Risk Assessments: Overcoming InertiaExperts Offer Timely Advice on Conducting an Analysis
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Data breaches are piling up, mobile devices are becoming more common, and yet - even with financial incentives and penalties - many healthcare organizations still aren't taking seriously the risk assessment requirement that's been in place since 2005.
The Office for Civil Rights - a unit of the Department of Health and Human Services - has issued several hefty fines in the wake of breach investigations that determined the organizations weren't keeping up with HIPAA Security Rule requirements, including keeping their risk assessments up to date (see: Alaska HIPAA Penalty: $1.7 Million).
OCR also has discovered in its first round of HIPAA compliance audits that many of the audited organizations hadn't been conducting regular risk assessments, says Linda Sanches, an OCR official involved in supervising the audits. For some of the organizations audited, "HIPAA hasn't been a priority for several years. ... Risk assessments were done six years ago and haven't been looked at since," she says (see: HIPAA Audits: A Preliminary Analysis).
A timely risk assessment is essential because it helps hospitals and physicians "identify potential areas of their administrative, physical and technical environments that are vulnerable and that they may need to mitigate," says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT (see: HITECH Stage 2: How to Prepare).
The 2011 Healthcare Information Security Today Survey showed that 26 percent of healthcare organizations had not yet conducted a risk assessment (the 2012 survey is now available for participation). And a recent survey conducted by HealthcareInfoSecurity for Intel found that nearly 40 percent of healthcare organizations had not conducted a risk assessment in the past year.
Another common problem for healthcare organizations is that "a lot of technical people don't follow through with documentation, so they only conduct risk assessments in their heads," says security specialist Tom Walsh, president of Tom Walsh Consulting.
But the HIPAA audit protocol, which describes what the auditors review, offers "greater clarity on how detailed the policy/procedure documentation needs to be," says Brian Evans, principal at Brian Evans Consulting.
In addition to thoroughly documenting more frequent risk assessments and preparing detailed risk mitigation plans, experts advise healthcare organizations to make sure their assessments address emerging risks, such as the rapid growth of the use of mobile devices, including personally owned equipment used on the job.
"It is extremely common for workers in this industry to use personally owned laptops, tablets and smart phones for work. And it's very often for patient-related uses," says security consultant Kate Borten of The Marblehead Group. As a result, healthcare organizations need to come up with ways to mitigate the risks involved, such as by using a mobile device management system to enforce security controls.
Another emerging risk to consider during assessments is whether employees are using personal devices to open e-mails or attachments that contain sensitive patient information, Walsh says. "You need to assess data leakage."
More than half of all major breaches reported to federal authorities have involved lost or stolen unencrypted electronic devices or media (see: Health Breach Tally Tops 500 Milestone). As a result, healthcare organizations need to assess breach risks and apply encryption as necessary to minimize those risks.
And Walsh points out that Superstorm Sandy offered an important reminder of the risks that natural disasters can pose. Assessing those risks should lead to a comprehensive disaster recovery/business continuity plan, he says. Such a plan must provide detailed downtime procedures that are readily accessible, he stresses. "If you say your med-surg people can find those procedures on the Internet, what good is that if power is out? That's something that's often overlooked."
While a list of potential risks to review is helpful, some organizations need a nudge just to get going with timely assessments. "I still find organizations that haven't conducted a risk analysis," Evans says.
Yet risk assessments have been required under the HIPAA Security Rule since 2005, and the HITECH Act is reinforcing that requirement.
Under the HITECH Act electronic health record incentive program, hospitals and physicians are earning billions of dollars in incentives for using EHRs. A final rule for Stage 2 of the program reinforces the HIPAA requirement to conduct a timely risk assessment, and points, in particular, to the need to protect data stored within EHRs through encryption.
"A lot of folks haven't taken seriously the HIPAA requirement [for risk assessments] until now that it's been incentivized through [HITECH] money," says Daniel Creedon, managing director of information risk assessment at Kroll Advisory, an IT security consulting firm. "I see a trend developing in 2013, 2014, 2015 and that's as electronic health record capabilities are in greater use, so too will risk assessments."
What's the Frequency?
Many experts advise that risk assessments should be updated yearly or whenever a significant IT change is made.
When new hardware is purchased or new software is deployed, the risks posed by the change should be carefully assessed, advises Jennifer Cole, an internal information systems department consultant at UAB Health System, a Birmingham, Ala.-based integrated delivery system. "We try to do assessments for critical applications once a year, or as we implement new software or make changes," she says.
The more regularly organizations conduct risk assessments, the better they get at identifying and mitigating risks, says Kroll's Creedon. "Risk assessments should be done based on the maturity of the assessment model," he says. "If you've only been doing risk assessments every two or three years, and start doing them every six months, you'll become confident that you know your vulnerabilities and have mitigated them. Then moving ahead, you'll be dealing with new issues, not residual problems."
Smaller organizations having difficulty conducting a risk assessment can turn to outside resources.
For example, some consulting firms offer risk assessment tools that help walk organizations through the scoring of risk. Plus, the National Institute of Standards and Technology and other organizations offer risk assessment guidance.
Borten suggests that by using the latest version of the NIST guidance, healthcare organizations can get a much better understanding of fundamentals, such as risks, threats and vulnerabilities. "It's very important that healthcare organizations are aware of this [NIST] resource, use it and develop their own policies," she says (see: Risk Assessments: Expert Advice).
UAB Health System, a huge delivery system with numerous locations, provides in-person training to staff at various locations and department on how to conduct a risk analysis, says Shelia Searson, chief privacy officer at UAB Medical Center. UAB also tapped an outside risk assessment consultant to develop online training for those who can't attend in-person training.
The training makes clear that the process involves much more than assessing risks, Searson stresses. "You need to analyze and mitigate risks. Some organizations seem to think it's a gap analysis, but it's so much more under HIPAA and HITECH."
For example, because UAB conducts extensive research, it takes extra steps to make sure patient information used for research is well-protected. "We have documents and handbooks to help researchers comply with HIPAA as they do their research," Searson says.
It's that kind of attention to detail that needs to be part of a risk assessment strategy.
"People need to be aware that risk assessments aren't easy and they take a lot of time," Searson says. "But they're something you have to do."
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.