The Growing Cybersecurity Risk for Community Services Boards
Like many organizations, Virginia’s Community Service Boards (CSBs) are going digital—managing client records, processing financial transactions, and coordinating services all online. But with this shift comes an unavoidable reality: cyber threats are never too far behind. While CSBs stay focused on providing behavioral health and developmental services to residents across the state, hackers are looking for ways to exploit security gaps, turning everyday operations into potential ransomware attacks, data breaches, and phishing scams.
To be prepared, Executive Directors should prioritize governance-level oversight and promote a more cyber-aware culture to protect sensitive data, maintain compliance, and secure funding for essential programs. IT Managers, on the other hand, often know the cyber risks firsthand but struggle to gain leadership buy-in and the financial resources needed to implement stronger controls. When leadership and IT teams are aligned, CSBs have a better chance of staying attuned to risk and preventing attacks on their organization. After all, the cost of not preparing could be high.
We recommend starting with a comprehensive cybersecurity risk assessment to determine whether there are any existing vulnerabilities or direct threats to your organization.
- Internal IT Systems: Scan networks, workstations, data storage, email servers, and security controls to identify any potential weaknesses.
- Compliance: Ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) and Virginia state security regulations.
- Investment: Allocate resources to address real-world risks to your organization.
- Action Plan: Develop a step-by-step plan to strengthen data protection and IT controls.
The Role of Regulatory Compliance in Cybersecurity
While reducing risk starts with strong internal controls, compliance takes it a step further. CSBs are required to meet strict regulatory requirements to protect sensitive client information. In accordance with HIPAA and Virginia’s security mandates, CSBs must take steps to implement and document cybersecurity controls to safeguard protected health information (PHI) and electronic PHI (ePHI).
Understanding HIPAA Security Requirements for CSBs
Because handling sensitive client information comes with serious responsibility, CSBs are classified as HIPAA Covered Entities and must comply with the following HIPAA Security Rule requirements.
- Administrative Safeguards: Implement best practices to assess risk, train staff, and determine security protocols.
- Technical Safeguards: Establish access controls, encryption, and audit logging to prevent unauthorized access to ePHI.
- Physical Safeguards: Secure physical IT infrastructure, servers, and facility access.
- Incident Response & Breach Notification: Employ policies to detect, respond to, and report cybersecurity incidents affecting PHI.
What happens if you break HIPAA Rules? Failure to comply with HIPAA security regulations can lead to significant financial penalties, legal action, and reputational harm. Regulatory enforcement agencies, including the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), have imposed substantial fines on organizations that fail to safeguard PHI and ePHI. Beyond monetary penalties, non-compliance can also lead to civil liability, potential criminal charges in cases of willful neglect, and increased regulatory scrutiny. Even more, a cybersecurity breach could damage your public trust, disrupt your essential mental health and community services, and lead to long-term financial and operational setbacks.
Virginia State Security Mandates for CSBs
HIPAA compliance is just one part of the equation. CSBs must also comply with Virginia’s regulations, which add another layer of protection and oversight, including:
- VITA Security Standards: The Virginia Information Technologies Agency (VITA) has established the Information Security Standard (SEC530), which provides a state-wide cybersecurity framework that includes risk assessments, security controls, and incident response planning to protect IT infrastructure.
- Data Breach Notification Laws: If a data breach exposes sensitive client data, Virginia Code § 18.2-186.6 requires any entity that owns or licenses computerized data containing personal information to disclose the breach and notify affected individuals and the Attorney General’s office without unreasonable delay.
- Third-Party Risk Management: When working with vendors and IT service providers, VITA’s IT Risk Management Standard (SEC520) requires CSBs to ensure that third parties handling sensitive data meet cybersecurity best practices. It emphasizes the importance of assessing and mitigating risks that third parties may introduce to an organization’s information systems.
Key Benefits of a Cybersecurity Risk Assessment
In an era of increasing regulatory complexity and escalating cyber threats, cybersecurity is no longer competing for attention; it is a critical component of responsible governance.
- Regulatory Compliance Assurance: Ensures compliance with HIPAA, VITA standards, and Virginia state laws.
- Risk-Based Security Enhancements: Prioritizes cybersecurity investments based on the most critical threats to PHI/ePHI security.
- Stakeholder Confidence: Reinforces proactive security governance to funding agencies, boards, and community stakeholders.
- Validates IT Budgets: Provides independent validation of security concerns and justifies budget requests for cybersecurity improvements.
What’s Included in a Cybersecurity Risk Assessment for CSBs?
In a recently completed engagement with a Virginia CSB, our cybersecurity assessment provided a comprehensive security analysis, including:
- Technical Vulnerability Scanning: Identified weak points in IT systems that could expose client data.
- Configuration & IT General Controls Review: Assessed network security, access control, and IT policies.
- Data Protection & HIPAA Compliance Assessment: Evaluated safeguards for PHI/ePHI security.
- Risk Prioritization & Action Plan: Provided leadership-friendly reporting outlining critical vs. lower-risk issues.
- Incident Response Readiness Review: Ensured the CSB had a documented plan for handling cyber incidents.
The Cost of Inaction Could Be High
A single weak point could open the door to a data breach or costly disruption, one that could have devastating effects for your organization and clients, impacting compliance, operations, and even public trust.
- Ransomware & Data Breaches Are Rising: Cybercriminals target public sector organizations and healthcare providers at alarming rates.
- Regulatory Fines & Legal Consequences: Non-compliance with HIPAA and Virginia’s cybersecurity laws can lead to substantial fines and legal action.
- Lost Public Trust: A cybersecurity incident that exposes client data can severely damage your CSB’s reputation and funding opportunities.
- Operational Disruptions: Cyberattacks can cripple your IT systems, delaying critical mental health and social services.
Take the First Step in Strengthening Your CSB’s Cybersecurity
Knowing the risks is the first step to building stronger barriers around your organization. The Virginia CSB we recently assessed now has a clear roadmap for improving security. Their Executive Director understands governance-level risks, while their IT team has the justification needed to implement security improvements. Now is the time for other CSBs to follow suit.
At PBMares, our expertise in cybersecurity allows us to deliver custom solutions tailored to your organization’s needs. We provide the guidance and strategies necessary to manage risk, protect sensitive data, and stay compliant with evolving regulations.
Schedule a consultation today to discuss how a cybersecurity risk assessment can enhance your security posture and ensure compliance.
If you have any questions or would like to learn more, feel free to reply to this email or reach out to me directly at amcavoy@pbmares.com or refer to my Contact Page. Let’s work together to protect the critical services your CSB provides to our communities.