Carl Kunkleman talks Security Risk Assessments on CTO Talk
I recently recorded an episode of Matt Ferrari’s podcast series CTO Talk, in which he and I discussed the importance of security risk assessments. The episode originally aired on HealthcareNOW Radio on November 22, and I encourage you to check it out. In the meantime, I thought I’d go ahead and give you a sneak peek into the content.
One of the reasons Matt and I chose this topic is because security risk assessments (SRAs) are now required under MACRA. In fact, 2017 is the base year for 2019 Medicare funding and any covered entity that doesn’t have an SRA in place in 2017 will lose up to 4% of their Medicare distribution in 2019. And, while that can mean a substantial loss in revenue, it’s quite simple to avoid.
Conducting a 3rd party security risk assessment is the first step. And if you think your security is just fine, trust me…it’s not. I’ve done hundreds of SRAs, and I can tell you we always identify gaps, whether high, medium, or low risk, even for the most vigilant organizations. Some of the commonly found gaps that continuously surface in SRAs are: patch management, failure to adequately encrypt PHI – in use, in transit and at rest, and failure to penetration test. In fact, in a recent penetration test at a large health care provider, our ethical hacker was able to gain administrative access in less than 20 minutes. Do you know where your organization’s high, medium and low risks are? Find out before a hacker does!
Five Best Practices for Conducting your Security Risk Assessment
1. Don’t Do it Yourself
The number one piece of advice I have is simply don’t do your first SRA yourself. Few IT organizations have the HIPAA security experience necessary to do a thorough assessment. Do-it-yourself apps and templates either have hundreds of questions that become burdensome and are soon abandoned, or have oversimplified rubrics that can leave you with a false sense of security that actually opens you to greater risk. And, oftentimes the internal teams are too close to the day-to-day workings to be objective. You need to hire someone with deep knowledge of HIPAA and HITRUST who has done hundreds of healthcare-specific SRAs to help you better understand the context and the risk. If you have to report a breach and notify the OCR, the SRA that you performed is going to be your evidence that you have created a culture of compliance and worked to protect PHI.
2. Remind Your Team: It’s About Continuous Improvement
I’ve seen teams get insecure when they find out external experts are coming in. They are concerned that any flaws in their protection of the data perimeter will reflect poorly on them. Let your team know that this is not a witch hunt, and no one is looking to cast blame. It’s about making your practice better every day. Every SRA we’ve performed at ClearDATA has uncovered high, medium and low risk…EVERY SINGLE ONE! Remind your team it’s not a bad thing to identify high risk – it’s a bad thing to NOT identify it, and not address remediation strategies until after a breach occurs.
3. Create a PHI Inventory
All too often, this incredibly important step is often overlooked with in-house assessments. With ever-expanding data sets and mobile proliferation, PHI is everywhere, and often poorly documented or mapped. A big foundational step in building out a strong SRA is documenting your PHI inventory and mapping out where all PHI lives, across various devices, systems and silos. If you don’t know where it lives, you can’t protect it.
4. Assess Across Administrative, Technical and Physical Risks
HIPAA requires SRAs to report and assess on administrative, technical and physical safeguards. This means you will need to dive deep into these three buckets. The administrative safeguards will include policies designed to prevent incidents; they can range from background checks on hiring to termination procedures, and all points in between. The technical safeguards range from intrusion detection and prevention software to firewalls and overall system design. And the physical safeguards will assess what is in place to protect areas where PHI is stored, from locked doors between receptionist desks and patient waiting rooms, to badged entries protecting workspaces. Each of the 50 plus requirements need to be professionally examined and determinations made for level of risk.
5. Create a Remediation Plan
While it is critical to understand not only that you have risk, but also whether it is high, medium or low, it’s equally as important to understand what can be done to remediate it. This is where having external experts can really make the difference. For example, at ClearDATA once we do a security risk assessment, we will deliver two reports – one for the IT team in highly technical terms, and another in layman’s terms for non-technical business leaders. Each report includes suggestions for remediation.
As Matt and I mention in episode #2 of CTO Talks, SRAs help the IT professional keep pace with advancing technologies, identify risk, and be armed with objective evidence to argue for more money and resources. And, the bottom line is this: SRAs are a federal requirement. Not performing one costs you money and opens you to higher risk. The sooner you act the better.
This article was originally published on ClearDATA and is republished here with permission.