By John DeGaspari
Data breaches of patient data at patient provider organizations are an unfortunate fact of life in the healthcare industry—and it is a problem that is growing at an alarming pace. (For more on this, see Gabriel Perna’s story on data security in the October/November issue of Healthcare Informatics, which noted that the number of patients affected by breaches over the past year doubled, from 5.4 million to 10.8 million.)
I recently had an opportunity to speak with Danny Creedon, managing director of Kroll Advisory Solutions in New York, who offered actionable advice on what healthcare providers can do to reduce their risk of breaches, which result in monetary penalties as well as damage to the reputation of an organization. “There’s a significant challenge in this new world of cyber-threats and cyber security, and it’s really important, even if you are a small organization and you are sitting on highly confidential patient and health information, that you take those threats seriously,” he says.
At a time when doctors’ offices and hospitals are digitizing their patient information, the risks to digital information are exploding, Creedon notes. “That by itself creates a risk focused industry.” He has put together seven tips to help healthcare organizations get the most out of a Health Insurance Portability and Accountability Act of 1996 (HIPAA) risk analysis.
Too often an organization keeps its risk assessment or compliance exercises at a purely non-technical level, or goes to the other extreme and uses only technical experts. Cross-organizational representation is critical, Creedon says: “You need a full spectrum of participants across the organization to be involved in the compliance exercise, because there are going to be legitimate questions about things like document retention and destruction of media, and those things that are handled at an organizational level; but there also are things like how often firewall rules are reviewed, which are completely on the other end of the spectrum as it relates to highly technical information.” The team leader should be someone with enough visibility to impact activity across the organization, such as the CIO or chief compliance officer, he says.
Aside from meaningful use compliance, there are the broad areas of HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) requirements, Creedon notes. “At a minimum, you should have a broad compliance view of how you are doing as it relates to those longstanding regulations, and then I would layer on meaningful use as you get closer to 2015,” he says.
Creedon advises establishing broad categories of information confidentiality and identifying the security procedures required for each category, then getting more granular by assigning a category to each type of data.
Vulnerability assessments should focus on both organizational vulnerabilities, such as policies, procedures, processes and people, and technical vulnerabilities, such as unpatched hardware and software and misconfigured network devices, he says. “It’s very difficult to do technical vulnerability assessments without some automated tool that is going to scroll through your network looking for known vulnerabilities.”
Creedon says documentation demonstrates that an organization has performed due diligence in its role as the custodian of PHI, and at the same time it provides a record in the event of regulatory review or an actual security breach. “It provides powerful support for an organization in the event of a breach to prove that there wasn’t gross negligence, that there was a genuine attempt at risk assessment and addressing the vulnerabilities that were found from a remediation perspective,” he says. He adds that documenting the entire process includes the risk assessment, follow-up remediation activities, and an inventory of the remaining items that have yet to be resolved. The introduction of new technology requires an assessment of how it affects the overall risk profile, and the documentation needs to be updated accordingly.
“You have to update your risk assessment on an ongoing basis, so you take into account what has happened in the last year. How have we introduced new risks, how have we mitigated those risks, to make sure that the HIPAA compliance effort is a living, breathing document, not a once and done,” he says.
Creedon advises using the risks you identify in your assessment to drive the recurrence periods. “If I were to manage the process, I would think that areas where there were significant vulnerabilities that were remediated would be areas that I would want to re-assess maybe twice a year, until I got a level of comfort that would allow me to feel that multiple assessments in a year were not required any more.”