Data breaches of patient data at patient provider organizations are an unfortunate fact of life in the healthcare industry—and it is a problem that is growing at an alarming pace. (For more on this, see Gabriel Perna’s story on data security in the October/November issue of Healthcare Informatics, which noted that the number of patients affected by breaches over the past year doubled, from 5.4 million to 10.8 million.)
I recently had an opportunity to speak with Danny Creedon, managing director of Kroll Advisory Solutions in New York, who offered actionable advice on what healthcare providers can do reduce their risk of breaches, which result in monetary penalties as well as damage to the reputation of an organization. “There’s a significant challenge in this new world of cyber-threats and cyber security, and it’s really important, even if you are a small organization and you are sitting on highly confidential patient and health information, that you take those threats seriously,” he says.
At a time when doctors’ offices and hospitals are digitizing their patient information, the risks to digital information are exploding, Creedon notes. “That by itself creates a risk focused industry.” He has put together seven tips to help healthcare organizations get the most out of a Health Insurance Portability and Accountability Act of 1996 (HIPAA) risk analysis.
- When preparing your team, cast a wide net. To get the most comprehensive assessment possible, you’ll want to ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas—from IT and operations to human resources, compliance and legal to other key supervisors or managers. Once you’ve identified these stakeholders, establish protocols for tasks, timelines and communication among the team, just to make sure everything runs smoothly.
Too often an organization keeps the risk assessment or the compliance exercises either at the non-technical level or goes in the other extreme and uses only technical experts. Cross-organizational representation is critical, Creedon says: “You need a full spectrum of participants across the organization to be involved in the compliance exercise, because there are going to be legitimate questions about things like document retention and destruction of media, and those things that are handled at an organizational level; but there also are things like things, how often are fire walls rules reviewed, which are completely on the other end of the spectrum as it relates to highly technical information.” The team leader should be someone with enough visibility to impact activity across the organization, such as the CIO or chief compliance officer, he says.
- Fully scope the risk assessment. Do you know what your compliance obligations are? The HIPAA Security Rule requires “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity.” However, if you are working on attesting to Stage 1 meaningful use, your focus will likely be narrowed to that which specifically applies to your certified electronic health record (EHR) technology. For Stage 2, you will need to ensure that you have addressed encryption and/or security of data at rest. Regardless of your compliance requirements, make sure the scope of the assessment is clearly defined, and that your team understands and recognizes their focus.
Aside from meaningful use compliance, there are the broad areas of HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) requirements, Creedon notes. “At a minimum, you should have a broad compliance view of how you are doing as it relates to those longstanding regulations, and then I would layer on meaningful use as you get closer to 2015,” he says.
- Take stock of your data. One of the key components of any assessment is determining how PHI and EPHI are received, stored, transmitted, accessed or disclosed. Once you have fully scoped your assessment, you can begin gathering the relevant data—a good place to start might be reviewing past or existing projects, performing interviews, reviewing documentation, or using your organization’s standard data-gathering techniques, if applicable. Be sure to include data that might be stored with a business associate or third party, or on removable media and portable computing devices. As part of the process, you’ll want to document your methods used to gather EPHI or PHI.
Creedon advises establishing broad categories of information confidentiality, and identifying the types of security procedures required for each type of category; and then getting more granular, assigning the category types to each type of data.
- Address anticipated or known vulnerabilities. It’s likely that you already have identified potential vulnerabilities and addressed the likelihood they would be exploited by a potential threat source. If they fall into the scope of your assessment, you’ll want to document this beforehand. The HIPAA Security Rule requires you to take into account the probability of potential risks to EPHI, which—taken into consideration along with the results of your assessment—will assist you in identifying “reasonably anticipated” threats that you will be required to address.
Vulnerability assessments should focus on both organizational vulnerabilities such as policies, procedures, processes and people, and technical vulnerabilities such as unpatched hardware and software and misconfigured network devices, he says. “It’s very difficult to do technical vulnerability assessments without some automated tool that is going to scroll through hyour network looking for known vulnerabilities."
- Document, document, document. Even though it has been mentioned already, the importance of proper documentation cannot be stressed enough. HHS will require analysis in writing, and the material you’ve gathered throughout your risk assessment will meet that requirement, along with your documentation of the corrective actions taken to remediate any problems uncovered by the assessment.
Creedon says documentation demonstrates that an organization have performed due diligence in its role as the custodian of PHI; and at the same time it provides documentation in the event of regulatory review or in the event of an actual security breach. “It provides powerful support for an organization in the event of a breach to prove that there wasn’t gross negligence, that there was a genuine attempt at risk assessment and addressing the vulnerabilities that were found from a remediation perspective,” he says. He adds that documenting the entire process includes risk assessment, follow-up remediation activities, and an inventory of the remaining items that have yet to be resolved. The introduction of new technology requires an assessment of how it affects the overall risk profile, and the documentation needs to be updated there as well.
- Be prepared for follow-up after the risk assessment is completed. This is critical, particularly for those attesting to meaningful use; a risk assessment isn’t enough. An organization must be willing to “implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Failure to address identified security gaps and vulnerabilities puts the organization at risk and subject to corrective action.
“You have to update your risk assessment on an ongoing basis, so you take into account what has happened in the last year. How have we introduced new risks, how have we mitigated those risks, to make sure that the HIPAA compliance effort is a living, breathing document, not a once and done,” he says.
- Regularly check on your progress. As a final note, HHS recommends performing risk assessment periodically, particularly after a change in technology or business operations that could adversely affect the security of your PHI or EPHI. Make sure your team is prepared for this ongoing responsibility. Conducting regular risk assessments can potentially stave off vulnerabilities and incidents that could ultimately lead to a data breach, making it a best practice for any organization looking to manage risk.
Creedon advises using the risks you identify in your assessment to drive the recurrence periods. “If I were to manage the process, I would think that areas where there were significant vulnerabilities that were remediated, would be areas that I would want to re-assess maybe twice of year, until I got a level of comfort that would allow me to feel that multiple assessments in a year were not required any more.”