Is there a more challenging position anywhere in information security than that of a healthcare organization’s cyber risk management leader? If there is, I can’t think of what it would be. Whether your title is CISO, CSO, CTO, CIO or some variation thereof, the task is daunting.
As we mentioned in Part 1 of this series, healthcare as an industry has a huge target on its back. Cyber attackers focus on healthcare not only because patient information is valuable, but also because patient lives are at stake. That can make threats such as ransomware attacks more effective. Cyber attacks in other industries – banking, for example – can have devastating financial consequences, but people’s lives aren’t generally at risk, as they are in healthcare.
At the same time, healthcare IT environments are exceedingly complex, which makes managing information security that much more complicated. The healthcare IT ecosystem typically includes dozens – if not hundreds – of applications, including the electronic health record (EHR) system, administrative and operational applications (scheduling, patient tracking, billing, claims, insurance and payer systems and interfaces), clinical applications (patient monitoring systems, radiology information systems, lab results reporting, clinical decision support, patient portals, etc.) and others too numerous to mention.
On top of this, add the countless devices that connect to a healthcare organization’s network, from the desktop computer at the registration desk, to the tablet the physician or nurse uses, to the smart infusion pump at the patient’s bedside, to BYOD devices like the smartphone a patient uses to access lab results through a patient portal.
Enterprise-wide Cyber Risk Assessment
Because of this complexity, no single “shiny object” or new security tool will be sufficient to mitigate all of the critical information security risks in a healthcare environment. As we discussed in Part 2 of this series, the only way to approach cyber risk management in a complex healthcare organization is to begin with a comprehensive, OCR-quality security risk assessment and analysis.
Healthcare organizations must conduct this type of analysis in order to be HIPAA-compliant. But just as important is the fact that healthcare organizations cannot begin to develop a meaningful and effective cyber risk management program without first gathering the information that a comprehensive risk analysis provides.
As mentioned in the previous post, a security risk analysis essentially boils down to three tasks:
- Identifying risk
- Rating risk
- Prioritizing risk
The HIPAA Security Rule, OCR Guidance, and resources developed by NIST provide plenty of details on how to properly conduct a risk assessment and complete these tasks. These resources are freely accessible on the internet. In theory, any healthcare organization could use these resources to conduct and complete an OCR-quality risk analysis without any outside support. However, that’s easier said than done.
Task 1: Identifying Risk
Risk identification begins with creating an information asset inventory that documents each asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI). This includes not just the obvious choices, such as laptops, servers, and enterprise applications, but also less obvious choices, including medical devices, backup media, and nonclinical, internet-connected assets such as building management applications and networks.
As noted in my previous post, creating an asset inventory is only the first step in risk identification. Risk has three components: an asset, a threat and a vulnerability. OCR guidance specifies that healthcare organizations must identify and document threats and vulnerabilities to each asset, in addition to creating an inventory of information assets.
Task 2: Rating Risk
Once you have exhaustively inventoried every aspect of risk – including every asset, and each of the threats and vulnerabilities associated with each asset – the HIPAA Security Rule and subsequent OCR guidance specify that you must also estimate the likelihood (probability) and impact (magnitude of loss) of potential harm from each asset/threat/vulnerability combination. This is the risk rating.
NIST provides guidance for these tasks. NIST SP 800-30, Appendix G, includes several examples of assessment scales related to threat event likelihood. Appendix H, in the same publication, offers examples of scales for measuring impacts.
Task 3: Prioritizing Risk
After all information assets have been identified; after all potential threats and vulnerabilities have been documented; and after the likelihood and impact of each asset/threat/vulnerability combo has been calculated, each asset/threat/vulnerability combination will have an assigned risk rating.
As part of the cyber risk assessment/analysis process, every healthcare organization should establish a risk threshold. Establishing a risk threshold is part of the information security governance process. The risk threshold will be unique to the organization and will take into account the organization’s unique risks and resources. For example, using the 25-point scale, one organization might establish 15 as their threshold, meaning that any risk with a rating of 15 or below falls into the acceptable risk category, and will not be a priority with respect to mitigation.
A comprehensive information security risk analysis, combined with the organization’s established risk threshold, enables a healthcare organization to make informed, strategic decisions about which cyber security risks require urgent mitigation versus those that can be put on the “back burner” until more resources are available.
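To make the rating and threshold rule concrete, here is an added Python example (not code from the original post or from any vendor tool) that scores a small, constructed register of asset/threat/vulnerability combinations on assumed 5-point likelihood and impact scales, which together give the 25-point rating scale, and applies the 15-point threshold from the paragraph above. The asset names, scale labels and ratings are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed 5-point likelihood and impact scales; their product is the
# 25-point rating. Labels are illustrative, not NIST SP 800-30's wording.
LIKELIHOOD = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}
IMPACT = {"negligible": 1, "limited": 2, "serious": 3, "severe": 4, "catastrophic": 5}


@dataclass
class RiskEntry:
    """One asset/threat/vulnerability combination from the risk register."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    @property
    def rating(self) -> int:
        # Risk rating = likelihood x impact, on the 25-point scale.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(register: List[RiskEntry], threshold: int) -> Tuple[List[RiskEntry], List[RiskEntry]]:
    """Split the register into risks above the threshold (to mitigate, highest
    rating first) and risks at or below it, which the organization accepts."""
    to_mitigate = sorted((r for r in register if r.rating > threshold),
                         key=lambda r: r.rating, reverse=True)
    accepted = [r for r in register if r.rating <= threshold]
    return to_mitigate, accepted


# Constructed sample register (hypothetical assets, not a real organization).
SAMPLE_REGISTER = [
    RiskEntry("EHR database server", "ransomware", "unpatched OS", "high", "catastrophic"),
    RiskEntry("Smart infusion pump", "network intrusion", "default credentials", "high", "severe"),
    RiskEntry("Backup tapes", "theft", "unencrypted media", "moderate", "catastrophic"),
    RiskEntry("Building management network", "remote compromise", "no segmentation", "moderate", "serious"),
    RiskEntry("Registration desk PC", "shoulder surfing", "screen visible to lobby", "high", "negligible"),
]

if __name__ == "__main__":
    mitigate, accept = prioritize(SAMPLE_REGISTER, threshold=15)
    for r in mitigate:
        print(f"MITIGATE {r.rating:2d}  {r.asset} / {r.threat} / {r.vulnerability}")
    for r in accept:
        print(f"ACCEPT   {r.rating:2d}  {r.asset} / {r.threat} / {r.vulnerability}")
```

Note that the backup-tape entry scores exactly 15 and lands in the accepted list, matching the post's wording that a rating of 15 or below is acceptable at that threshold.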
The Bottom Line
Conducting a comprehensive risk assessment is necessary both for HIPAA compliance and for establishing the foundation for a healthcare organization’s enterprise cyber risk management system (ECRMS). It is challenging, but not impossible, for a healthcare organization to conduct this analysis using only internal resources and guidance that is available on the internet.
Alternatively, healthcare organizations can use specialized solutions and professional expertise to quickly and efficiently conduct a comprehensive cyber risk analysis, because ultimately, completion of the analysis is only the first step.
The sooner a comprehensive security risk analysis is completed, the sooner a healthcare organization can begin addressing vulnerabilities and mitigating high priority risks.