Healthcare Perspectives

4 Budget-Conscious Health Care Security Tools

Mar 03, 2019
By: Paul J. Johnson

Over the last decade, the health care industry has embraced technology at a rapid pace. From electronic medical records (EMRs) to telehealth to patient relationship management systems, every aspect of a health care organization has seemingly been digitized.

While these developments are both exciting and impactful regarding quality of care, they have also made the industry more vulnerable to cybersecurity threats. And hackers are taking advantage.

As of August 2018, more than 6.1 million individuals had already been affected by 228 health care data breaches, with 70% of those breaches involving data stored by health care providers. Hackers will go the extra mile to obtain patients’ health information since individual health data is worth 10 times more than credit information on the black market.

With this added motivation for criminals, health care organizations are especially vulnerable: many face tight budgets, and the industry has been slower than others to adopt modern cybersecurity measures and protocols. A study conducted by HIMSS Analytics and Symantec revealed that 75% of health care provider organizations spend 6% or less of their IT budgets on cybersecurity.

For organizations looking to improve their data security, the effort may seem expensive, but fortunately there are several lower-cost options that many organizations can implement quickly to strengthen their cybersecurity safeguards.

HIPAA COW

The Health Insurance Portability and Accountability Act Collaborative of Wisconsin (HIPAA COW) is a non-profit organization open to entities considered to be Covered Entities, Business Associates and/or Trading Partners under HIPAA.

HIPAA COW exists to foster public education about HIPAA and to facilitate and streamline HIPAA implementation by identifying best practices. By leveraging shared resources and templates, organizations are able to put in place various security and privacy policies.

Organizations can also take advantage of the various resources on the HIPAA COW website, including a risk assessment tool. Continually updated, the HIPAA COW Risk Analysis & Risk Management Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan.

The toolkit, as well as the other resources, is completely free and a great way for health care organizations to take the information provided and make it their own in their respective security evaluations.

KnowBe4
KnowBe4 provides security awareness training to help health care organizations manage IT security problems, including social engineering, spear phishing and ransomware attacks — the most common cybersecurity threats in the health care industry.

The training company offers a variety of free tools, as well as more comprehensive options that do require payment. However, from a phishing security test to a password exposure test, there are plenty of free tools that any organization can use to get started on its initial cybersecurity efforts.

The unique aspect of KnowBe4’s training program is that organizations not only are able to train and test employees on their knowledge of health care security, but also can run their own phishing campaigns to see if employees are able to recognize real-world cybersecurity threats.

Security Risk Assessment Tool

A completely free tool from the U.S. government, the Security Risk Assessment (SRA) tool lives on HealthIT.gov.

The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) recently released an updated 3.0 version of the SRA tool. Many organizations can use this to conduct their own risk assessments.

Because it comes from the agencies that enforce HIPAA, the tool walks an organization through the standards set for cybersecurity risk assessments and through HIPAA's administrative, physical and technical safeguards. Note that using the tool does not by itself guarantee compliance; the quality of the answers and the follow-up remediation still determine the outcome. Additionally, it helps reveal areas where an organization's protected health information (PHI) could be at risk.

Cyber Risk Scorecard

Through NormShield, any organization is able to complete a rapid risk assessment at no cost. It helps to identify the security posture of third-party vendors and cyber insurance subscribers.

The tool generates an instant cyber risk score in under 60 seconds and evaluates 10 risk categories and more than 250 control items.

There's also a comprehensive risk assessment available, and while it's not free, it provides tremendous value to a health care organization by identifying external threats and explaining how to address them.

The process is fully automated and includes a non-intrusive scan of both web and dark web presence for any organization.

There’s No Excuse for No Cybersecurity

Every passing year, data breaches become more of a problem for the health care industry. No matter the size or specialty of an organization, each one should make cybersecurity a necessary and important investment in order to protect their patients from having their data stolen.

These four tools are far from a complete list of what's available, but they provide cost-effective options for organizations seeking to improve their cybersecurity efforts without breaking the bank. For more information on cybersecurity threats and tools, and what your organization can do to stay safe, contact Wipfli, an authorized reseller of KnowBe4 and NormShield.


Paul J. Johnson, CPA