At the same time the government is encouraging healthcare providers, doctors and insurance companies to digitize healthcare information, the attack surface around that information is growing dramatically. Data breaches occur routinely, but data security experts warn that waiting until a breach occurs costs vastly more than doing the upfront work to prevent one.
"A security breach is an incredibly expensive problem," said Danny Creedon, managing director at Kroll Advisory Solutions, a company that deals in risk mitigation and response. "There's significant cost surrounding investigation, notification, remediating what occurred and putting into place services like credit monitoring and identity theft service monitoring that have a monthly cost per person and remain in effect for some time.
"Unfortunately," Creedon added, "most healthcare organizations don't take data security seriously until there's a breach. They never seem to have funds available to appropriately support a data security program until they actually have a breach. Then the funds seem endless."
It's more cost-effective to perform a risk assessment and remediate the identified vulnerabilities now than to go through a breach response later. Creedon offered seven low-cost tips for healthcare providers or trading partners to perform a risk self-assessment.
1. Cast a wide net. To get the most comprehensive assessment possible, healthcare organizations will want to ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas such as IT, operations, human resources, compliance and legal, as well as other key supervisors or managers. Once those stakeholders have been identified, the next step is to establish protocols for tasks, timelines and communication among the team to ensure everything runs as smoothly as possible.
2. Fully scope the risk assessment. "During risk assessment, too many people focus on the technical side of things and forget about the organizational concern, which includes policy and procedures. Or, vice versa," said Creedon. Providers need to know the full scope of their compliance obligations. The HIPAA Security Rule requires "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity." However, if organizations are working on attesting to Stage 1 meaningful use, their focus will likely be narrowed to what specifically applies to certified electronic health record (EHR) technology. For Stage 2, they'll need to ensure that they have addressed encryption and/or security of data at rest. Regardless of compliance requirements, make sure the scope of the assessment is clearly defined, and that the teams understand and recognize the focus.