technical control gaps
  • Prioritization and risk guidance for a detailed post-acquisition risk mitigation plan

Cyber Insurance Advisory

Cyber insurance policies have become more difficult to obtain, while rates are higher and the premiums are inadequate for the risks assumed. First Health knows what carriers are asking of potential signees and what’s needed to prepare for policy renewals. Our policy experts work with your team to position your organization for the best outcomes and coverage based on your requirements.

  • Expert CISOs and security leaders with extensive experience in cyber renewals support client organizations with cyber insurance requirements and renewals
  • Insights into formulating responses to carriers’ cybersecurity questions
  • Guidance on the must-have cybersecurity capabilities needed to obtain policies
  • Experienced team leaders, up-to-date on latest insurance market changes and requirements
  • Support on developing a roadmap and enterprise alignment to ensure success with insurance renewals and applications, including support with long- and short-term strategies