At the same time the government is encouraging healthcare providers, doctors and insurance companies to digitize healthcare information, the landscape for attacking that information is expanding dramatically. Data breaches occur routinely, but data security experts warn that waiting until a breach occurs costs vastly more than doing the upfront work to prevent it.
"A security breach is an incredibly expensive problem," said Danny Creedon, managing director at Kroll Advisory Solutions, a company that deals in risk mitigation and response. "There's significant cost surrounding investigation, notification, remediating what occurred and putting into place services like credit monitoring and identity theft monitoring that have a monthly cost per person and remain in effect for some time."
"Unfortunately," he added, "most healthcare organizations don't take data security seriously until there's a breach. They never seem to have funds available to appropriately support a data security program until they actually have a breach. Then the funds seem endless."
It's more cost effective to perform a risk assessment and remediate the identified vulnerabilities now than to go through a breach response later. Creedon offered seven low-cost tips for healthcare providers or trading partners performing a self risk assessment.
1. Cast a wide net. To get the most comprehensive assessment possible, healthcare organizations will want to ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas such as IT, operations, human resources, compliance and legal, as well as other key supervisors or managers. Once those stakeholders have been identified, the next step is to establish protocols for tasks, timelines and communication among the team to ensure everything runs as smoothly as possible.
2. Fully scope the risk assessment. "During risk assessment, too many people focus on the technical side of things and forget about the organizational concern, which includes policy and procedures. Or, vice versa," said Creedon. Providers need to know the full scope of their compliance obligations. The HIPAA Security Rule requires "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity." However, if organizations are working on attesting to Stage 1 meaningful use, their focus will likely be narrowed to that which specifically applies to certified electronic health record (EHR) technology. For Stage 2, they'll need to ensure that they have addressed encryption and/or security of data at rest. Regardless of compliance requirements, make sure the scope of the assessment is clearly defined, and that teams understand and recognize the focus.
3. Take stock of your data. One of the key components of any assessment is determining how protected health information (PHI) and electronic protected health information (EPHI) are received, stored, transmitted, accessed or disclosed. "Once you have fully scoped your assessment, you can begin gathering the relevant data," Creedon said. "A good place to start might be reviewing past or existing projects, performing interviews, reviewing documentation or using your organization's standard data-gathering techniques, if applicable. Be sure to include data that might be stored with a business associate or third party, or on removable media and portable computing devices. As part of the process, you'll want to document the methods you used to gather EPHI or PHI."
4. Address anticipated or known vulnerabilities. Companies usually already know where their potential vulnerabilities lie, and have considered the likelihood that a potential threat source may exploit them. "If they fall into the scope of your assessment, you'll want to document this beforehand," said Creedon. "The HIPAA Security Rule requires you to take into account the probability of potential risks to EPHI, which - taken into consideration along with the results of your assessment - will assist you in identifying 'reasonably anticipated' threats that you will be required to address."
5. Document, document, document. Risk assessment can be a long and tedious process, and documenting all of it is an imperative part. HHS will require the analysis in writing, including the material gathered and the corrective actions taken to remediate problems uncovered by the assessment. Not only do those reports then become a historical record for an organization's administration to refer to in the future, they're also proof that a provider has performed due diligence around its responsibilities for storing confidential data. "It shows you made a sincere attempt to protect data and were acting in good faith," added Creedon.
6. Follow up. Be prepared to follow up after the risk assessment is completed. "This is critical, particularly for those attesting to Meaningful Use," Creedon said. "An organization must be willing to 'implement security updates as necessary and correct identified security deficiencies as part of its risk management process.' Failure to address identified security gaps and vulnerabilities puts the organization at risk and subject to corrective action."
7. Regularly check on your progress. Risk assessment isn't a "one and done" process. It needs to be done periodically, especially after a change in technologies, administration, regulations, or business operations that could adversely affect the security of PHI or EPHI. "Make sure your team is prepared for this ongoing responsibility," suggested Creedon. "Conducting regular risk assessments – even if it's just segments at a time – can potentially stave off vulnerabilities and incidents that could ultimately lead to a data breach, making it a best practice for any organization looking to manage risk."
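As an added illustration, not part of the article or of Kroll's own material, the following Python script ties tips 3 through 7 together in a small risk register: it records how EPHI is received, stored or transmitted (the inventory from tip 3), derives "reasonably anticipated" threats from that inventory (tip 4), produces a written record of scope, methods and findings (tip 5), lists unremediated findings for follow-up (tip 6), and decides when a re-assessment is due after a scheduled interval or a material change (tip 7). The field names, the 1 to 5 likelihood and impact scale, the default scores and the sample inventory are all assumptions of this example, not requirements of the HIPAA Security Rule.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed inventory record: one place where EPHI is received, stored or
# transmitted. Field names are this example's own, not HIPAA terminology.
@dataclass
class DataFlow:
    name: str
    stored: bool = False
    transmitted: bool = False
    encrypted_at_rest: bool = True
    encrypted_in_transit: bool = True
    business_associate: bool = False   # held or handled by a third party
    portable: bool = False             # laptop, USB drive or other removable media
    method: str = "interview"          # how the flow was discovered (tip 3: document it)

@dataclass
class Finding:
    flow: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (expected); constructed scale
    impact: int            # 1 (negligible) .. 5 (severe); constructed scale
    remediated: bool = False
    identified_on: date = field(default_factory=date.today)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def anticipated_findings(flows, today):
    """Tip 4: derive 'reasonably anticipated' threats from the inventory.
    The likelihood/impact values below are illustrative assumptions."""
    out = []
    for f in flows:
        if f.stored and not f.encrypted_at_rest:
            out.append(Finding(f.name, "unencrypted EPHI at rest",
                               likelihood=4 if f.portable else 3, impact=5,
                               identified_on=today))
        if f.transmitted and not f.encrypted_in_transit:
            out.append(Finding(f.name, "EPHI transmitted in the clear", 4, 5,
                               identified_on=today))
        if f.portable:
            out.append(Finding(f.name, "loss or theft of portable device", 3,
                               2 if f.encrypted_at_rest else 5, identified_on=today))
        if f.business_associate:
            out.append(Finding(f.name, "business associate safeguards unverified", 2, 4,
                               identified_on=today))
    return out

def open_findings(findings):
    """Tip 6: unremediated findings, highest score first, for follow-up."""
    return sorted((x for x in findings if not x.remediated), key=lambda x: -x.score)

def reassessment_due(last_assessed, today, changes=(), interval_days=365):
    """Tip 7: reassess on a schedule or after a material change (new system,
    new regulation, change of administration) dated after the last assessment."""
    if today - last_assessed >= timedelta(days=interval_days):
        return True
    return any(c > last_assessed for c in changes)

def assessment_record(scope, flows, findings, assessed_on):
    """Tip 5: the written record, covering scope, methods, findings and status."""
    return {
        "scope": scope,
        "assessed_on": assessed_on.isoformat(),
        "data_gathering_methods": sorted({f.method for f in flows}),
        "inventory": [f.name for f in flows],
        "findings": [{"flow": x.flow, "threat": x.threat, "score": x.score,
                      "remediated": x.remediated} for x in findings],
        "open_count": len(open_findings(findings)),
    }

# Constructed sample inventory for a small provider.
SAMPLE_FLOWS = [
    DataFlow("EHR database", stored=True, encrypted_at_rest=True, method="document review"),
    DataFlow("claims upload to clearinghouse", transmitted=True,
             encrypted_in_transit=False, business_associate=True),
    DataFlow("clinician laptops", stored=True, encrypted_at_rest=False, portable=True),
]

if __name__ == "__main__":
    today = date(2013, 6, 1)   # constructed date
    findings = anticipated_findings(SAMPLE_FLOWS, today)
    for x in open_findings(findings):
        print(f"{x.score:2d}  {x.flow}: {x.threat}")
    print("reassessment due:", reassessment_due(date(2012, 1, 15), today))
```

The register deliberately keeps a finding open until someone marks it remediated, so the follow-up list in tip 6 cannot silently empty itself; and because `reassessment_due` also fires on any dated change event, a new vendor or a regulation update re-opens the cycle rather than waiting for the annual date.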