Healthcare CIOs, CISOs, and other information risk management leaders face daunting challenges when it comes to deciding where to apply their limited resources to make the biggest difference in their organization’s cyber risk posture. As I mentioned in my previous post, healthcare security leaders can be tempted by shiny new objects – i.e., new security tools – that promise to be the panacea to their most pressing security problems.
Cyber security leaders can also be distracted by Executive Board members and other stakeholders who prioritize the cyber threat of the day. They may respond to cyber attack headlines by button-holing the CISO and asking, “What are we doing about THIS???”
The solution to a scattershot, reactive approach to cyber security is to develop an enterprise cyber risk management system (ECRMS). And the first step in developing an ECRMS, is conducting a HIPAA-compliant risk assessment and analysis.
HIPAA Compliance and Risk Assessment
HIPAA’s Security, Privacy and Breach Notification Rules are designed to ensure the confidentiality, integrity and availability (CIA) of protected health information (PHI). HIPAA’s Security and Privacy Rules apply to any entity that “creates, receives, maintains or transmits protected health information” per 45 C.F.R. § 160.103. This means that whether you are a healthcare provider, a health plan, a healthcare clearinghouse or a business associate of any of this entities, HIPAA applies to you.
The HIPAA Security Rule actually defines three different types of assessments that organizations must conduct in order to be compliant. Those three types of assessments include:
- HIPAA Security Non-Technical Evaluation, a.k.a. Compliance Gap Assessment
- HIPAA Security Technical Evaluation, a.k.a. Technical Testing
- HIPAA Security Risk Assessment/Analysis
The difference between these three types of assessments is a topic for another blog post. What’s important to understand for our purposes is that organizations must conduct all three types of security assessments in order to be HIPAA compliant. One type of assessment (for example, Technical Testing or Compliance Gap Assessment) cannot be substituted for another type of assessment (Risk Assessment/Risk Analysis).
The first step – the foundational step – in developing an enterprise cyber risk management system, is to conduct a security risk assessment and analysis as defined within the HIPAA Security Rule. Two other information sources help to provide a comprehensive and detailed definition of what a HIPAA-compliant risk assessment looks like: first, OCR guidance – including the results of OCR enforcement actions and audits – gives a clear picture of what a comprehensive risk analysis includes. Second, NIST standards around information security provide a model for how to properly conduct a risk assessment – and how to start developing a strategic framework once you have the assessment results.
What an OCR-Quality Risk Analysis Entails
At its most basic level, risk analysis includes three primary tasks:
- Identifying risk
- Rating risk
- Prioritizing risk
Identifying risk starts with identifying and documenting every information asset in your organization. Information assets include all electronic equipment, data systems, programs and applications that are controlled, administered, owned or shared by an organization and which contain, transmit or store ePHI. This includes traditional forms of assets, such as IT systems and applications (e.g., EHR systems, clinical information applications, lab applications, medical billing and claims processing applications, email applications, etc.).
Information assets also include biomedical assets, such as patient monitoring devices, implantable devices, and remote chronic disease management applications. Internet of Things (IoT) assets must also be included in your asset inventory. (Incidentally, a key challenge for hospitals and health systems in conducting a comprehensive information asset inventory has been their capability to identify and document electronic medical devices. New technology from companies such as CyberMDX, CloudPost, Zingbox and others identifies medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device.)
Risk analysis does not stop with a simple inventory of information assets, however. Risk has three components: an asset, a threat, and a vulnerability. Adequately identifying risk means addressing each of these components for each information asset. For example, an information asset might be a tablet computer used by staff or clinicians. One threat to that tablet could be theft. Vulnerabilities that create risk when that table is stolen include a lack of encryption, weak passwords, and a lack of data backup. In other words, each information asset can be compromised by many different types of threats. In turn, those threats become real due to the vulnerabilities associated with them.
A comprehensive, HIPAA-compliant risk assessment requires documentation of a considerable amount of detail. It’s easy to see how healthcare organizations who attempt to conduct an inventory of information assets, with their associated threats and vulnerabilities, are quickly overwhelmed with pages and pages of spreadsheets.
Rating and Prioritizing Risk
And yet there is more.
Because a bona fide, OCR-compliant risk analysis includes not only identifying information assets, threats and vulnerabilities, but also rating risk. This involves estimating the likelihood (probability) and impact (degree of harm or loss) on the organization of each possible asset/threat/vulnerability combination.
Which makes our spreadsheet even more complex:
After all information assets have been inventoried, all asset/threat/vulnerability combinations have been documented, and the likelihood and impact of each potential risk calculated, the result is a “risk rating” for each potential threat.
The beauty of the risk rating is that it allows each healthcare organization to identify, rate and prioritize the particular risks associated with that organization’s unique information asset inventory, threat/vulnerability combinations, and calculated risks.
Each organization is able to establish their own risk threshold. For example, an organization might specify a risk rating of “20” as their threshold. That means that information risk management strategic priorities would center on mitigating risks for those items that rated 20 or higher. In the example above, security leadership would be able to use this information to make a persuasive case for security tools that enabled encryption of ePHI contained on tablet computers, as the “25” risk rating indicates this risk is a high priority for this organization.
The Value of a Comprehensive Risk Analysis
Conducting an OCR-quality, security risk assessment and analysis has value for healthcare organizations beyond assuring compliance with HIPAA guidelines. As the example above illustrates, a comprehensive risk analysis helps security leaders not only identify, but also rate and prioritize enterprise-wide cyber security threats.
The information uncovered by the risk analysis can help security leaders develop relevant and meaningful cyber risk management systems by providing a framework for making decisions. With an accurate and updated security risk assessment in place, security leaders no longer have to make purchasing decisions based on the strength of a vendor’s demo, or in reaction to cyber threat headlines. With a security risk assessment and analysis in place, healthcare security leaders are empowered to make proactive and strategic decisions about the tools and strategies that will mitigate their highest priority risks.
It’s probably also become clear that conducting an OCR-quality, security risk assessment is not a simple undertaking. Fortunately, it is not necessary to “reinvent the wheel” in order to conduct a comprehensive security risk assessment.
In addition to the language of the HIPAA Privacy, Security and Breach Notification Rules, OCR Guidance, and NIST resources, Clearwater Compliance has developed resources, solutions and services that help healthcare organizations quickly conduct an OCR-quality security assessment.
In the third part of this 3-part series, Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment, I will explore some of the resources, solutions and services that can not only help security leaders efficiently conduct a security risk analysis, but also help healthcare security leaders leverage the completed security risk analysis to develop an enterprise cyber risk management system.
Read more in this series: