Financial institutions are worried about our money (and theirs), and invest accordingly in security. Healthcare organizations are concerned about the health and well-being of their patients (and their institutions) – but don’t invest similarly. But the risks to healthcare providers are now just as high and growing daily, and you, as a healthcare executive, must know about and mitigate them. In this post we provide the most important internal security questions to which any healthcare provider should receive positive answers if it hopes to thwart cyber assailants. Consider these facts:
Hacking is now the #1 cause of healthcare security breaches, a spot previously held by lost/stolen devices.
The HIPAA Police are coming – OCR has indicated they plan to conduct about 400 proactive security audits in 2016 – and that doesn’t include the investigation-driven activity they’ve been doing.
That investigative activity has yielded increasingly large fines, adding significantly to the cost of security breaches – and that’s without including potential penalties from failure to meet Meaningful Use / MIPS security requirements.
As an executive, you’ve got to be concerned. The challenge you face is that security is a unique knowledge set, and one that, as a non-IT executive, you aren’t likely to have. So how can you determine if your organization is at significant risk? Here’s my list of the top 11 questions that need answers in order to have enough information about your current security status to enable educated judgements and inform security strategies that will work:
What does your Security Officer really do, and how does he or she fit into the organization? Ideally, the Security Officer is someone outside the IT organization, but with IT knowledge. If your organization isn’t large enough to justify a full time security officer, this will more commonly be someone in IT. In either scenario:
Make sure that the Security Officer has sufficient hours budgeted to work on security. Often, someone in the technical side of the IT department is assigned to security, but has so much other work that security-related work continually takes a back seat.
How “independent” is your Security Officer from IT leadership? Is there a reporting relationship other than the CIO on security matters? There should be. The danger here is of the fox guarding the hen house.
How much authority does the Security Officer have? Does he or she have direct access to senior management in providing reports and recommendations? The answer should be yes.
Consider retaining a third party to assess security from time to time. We’ve done hundreds of these reviews, and often easily spot issues that are missed by internal resources.
Ask your IT leadership to provide a copy of the security management plan, i.e. formal documentation that there is a diligent process to manage security. I can’t teach you how to evaluate a security management plan in an article. You should, however, make sure that there is such a plan, that it’s several dense pages, and is long on specificity and short on fluff. Review it with a critical eye to understand what specific people in the organization must do, and ask for documentation on some of their actual activities.
Ask your IT leadership or Security Officer to provide copies of the two most recent risk analyses. The risk analysis is an essential document that provides an assessment of the security risks your organization faces, and an evaluation of the level of risk each poses. This is the first item your organization will be asked for in any privacy or security breach investigation, and is also included in CMS Meaningful Use / MIPS audits. Generally speaking, if the last risk analysis is over a year old it is not sufficiently up to date to provide a reliable picture of your organization’s security status.
Look to ensure that there has been progress in reducing risk between the two analyses. New and ongoing projects should have been lowering some risks each year, and some risks may have escalated as a result of the changing threat landscape. If successive risk analyses don’t vary significantly, your security staff is probably either not doing the security work needed, or isn’t paying enough attention to doing precise risk analyses. If you’d like to know more about risk analysis, download our paper on risk management.
Ask for an inventory of all the devices that connect to your network, and their encryption status. What items are on this inventory per se isn’t the most important factor here; but these follow up questions are:
How easy was it to get? This inventory should be available (or accessible through generation by the asset management system) at any time.
Do you trust the contents of the inventory? You can spot check its thoroughness and accuracy by picking specific devices in the hospital and locating them on the inventory.
What encrypted devices are included? Every device, including the mobile devices? Hit or miss? You certainly want to see encryption at least on the mobile devices, and no obvious holes. However, it is a big mistake to have only partially implemented encryption; if the organization has an unfinished encryption project, the risks remaining are obvious. Aside from the inherent dangers of unwanted penetration, the OCR levies large fines for acknowledged risks where remediation projects have stalled out.
Ask for a Business Associate Agreement (BAA) for three or four of your vendors. Choose vendors that the organization has worked with for some time. Factors to evaluate:
How easy was it to get these agreements? Is there an accessible archive, or did someone have to look around for them? Do the agreements include a signature date after January 25, 2013, when the Final Security Rule (the “omnibus” HIPAA Rule) was published, or even better September 23, 2013, when the Rule became effective?
How current is the BAA’s content? Requirements for business associate agreements have changed since the early days of HIPAA. For example, language in the section about accounting of disclosures should say that if the Business Associate maintains records in electronic form, it will account for ALL disclosures for at least a 3-year period. The original HIPAA requirement excluded many disclosures but the accounting period lasted 6 years.
Do the BAAs include language requiring the vendors to obtain BAAs for all their subcontractors that are working with PHI? If you are concerned that the vendor may not have complied with this measure, repeat the BAA request with known subcontractors your organization is using, and check for the presence of this requirement in their BAAs.
What is your budget for security? According to a new study conducted by HIMSS Analytics and Symantec, 52 percent of responding hospitals dedicate zero to 3 percent of their IT budget to security, and only 28 percent spend between 3 and 6 percent. (By contrast, a 2015 SANS study reported that few financial services organizations spend less than 6% of their IT budgets on security, and most organizations spend well over 10% and up to 25%.) If your security spend is on the low side of the hospital numbers above, you should determine why. This could be a sign of insufficient security in your hospital overall. Also, determine that there are regular, budgeted expenditures for security, and that there have been over time. You will have to spend money regularly on security to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.
What security training have you (personally) and the hospital’s staff received over the last year? The barest minimum to be compliant with HIPAA would be some kind of annual refresher training, such as an online security education course. Ideally, there should be more frequent communications about security issues, e.g. posters, reminder emails, email notices to essential staff about major recent security breaches, etc. as part of creating a compliant security culture.
What activity logs do particular applications produce? Who reviews them? Certified EHRs offer an appropriate level of logging, and network software and equipment should have significant logs. The most important thing is that the security officer knows what logs are out there. In addition, the answer to the second question above should not be: “We use these logs whenever we suspect an issue.” The right answer describes proactive monitoring — using the logs to find potential issues, not just to investigate suspected ones.
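To make the distinction between reactive and proactive log use concrete, here is an added example (not from the original post, and not any EHR vendor's format) that parses a constructed, hypothetical EHR audit log and surfaces two review-worthy patterns without any prior suspicion: a user opening more distinct patient charts in a day than a configurable threshold, and chart access outside assumed working hours. The log format, user names and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a hypothetical EHR audit log (not a real product's
# format): ISO timestamp, user, action, patient identifier.
SAMPLE_LOG = """\
2016-03-01T08:12:03 user=nurse_a action=VIEW_CHART patient=P1001
2016-03-01T08:15:40 user=nurse_a action=VIEW_CHART patient=P1002
2016-03-01T09:02:11 user=nurse_a action=UPDATE_CHART patient=P1001
2016-03-01T23:41:09 user=billing_b action=VIEW_CHART patient=P2001
2016-03-01T23:41:37 user=billing_b action=VIEW_CHART patient=P2002
2016-03-01T23:42:02 user=billing_b action=VIEW_CHART patient=P2003
2016-03-01T23:42:29 user=billing_b action=VIEW_CHART patient=P2004
2016-03-01T23:43:05 user=billing_b action=VIEW_CHART patient=P2005
2016-03-01T23:43:44 user=billing_b action=VIEW_CHART patient=P2006
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

def parse_log(text):
    """Yield one record per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        yield rec

def find_issues(text, max_patients_per_day=5, work_hours=(7, 19)):
    """Return proactive review candidates: bulk chart access and after-hours access.

    max_patients_per_day and work_hours are assumed tuning values; a real
    program would set them per role and shift pattern.
    """
    per_user_day = defaultdict(set)   # (user, date) -> distinct patients touched
    after_hours = []                  # (user, timestamp) outside work_hours
    for rec in parse_log(text):
        per_user_day[(rec["user"], rec["ts"].date())].add(rec["patient"])
        if not work_hours[0] <= rec["ts"].hour < work_hours[1]:
            after_hours.append((rec["user"], rec["ts"].isoformat()))
    bulk = [(user, str(day), len(patients))
            for (user, day), patients in per_user_day.items()
            if len(patients) > max_patients_per_day]
    return {"bulk_access": sorted(bulk), "after_hours": after_hours}
```

Run daily over the previous day's log, the output is a short list a Security Officer can review rather than a mountain of raw entries; either finding may be perfectly legitimate, which is why it is a review queue and not an alarm.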
What is your approach to making sure that PHI isn’t transmitted by email? Ideally, your email software or appliance looks for PHI and auto-encrypts it. Manual encryption built into the email system, which relies on users identifying the emails that should be encrypted, is far less effective. Mandating that users encrypt before file transmission probably fails more often than not. This is an area where an audit is advisable. Look at the last 100 emails with attachments, and scan for PHI.
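The attachment audit suggested above can be largely automated. This added example (not part of the original post, and not any mail product's feature) scans a constructed, hypothetical export of messages for a few common PHI indicators and reports the messages that carried PHI in an attachment without being encrypted. The indicator patterns, the export shape and the sample messages are assumptions for illustration, not a complete list of HIPAA identifiers.

```python
import re

# Heuristic indicators for common PHI elements; chosen for this example only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|dx)\s*:", re.IGNORECASE),
}

def phi_indicators(text):
    """Return the sorted names of PHI indicators present in text."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))

def audit_messages(messages):
    """Return (message id, indicators) for unencrypted messages whose
    attachments contain PHI indicators. Encrypted messages pass the audit."""
    findings = []
    for msg in messages:
        hits = set()
        for att in msg["attachments"]:
            hits.update(phi_indicators(att["text"]))
        if hits and not msg["encrypted"]:
            findings.append((msg["id"], sorted(hits)))
    return findings

# Constructed sample in a hypothetical export shape (not a real mail system's
# format). Attachment text is assumed to be already extracted to plain text.
SAMPLE_MESSAGES = [
    {"id": "m1", "encrypted": False, "attachments": [
        {"name": "referral.txt",
         "text": "Patient John Doe, MRN: 00482913, DOB: 04/12/1961, Dx: pending"}]},
    {"id": "m2", "encrypted": True, "attachments": [
        {"name": "labs.txt", "text": "SSN 123-45-6789, results attached"}]},
    {"id": "m3", "encrypted": False, "attachments": [
        {"name": "agenda.txt", "text": "Staff meeting Tuesday 10am, room 204"}]},
    {"id": "m4", "encrypted": False, "attachments": [
        {"name": "form.txt", "text": "Guarantor SSN: 987-65-4321"}]},
]
```

A single unencrypted hit in a 100-message sample is enough to show that the manual approach is leaking; the findings list also tells you which indicator types your auto-encryption rules are missing.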
If your organization includes hospital-owned clinics, how are their security needs addressed? It’s all too easy to let attention to outside clinics’ security slip. It’s substantially harder, however, to justify this omission. Clinics need equivalent policies, even if the implementation procedures are different; they are equally at risk from hacking and malware activity, and need the same protections.
When was the last time network penetration testing was done? Were the results addressed? For our outsourcing clients, we do internal and external vulnerability scanning monthly. Any interval less frequent than quarterly is very risky. If the answer is more than a year (or that things haven’t changed enough to justify re-scanning), get penetration testing immediately and set up a regular, frequent schedule that is enforced.
If you’ve worked through the above questions and you feel relieved, you’re fortunate. However, unless you are a very large hospital organization with a heavy continuing investment in security, or have a very diligent and influential Security Officer, you probably won’t feel relieved. Either way, no one in a hospital today should bask in a “been there done that” sense of security. The only thing changing faster than your IT environment is the threat landscape, and we all must keep up with it.
If you’ve reviewed these questions and would like to know more — or if some of the answers you obtain concern you, give us a call. We’ve provided security assessments and developed sustainable security programs for over 100 hospitals, and we’d love to help. You can call me directly at 214-396-5134, or send us an email here. We will respond within 24 hours.