Ransomware and other cyber attacks barraged healthcare industry headlines in 2017. By December 20, the Identity Theft Resource Center (ITRC) had recorded 1,293 U.S. data breaches in 2017; nearly 30% of them hit the healthcare sector. 78% of provider organizations dealt with ransomware, malware or both in just 12 months. Cybercriminals have emphatically targeted healthcare providers because they hold immense amounts of personal data and have lagged behind other industries in moving to systems with stronger security protections. 2018 is expected to be an even worse year for hospital data breaches than 2017, just as last year was worse than 2016. It is imperative that providers once again re-examine their security strategies to stay on top of potential vulnerabilities, starting with an organizational security assessment. Therein lies the rub.
Too often, healthcare providers and business associates have not kept up with regular security assessments. Worse, security incidents are frequently traceable to risks that were identified in earlier assessments but never acted upon. No doubt, the budget needed to strengthen IT security is a cost that many providers must weigh against risk, but today the risks are huge: ransomware can put a hospital out of business for days. A related reminder: regular security risk assessments conducted within an established risk management program are required by HIPAA and by Meaningful Use / MIPS. Fortunately, a security assessment can be done at relatively little cost, though it takes a lot of hard work.
Clearly, doing a security assessment is more important now than ever, but it only helps if your organization responds to the results by applying the necessary remediation through an up-to-date risk management program. Healthcare executives report year after year that security is among their top priorities, but budget and staff constraints often collide with those objectives, resulting in insufficient remedies: too few doors get closed before the horse is stolen. If you have an adequately funded, mature risk management program, as HIPAA requires, your organization will greatly reduce its risk of cyber attacks and identity theft.
A quick refresher on security risk management:
Risk management is a straightforward process. You take the priorities identified in your (hopefully recent!) risk assessment and turn them into a HIPAA-compliant roadmap: a framework for evaluating, prioritizing and implementing measures to secure electronic protected health information (ePHI), scaled to your organization's size and level of risk. The plan must include methodical risk analysis and response planning, reasonably comprehensive protective measures, and a process for monitoring, reporting and controlling risks. It is also likely to include investing in risk management tools, closing out risks and capturing lessons learned.
The good news is that decisions you make in your risk management program should save money and resources in the long run, especially if the protections prevent breaches that could impact thousands or even millions of consumers.
Outline for an effective risk management plan:
- Developing and implementing a risk management plan
Coming out of the risk assessment process, you will have a list of risks, far more than you are able to address at any one time (many larger hospitals identify over a hundred risks), because of cost and other resource constraints. Fortunately, both HIPAA and Meaningful Use / MIPS permit you to prioritize your risks and use that prioritization as a guide to your risk reduction efforts. Risk has two components, both of which must be evaluated:
- Probability (likelihood) of the event happening
- Consequence / impact of the event if it does happen. Consider the following examples of security risks, as identified in a mid-sized urban hospital:
- Authorized users viewing protected data without a business need
- Hackers: denial of service attacks
- Loss or theft of devices or media holding ePHI
- Failure of non-redundant core networking hardware
These ratings, especially the probability of an event, depend largely on your organization's current security environment. They must also be weighed in light of the frequency and severity of the many security compromises the industry has experienced in the last year or more.
- Planning which risks to tackle. Under HIPAA and Meaningful Use / MIPS rules, covered entities have significant flexibility in choosing which security measures to use. The following factors should guide your decisions:
- The size, complexity, finances and capabilities of the organization
- The available technical infrastructure, hardware, and software security capabilities
- The costs of security measures vs. the costs of major security breaches
- The probability and criticality of potential risks to ePHI. Take heed: as noted above, these risks have grown dramatically since the first days of HIPAA and should be addressed accordingly.
- Recognize that for each risk your organization must choose one of at least four responses, and document the choice:
- Watch the risk – ideally with documented criteria for future action.
- Accept the risk – a documented decision to take no action.
- Transfer the risk – examples include purchasing insurance and outsourcing a capability to a vendor.
- Reduce (mitigate) the risk – by implementing countermeasures that address the underlying vulnerabilities.
- Tips to guide your organization in making cost-effective tactical choices:
- Consider the belt-and-suspenders approach to risk. Two simple countermeasures for a vulnerability are often cheaper and easier to implement than one larger one, and the second control still holds if the first fails.
- While your immediate concern is likely to be prevention of cybercrime, don't forget that some elements of security are required by HIPAA outright. You cannot use the risk management process to avoid them: for example, you cannot "accept the risk" of going without a disaster recovery plan or a designated security officer. As a practical matter you should not be without either one anyway, considering the damage that cybercrimes such as ransomware attacks can do.
- Training ranks high among any organization’s most effective strategies for preventing security breaches. Whether deliberately or by accident, employees are frequently the cause of breaches. Make sure your hospital’s staff is alert, aware, and recognizes its responsibility to protect the organization. Regular privacy and security internal training, including news of policy updates is essential.
- Manage your IT business associate agreements. Many breaches of hospital data are caused by business associates that are not sufficiently vigilant. Your BAs should be just as committed to protecting your hospital's PHI as you are. Their products and services must meet your privacy and security requirements and must remain compatible with your EHR system and your other IT partners. Every provider must have documented, regularly updated business associate agreements with every vendor that has access to PHI.
- Once key decision makers have approved your overall plan, it is time to drill down in formulating a project plan. This will enable smooth and timely implementation of the administrative, technical and physical security controls you have identified as high priority actions. Then, implement the plan without delay.
- Document, document, document.
Documentation of your risk assessment and risk management process is required, and it should be readily available to IT and security staff; you will need it to follow through on your plan. It will also be critical to your defense if your organization has the misfortune of a security breach and faces an OCR investigation.
- Monitor and respond to changes in the organization’s technical and physical environment, including information systems and the currency of security technology, and respond to changes with adaptive strategies. Any planned infrastructure changes should include a stringent assessment of new potential security vulnerabilities, and options for mitigating them. HIPAA security standards are clear on this point: security measures “must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.”
- Evaluate the residual impact to the organization if it is victimized by a cyber attack despite your controls, and use that analysis to tighten up your risk management program. Impact can be measured in loss of system functionality, degraded system response time, inability to carry out a business mission, dollar losses, loss of public confidence, legal liability, regulatory fines, or unauthorized disclosure of data.
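The prioritization and treatment steps above lend themselves to a simple risk register. The following Python script is an added example, not code from the original article or from Phoenix: it scores each risk as likelihood times impact, ranks the register, records one of the four treatment decisions with its written rationale, and refuses to "watch" or "accept" a risk whose fix is a safeguard HIPAA requires outright (the disaster recovery plan and security officer named earlier). The 1-to-5 rating scale, the sample ratings, and the fifth sample risk are assumptions made for illustration.

```python
"""Added example: a minimal HIPAA-style risk register with scoring, ranking,
and documented treatment decisions. Not from the original article; the
1..5 rating scale and all sample ratings are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# The four responses the article lists for every risk.
TREATMENTS = ("watch", "accept", "transfer", "reduce")

# Safeguards HIPAA requires regardless of risk ranking (named in the article).
# Assumed: a missing one can never be "watched" or "accepted".
REQUIRED_SAFEGUARDS = frozenset({"disaster recovery plan", "security officer"})


@dataclass
class Risk:
    name: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                           # 1 (negligible) .. 5 (severe), assumed scale
    required_safeguard: Optional[str] = None  # set when the fix is a required safeguard
    treatment: Optional[str] = None
    rationale: str = ""

    def __post_init__(self) -> None:
        for rating in (self.likelihood, self.impact):
            if not 1 <= rating <= 5:
                raise ValueError(f"{self.name}: ratings must be between 1 and 5")
        if self.required_safeguard and self.required_safeguard not in REQUIRED_SAFEGUARDS:
            raise ValueError(f"{self.name}: unknown required safeguard {self.required_safeguard!r}")

    @property
    def score(self) -> int:
        """Risk = probability x consequence, the two components the article names."""
        return self.likelihood * self.impact


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, then name, so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def decide(risk: Risk, treatment: str, rationale: str) -> Risk:
    """Record a treatment decision. Every decision must be documented, and a
    missing required safeguard cannot be accepted or merely watched."""
    if treatment not in TREATMENTS:
        raise ValueError(f"treatment must be one of {TREATMENTS}, got {treatment!r}")
    if not rationale.strip():
        raise ValueError(f"{risk.name}: a documented rationale is required")
    if risk.required_safeguard and treatment in ("watch", "accept"):
        raise ValueError(
            f"{risk.name}: {risk.required_safeguard!r} is required by HIPAA; "
            f"cannot {treatment} this risk"
        )
    risk.treatment = treatment
    risk.rationale = rationale
    return risk


def undecided(risks: List[Risk]) -> List[str]:
    """Names of risks with no recorded decision, in ranked order (the to-do list)."""
    return [r.name for r in rank(risks) if r.treatment is None]


def build_sample_register() -> List[Risk]:
    """Constructed sample register: the four example risks from the article plus
    one missing required safeguard. Ratings are assumptions, not survey data."""
    return [
        Risk("Authorized users viewing protected data without a business need", 4, 3),
        Risk("Denial of service attacks", 3, 4),
        Risk("Loss or theft of devices holding ePHI", 4, 4),
        Risk("Failure of non-redundant core networking hardware", 2, 5),
        Risk("No tested disaster recovery plan", 3, 5,
             required_safeguard="disaster recovery plan"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in rank(register):
        print(f"{r.score:>2}  {r.name}")
    decide(register[2], "reduce", "Full-disk encryption and MDM on all laptops; Q2 budget.")
    decide(register[4], "reduce", "Required safeguard; DR plan drafted and tested by Q3.")
    print("Still undecided:", undecided(register))
```

Running the script prints the ranked register and the risks still awaiting a decision; trying `decide(register[4], "accept", "...")` raises an error, which is the point of the required-safeguard check. In a real program the register would be kept in a file or ticketing system, but the validation rules are the same.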
Many providers can perform a reasonable and appropriate risk analysis using the guidance above, but some cannot because of inadequate expertise or over-stretched IT staff. Either way, providers need to invest in effective security activities to prevent breaches, identity theft and ransomware shutdowns, and to avoid HIPAA and other legal penalties. If needed, an external certified consultant can bring specialized knowledge, industry-standard methodologies, and objective guidance through the risk analysis and the resulting risk management plan. In the end, though, final decisions about risk and risk tolerance must be made by your organization's governing body.
If you would like to discuss how Phoenix’ expert HIPAA security and privacy consultants can guide you in this critical process, let us know.