Healthcare CIOs, CISOs, and other information risk management leaders face daunting challenges when it comes to deciding where to apply their limited resources to make the biggest difference in their organization’s cyber risk posture. As I mentioned in my
previous post, healthcare security leaders can be tempted by shiny new objects – i.e., new security tools – that promise to be the panacea to their most pressing security problems.
Cyber security leaders can also be distracted by Executive Board members and other stakeholders who prioritize the cyber threat of the day. They may respond to cyber attack headlines by buttonholing the CISO and asking, “What are we doing about THIS???”
The solution to a scattershot, reactive approach to cyber security is to develop an enterprise cyber risk management system (ECRMS). And the first step in developing an ECRMS is conducting a HIPAA-compliant risk assessment and analysis.
HIPAA Compliance and Risk Assessment
HIPAA’s Security, Privacy and Breach Notification Rules are designed to ensure the confidentiality, integrity and availability (CIA) of protected health information (PHI). HIPAA’s Security and Privacy Rules apply to any entity that “creates, receives, maintains or transmits protected health information” per 45 C.F.R. § 160.103. This means that whether you are a healthcare provider, a health plan, a healthcare clearinghouse or a business associate of any of these entities, HIPAA applies to you.
The HIPAA Security Rule actually defines three different types of assessments that organizations must conduct in order to be compliant. Those three types of assessments include:
- HIPAA Security Non-Technical Evaluation, a.k.a. Compliance Gap Assessment
- HIPAA Security Technical Evaluation, a.k.a. Technical Testing
- HIPAA Security Risk Assessment/Analysis
The difference between these three types of assessments is a topic for another blog post. What’s important to understand for our purposes is that organizations must conduct all three types of security assessments in order to be HIPAA compliant. One type of assessment (for example, Technical Testing or Compliance Gap Assessment) cannot be substituted for another type of assessment (Risk Assessment/Risk Analysis).
The first step – the foundational step – in developing an enterprise cyber risk management system is to conduct a security risk assessment and analysis as defined within the HIPAA Security Rule. Two other information sources help to provide a comprehensive and detailed definition of what a HIPAA-compliant risk assessment looks like: first, OCR guidance – including the results of OCR enforcement actions and audits – gives a clear picture of what a comprehensive risk analysis includes. Second, NIST standards around information security provide a model for how to properly conduct a risk assessment – and how to start developing a strategic framework once you have the assessment results.
What an OCR-Quality Risk Analysis Entails
At its most basic level, risk analysis includes three primary tasks:
- Identifying risk
- Rating risk
- Prioritizing risk
Identifying risk starts with identifying and documenting every information asset in your organization. Information assets include
all electronic equipment, data systems, programs and applications that are controlled, administered, owned or shared by an organization and which contain, transmit or store ePHI. This includes traditional forms of assets, such as IT systems and applications (e.g., EHR systems, clinical information applications, lab applications, medical billing and claims processing applications, email applications, etc.).
Information assets also include biomedical assets, such as patient monitoring devices, implantable devices, and remote chronic disease management applications. Internet of Things (IoT) assets must also be included in your asset inventory. (Incidentally, a key challenge for hospitals and health systems in conducting a comprehensive information asset inventory has been their capability to identify and document electronic medical devices. New technology from IoMT / HIoT security companies identifies medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device.)
Risk analysis does not stop with a simple inventory of information assets, however.
Risk has three components: an asset, a threat, and a vulnerability. Adequately identifying risk means addressing each of these components for each information asset. For example, an information asset might be a tablet computer used by staff or clinicians. One threat to that tablet could be theft. Vulnerabilities that create risk when that tablet is stolen include a lack of encryption, weak passwords, and a lack of data backup. In other words, each information asset can be compromised by many different types of threats. In turn, those threats become real due to the vulnerabilities associated with them.
A comprehensive, HIPAA-compliant risk assessment requires documentation of a considerable amount of detail. It’s easy to see how healthcare organizations that attempt to conduct an inventory of information assets, with their associated threats and vulnerabilities, are quickly overwhelmed with pages and pages of spreadsheets.
Rating and Prioritizing Risk
And yet there is more. A bona fide, OCR-compliant risk analysis includes not only identifying information assets, threats and vulnerabilities, but also rating risk. This involves estimating the likelihood (probability) and impact (degree of harm or loss) on the organization of each possible asset/threat/vulnerability combination, which makes our spreadsheet even more complex.
After all information assets have been inventoried, all asset/threat/vulnerability combinations have been documented, and the likelihood and impact of each potential risk calculated, the result is a “risk rating” for each asset/threat/vulnerability combination.
The beauty of the risk rating is that it allows each healthcare organization to identify, rate and prioritize the particular risks associated with that organization’s unique information asset inventory, threat/vulnerability combinations, and calculated risks.
Each organization is able to establish its own risk threshold. For example, an organization might specify a risk rating of “20” as its threshold. That means that information risk management strategic priorities would center on mitigating risks for those items that rated 20 or higher. In the tablet example above, security leadership would be able to use this information to make a persuasive case for security tools that enable encryption of ePHI contained on tablet computers, because a “25” risk rating for the stolen, unencrypted tablet indicates this risk is a high priority for this organization.
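As an added worked example (not from the original post), here is a small Python risk register that builds the asset/threat/vulnerability combinations described above, rates each one as likelihood × impact, and keeps only those at or above the organization’s threshold. It assumes 1-to-5 scales for likelihood and impact, which the post does not state but which make the “20” threshold and “25” rating fit; the register rows are constructed sample data, with the tablet rows following the post’s example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    """One asset/threat/vulnerability combination from the risk register."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale

    def rating(self) -> int:
        """Risk rating = likelihood x impact, so 25 is the maximum."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be integers 1..5")
        return self.likelihood * self.impact


# Constructed sample register; the tablet rows follow the post's example.
SAMPLE_REGISTER = [
    RiskItem("Clinician tablet", "Theft", "No full-disk encryption", 5, 5),
    RiskItem("Clinician tablet", "Theft", "Weak passwords", 5, 4),
    RiskItem("Clinician tablet", "Theft", "No data backup", 5, 2),
    RiskItem("EHR system", "Ransomware", "Unpatched servers", 4, 5),
    RiskItem("Patient monitor", "Network intrusion", "Default credentials", 3, 4),
    RiskItem("Email application", "Phishing", "No multi-factor auth", 4, 3),
]


def rank(register):
    """Return the register sorted highest rating first."""
    return sorted(register, key=lambda r: r.rating(), reverse=True)


def prioritize(register, threshold):
    """Keep only the combinations at or above the organization's threshold."""
    return [r for r in rank(register) if r.rating() >= threshold]


def risk_per_vulnerability(register, threshold):
    """Sum the above-threshold ratings each vulnerability contributes, to show
    which single control (e.g. encryption) removes the most prioritized risk."""
    totals = {}
    for r in prioritize(register, threshold):
        totals[r.vulnerability] = totals.get(r.vulnerability, 0) + r.rating()
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER, 20):
        print(f"{r.rating():>2}  {r.asset} / {r.threat} / {r.vulnerability}")
    print(risk_per_vulnerability(SAMPLE_REGISTER, 20))
```

With the threshold set to 20, only three of the six sample combinations survive, and the encryption gap on the tablet tops the list at 25.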
The Value of a Comprehensive Risk Analysis
Conducting an OCR-quality security risk assessment and analysis has value for healthcare organizations beyond assuring compliance with HIPAA guidelines. As the example above illustrates, a comprehensive risk analysis helps security leaders not only identify, but also rate and prioritize enterprise-wide cyber security threats.
The information uncovered by the risk analysis can help security leaders develop relevant and meaningful cyber risk management systems by providing a framework for making decisions. With an accurate and updated security risk assessment in place, security leaders no longer have to make purchasing decisions based on the strength of a vendor’s demo, or in reaction to cyber threat headlines. With a security risk assessment and analysis in place, healthcare security leaders are empowered to make proactive and strategic decisions about the tools and strategies that will mitigate their highest priority risks.
In the third part of this 3-part series, Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment, I will explore some of the resources, solutions and services that can not only help security leaders efficiently conduct a security risk analysis, but also help healthcare security leaders leverage the completed security risk analysis to develop an enterprise cyber risk management system.
Check out the first blog in this series here: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment–Part 1