D'Arcy Gue

What Happens If You Don’t Have an Adequate Security Risk Analysis?

March 27, 2014

HIPAA & Security 5 Minute Read

In my recent posts, I’ve discussed the critical nature of the Security Risk Analysis. The identification and prioritization of risks is the foundation of any information security program. Unfortunately, I often find providers unwilling to spend the time and money to do a proper risk analysis, and the downstream effects on their information security program and the facility can be devastating.

Here are just four of the negative effects of not having a good security risk analysis:

1) You Can’t Get the Attention You Need to Spend Money on the Right Things

I’ve worked with Security Officers and CIOs for years, and they almost always bemoan the fact that they can’t get the funding, resources, and attention they need from the executive team for security-related projects. Projects with more obvious clinical and financial benefit always seem to take priority.

One of the reasons for this is that security priorities are somewhat nebulous. Unlike a new EMR or revenue cycle system, where the need is obvious (doctors and nurses are complaining about the EMR, and the CFO wants more revenue), it’s not always clear to decision makers what the benefits of a security project are, and it’s rare to find a doctor or nurse complaining loudly that their passwords aren’t complex enough.

A good security risk analysis makes getting attention for your security needs much easier. When you’ve got a spreadsheet to lay down in front of the executives, with red-colored cells indicating high-risk areas and a sensible plan for addressing the highest risks, you are in a much better position to argue for resources.

2) You Spend Money on the Wrong Things

Most security officers have been in this position at least once. A good salesman has cornered your CEO at a meeting or taken him to lunch, scared him with tales of fines and breaches, and convinced him that the only solution is the Securomatic-9000 single sign-on system. It will only cost $1.5 million and take 60 days (which ends up being nine months) to provide single sign-on to every system in the organization (which ends up being only 80 percent of systems because of technical limitations).

I’m not putting down single sign-on technology; in some cases it’s exactly the right solution. Many times, however, there are higher-priority risks to be addressed and much more cost-effective solutions for addressing them. The risk analysis is the tool you use to prove this.
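The "spreadsheet with red cells" from the first point and the "prove the priority" argument from the second are the same artifact: a risk register that scores each risk, bands it, and then ranks candidate controls by how much risk they buy down per dollar. The block below is an added illustration written for this post, not the author's or Phoenix's own method or tooling. The 1–5 likelihood × 1–5 impact scale, the High/Medium/Low thresholds, and every risk, control, cost and residual-likelihood figure are constructed assumptions; neither HIPAA nor the Meaningful Use / MIPS rules prescribe a particular scoring scheme.

```python
"""Constructed example: a minimal risk register and control-prioritization
calculation of the kind a security officer would put in front of executives.

Assumptions (not from HIPAA or MU/MIPS): likelihood and impact are scored
1..5, score = likelihood * impact, and scores >= 15 are the "red cells".
All risks, likelihoods, impacts, costs and residual estimates are made up.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    cost_usd: float
    # risk id -> estimated likelihood after the control is in place (assumed)
    residual_likelihood: dict


def score(likelihood: int, impact: int) -> int:
    """Raw risk score on the assumed 5x5 scale; rejects out-of-range inputs."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def band(s: int) -> str:
    """Assumed thresholds: High (red) >= 15, Medium >= 8, else Low."""
    if s >= 15:
        return "High"
    if s >= 8:
        return "Medium"
    return "Low"


def build_register(risks):
    """Score every risk and return rows sorted highest risk first."""
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        rows.append({"id": r.rid, "description": r.description,
                     "likelihood": r.likelihood, "impact": r.impact,
                     "score": s, "band": band(s)})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


def rank_controls(risks, controls):
    """Rank controls by risk-score reduction per $1,000 of cost.

    Reduction for a control is the sum over the risks it touches of
    (current score - score at the assumed residual likelihood).
    """
    by_id = {r.rid: r for r in risks}
    ranked = []
    for c in controls:
        reduction = 0
        for rid, new_l in c.residual_likelihood.items():
            r = by_id[rid]
            reduction += score(r.likelihood, r.impact) - score(new_l, r.impact)
        ranked.append({"control": c.name, "cost_usd": c.cost_usd,
                       "risk_reduction": reduction,
                       "reduction_per_1k_usd": reduction / (c.cost_usd / 1000)})
    ranked.sort(key=lambda row: row["reduction_per_1k_usd"], reverse=True)
    return ranked


# Constructed sample data (illustrative only)
SAMPLE_RISKS = [
    Risk("R1", "Unencrypted laptops and thumb drives with ePHI leave the facility", 4, 5),
    Risk("R2", "Clinicians reuse and share passwords across systems", 3, 3),
    Risk("R3", "Backup media stored on-site only", 2, 4),
]
SAMPLE_CONTROLS = [
    Control("Full-disk encryption on laptops and USB media", 60_000, {"R1": 1}),
    Control("Securomatic-9000 single sign-on", 1_500_000, {"R2": 1}),
    Control("Off-site backup rotation", 20_000, {"R3": 1}),
]

if __name__ == "__main__":
    print("Risk register (highest first):")
    for row in build_register(SAMPLE_RISKS):
        print(f'  {row["id"]:3} {row["band"]:6} {row["score"]:>2}  {row["description"]}')
    print("Controls ranked by risk reduction per $1k:")
    for row in rank_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f'  {row["reduction_per_1k_usd"]:6.3f}  ${row["cost_usd"]:>9,.0f}  {row["control"]}')
```

With the sample data, the unencrypted-media risk is the only red cell, and the $60,000 encryption control removes more risk per dollar than the $1.5 million single sign-on purchase, which is exactly the kind of table that lets a security officer answer the salesman's pitch with numbers rather than opinion.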

3) You Lose Meaningful Use / MIPS Money

Although the HIPAA regulations left some leeway as to how often the risk analysis needs to be done, the Meaningful Use / MIPS rules require that the security risk analysis be performed or updated during every measurement period, that is, annually.

The costs here are not just the loss of the Meaningful Use / MIPS dollars. A recent analysis I did for a client indicated that their costs of not meeting Meaningful Use / MIPS in 2014 were over $7 million, with about 30 percent of that coming from the 2 percent Medicare reimbursement penalty in FY’16. The costs of not meeting Meaningful Use / MIPS in 2015 were almost $6 million, with over half coming from the 3 percent Medicare reimbursement penalty in FY’17.

4) You Can Get Hit with Some Significant Fines

I’ve worked with a number of hospitals going through an audit of their HIPAA security practices as a result of a breach, and invariably one of the first things they are asked to provide is a copy of the security risk analysis in effect at the time of the breach, along with evidence of the steps taken to mitigate the relevant risks. Many of the recently issued fines in breach investigations relate directly to the security risk analysis being either not done or inadequate.

  • Idaho State University recently paid a $400,000 fine as a result of a security breach, in which “OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.”
  • Adult & Pediatric Dermatology, of Concord, MA recently paid a $150,000 fine as a result of a stolen thumb drive, and during the investigation it was revealed that the practice “had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.”
  • Alaska Department of Health and Human Services recently paid a $1.7 million fine, also as a result of a stolen thumb drive, and again, the settlement agreement notes that “… DHHS had not completed a risk analysis….”

A Security Analysis is Inexpensive Medicine

When you look at the potential costs of not having one, the cost of a good, comprehensive security risk analysis, even if you include the cost of a good consultant to guide it, is money well spent. The risk analysis serves as preventative medicine by guiding security efforts before a breach, as diagnostic medicine by providing a list of issues in your security posture, and as therapeutic medicine by directly meeting the requirements of the HIPAA and Meaningful Use / MIPS regulations as well as guiding other remediation activities.

If you feel, like many of our clients, that your organization needs an updated risk analysis effort, contact us. Phoenix consultants have been doing HIPAA security risk analysis for over a decade and can provide you with cost-effective assistance in completing this critical process.