Want to reduce security risks? Assess near misses

By Rick Kam
08:03 AM

Life is full of “near misses”: the rear-end collision that didn’t happen, the chest pain that wasn’t a heart attack, the time your child stumbled but didn’t fall. Healthcare organizations also experience their own near misses; that is, they have hundreds, even thousands, of privacy or security incidents involving PHI/PII that never become data breaches.

But there are lessons to be learned from these near misses — they are a treasure trove of information that most CISOs or privacy officers may not be mining to identify their future security vulnerabilities.

In an article in CIO Insight, “Security strategies must be integrated,” the author notes that one of “security’s primary aims is to prevent negative incidents” since it is “almost impossible for organizations to avoid such events.” He says that without a proper analysis of negative incidents — these near misses — that an organization may “not spend money where it’s most needed to reduce the odds of a major data breach or other security incident.” In other words, to reduce data breach risks, an organization needs to look at the incidents that might have been data breaches.

Consistent incident assessment: secret weapon for reducing risk
Under the Breach Notification Final Rule, covered entities must perform an incident risk assessment for every privacy or security incident involving unsecured PHI based on the new compromise standard. Not only that, the methodology used to do these assessments must be consistent from incident to incident.

“Each incident’s risk assessment will be fact-specific, but the manner in which you analyze the four [compromise] factors must be the same,” says Sophia Collaros, chief privacy officer at the University of New Mexico Health Sciences Center.

This consistent or “operational” process for incident assessments is a powerful tool for reducing breach risk. Using a two-step process, organizations can first identify risks, and second, use that information to allocate resources for managing those risks.

1. Analyze trends and identify root causes. Every incident, breach or not, is put through the incident assessment process, which allows CISOs or privacy officers to view all incidents in a consistent way. They can identify trends — a pattern of behavior, a specific threat actor, or technology weakness — that can be the root cause of data incidents. For example, they could discover how many incidents originated in a hospital in Boise, or a cloud provider in Topeka, or how many were insider-caused, or how many were malicious. This provides a more accurate view of probable risk to their organizations.

“We ‘scrubbed’ last-year’s events that were escalated to discover root causes,” one CISO said in a recent whitepaper co-developed with the CISO Executive Network. “In addition, we are expanding our definition of operational incidents beyond those that involve data to include business or IT. We need to analyze these incidents from an operational perspective for root causes.”

2. Make sound risk management investments. The compliance counsel for a financial holding company said that “a true measure to [compliance] success for us is mitigation and corrective action. We track reoccurring issues in [our] software with customized fields of root causes that identify people, process systems, and root-cause departments — in essence, how an incident happened. We can see patterns of issues, and refresh our training and education in these problem areas.”

We have a lot of evidence that preventative controls alone are not sufficient to mitigate risks and that we must begin to allocate more resources to incident response.  This ability to analyze trends and identify root causes enables CISOs to focus security efforts and investments on high-risk areas or causes. They can accurately communicate these risks and recommendations to the board and other top management in a dollar-and-sense kind of way. It provides immutable, understandable evidence for where to best allocate risk management dollars.

Reduce — not eliminate — risk
Despite our best efforts, car accidents happen, people suffer heart attacks, and our children do fall. The same is true for privacy and security incidents. Most incidents will not, thankfully, turn into data breaches.

Consistent incident assessments can further reduce the likelihood of data breaches, and the costly risks they pose to healthcare organizations and their patients.