Carl Kunkleman talks Security Risk Assessments on CTO Talk

Dec 12, 2017 | Posted by Industry Expert | Health IT, Our Shows |

By Carl Kunkleman, Senior VP, Co-Founder of ClearDATA
Twitter: @cleardatacloud
CTO Talk Weekdays at 3pm ET

I recently recorded an episode of Matt Ferrari’s podcast series CTO Talk, in which he and I discussed the importance of security risk assessments. The episode originally aired on HealthcareNOW Radio on November 22, and I encourage you to check it out. In the meantime, I thought I’d go ahead and give you a sneak peek into the content.

One of the reasons Matt and I chose this topic is that security risk assessments (SRAs) are now required under MACRA. In fact, 2017 is the base year for 2019 Medicare funding, and any covered entity that doesn’t have an SRA in place in 2017 will lose up to 4% of its Medicare distribution in 2019. And, while that can mean a substantial loss in revenue, it’s quite simple to avoid.

Conducting a third-party security risk assessment is the first step. And if you think your security is just fine, trust me…it’s not. I’ve done hundreds of SRAs, and I can tell you we always identify gaps, whether high, medium, or low risk, even for the most vigilant organizations. Some of the gaps that continually surface in SRAs are patch management, failure to adequately encrypt PHI in use, in transit and at rest, and failure to penetration test. In fact, in a recent penetration test at a large health care provider, our ethical hacker was able to gain administrative access in less than 20 minutes. Do you know where your organization’s high, medium and low risks are? Find out before a hacker does!

Five Best Practices for Conducting your Security Risk Assessment

1. Don’t Do it Yourself
The number one piece of advice I have is simply don’t do your first SRA yourself. Few IT organizations have the HIPAA security experience necessary to do a thorough assessment. Do-it-yourself apps and templates either have hundreds of questions that become burdensome and are soon abandoned, or have oversimplified rubrics that can leave you with a false sense of security that actually opens you to greater risk. And, oftentimes the internal teams are too close to the day-to-day workings to be objective. You need to hire someone with deep knowledge of HIPAA and HITRUST who has done hundreds of healthcare-specific SRAs to help you better understand the context and the risk. If you have to report a breach and notify the OCR, the SRA that you performed is going to be your evidence that you have created a culture of compliance and worked to protect PHI.

2. Remind Your Team: It’s About Continuous Improvement
I’ve seen teams get insecure when they find out external experts are coming in. They are concerned that any flaws in their protection of the data perimeter will reflect poorly on them. Let your team know that this is not a witch hunt, and no one is looking to cast blame. It’s about making your practice better every day. Every SRA we’ve performed at ClearDATA has uncovered high, medium and low risk…EVERY SINGLE ONE! Remind your team it’s not a bad thing to identify high risk – it’s a bad thing to NOT identify it, and not address remediation strategies until after a breach occurs.

3. Create a PHI Inventory
All too often, this incredibly important step is overlooked in in-house assessments. With ever-expanding data sets and mobile proliferation, PHI is everywhere, and often poorly documented or mapped. A big foundational step in building out a strong SRA is documenting your PHI inventory and mapping out where all PHI lives, across various devices, systems and silos. If you don’t know where it lives, you can’t protect it.

4. Assess Across Administrative, Technical and Physical Risks
HIPAA requires SRAs to report and assess on administrative, technical and physical safeguards. This means you will need to dive deep into these three buckets. The administrative safeguards will include policies designed to prevent incidents; they can range from background checks on hiring to termination procedures, and all points in between. The technical safeguards range from intrusion detection and prevention software to firewalls and overall system design. And the physical safeguards will assess what is in place to protect areas where PHI is stored, from locked doors between receptionist desks and patient waiting rooms, to badged entries protecting workspaces. Each of the 50-plus requirements needs to be professionally examined and a determination made of its level of risk.

5. Create a Remediation Plan
While it is critical to understand not only that you have risk, but also whether it is high, medium or low, it’s equally important to understand what can be done to remediate it. This is where having external experts can really make the difference. For example, at ClearDATA once we do a security risk assessment, we will deliver two reports – one for the IT team in highly technical terms, and another in layman’s terms for non-technical business leaders. Each report includes suggestions for remediation.
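As an added illustration (not ClearDATA’s method or tooling, and not part of the original article), here is a small Python sketch that ties steps 3 through 5 together: a PHI inventory is assessed against the commonly found gaps named above, each finding is tagged with its HIPAA safeguard bucket and a high/medium/low level, and the sorted register is the starting point for a remediation plan. The store names, day thresholds and risk levels are assumptions chosen for illustration.

```python
# Added example, not from the article or ClearDATA: a minimal PHI inventory turned into
# a risk register. Thresholds (30/90 days for patching, 365 days for pentests) are assumed.
from dataclasses import dataclass

@dataclass
class PhiStore:
    name: str                          # system, device or silo that holds PHI
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    days_since_patch: int
    days_since_pentest: int
    physical_access_controlled: bool   # locked room or badged entry
    custodian_documented: bool         # administrative: a named owner of the data

LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}

def assess(inventory):
    """Return (store, safeguard category, issue, level) tuples, highest risk first."""
    findings = []
    for s in inventory:
        if not s.encrypted_at_rest:
            findings.append((s.name, "technical", "PHI not encrypted at rest", "high"))
        if not s.encrypted_in_transit:
            findings.append((s.name, "technical", "PHI not encrypted in transit", "high"))
        if s.days_since_patch > 90:
            findings.append((s.name, "technical", "patching more than 90 days overdue", "high"))
        elif s.days_since_patch > 30:
            findings.append((s.name, "technical", "patching more than 30 days overdue", "medium"))
        if s.days_since_pentest > 365:
            findings.append((s.name, "technical", "no penetration test in the last year", "medium"))
        if not s.physical_access_controlled:
            findings.append((s.name, "physical", "PHI area lacks locked or badged access", "medium"))
        if not s.custodian_documented:
            findings.append((s.name, "administrative", "no documented data custodian", "low"))
    return sorted(findings, key=lambda f: (LEVEL_ORDER[f[3]], f[0]))

def summarize(findings):
    """Counts per level, the numbers a non-technical leader's report would lead with."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, _, level in findings:
        counts[level] += 1
    return counts

# Constructed sample inventory for a small practice (values invented for illustration).
SAMPLE_INVENTORY = [
    PhiStore("EHR database server", True, True, 12, 200, True, True),
    PhiStore("Front-desk laptop", False, True, 120, 800, False, True),
    PhiStore("Backup NAS in storage closet", False, False, 45, 800, False, False),
]
```

Running `assess(SAMPLE_INVENTORY)` yields ten findings; the clean EHR server produces none, and the closet NAS, which is unencrypted both ways and physically unprotected, tops the list.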

As Matt and I mention in episode #2 of CTO Talks, SRAs help the IT professional keep pace with advancing technologies, identify risk, and be armed with objective evidence to argue for more money and resources. And, the bottom line is this: SRAs are a federal requirement. Not performing one costs you money and opens you to higher risk. The sooner you act the better.

This article was originally published on ClearDATA and is republished here with permission.

Tags: Carl Kunkleman, ClearDATA, CTO Talk, Matt Ferrari, security risk assessment
