April 24, 2014
In previous posts, I discussed the security risk analysis process and described the limitations of the OCR security analysis tool in documenting actual threats to electronic Protected Health Information (ePHI). When I talk to hospitals, most understand the value of a risk analysis, but they don’t have a good sense for what threats they should be including. What I generally recommend (aside from hiring a good consultant) is that they start with some known realities.
Many facilities are very quiet about security and privacy breaches, as they don’t want the bad publicity that comes from a breach. Nevertheless, the risk analysis is the perfect time to talk about the breaches that have already happened to your organization since the breaches came about as a result of specific threats that are already known. Even if you’ve closed the security gap that caused the breach, it is still important to document the existence of the threat and the counter-measures you’ve implemented. Aside from the organizational value of having a complete list of threats addressed and documenting your action, you would not want an additional breach to happen and the underlying threat not be included in your risk analysis – that in itself would be a compliance issue.
The same line of thinking about known breaches can be extended to known issues that affect the availability and integrity of medical records. Is your facility located in an earthquake zone, tornado zone, or flood zone? If so, those are definite threats to the availability of your ePHI. One former client had signs of obvious water damage in the server room. When I asked, it turned out that the room had flooded three times in the past two years. After three times, it’s not a risk anymore – it’s a certainty that simply must be addressed.
HHS provides a goldmine of threat data on its website that can be very helpful in formulating a list of common threats. The HITECH Act requires HHS to post a list of breaches of unsecured protected health information affecting 500 or more individuals.
A recent analysis of the data from 981 breaches from the database shows that half of them were the result of theft. Laptops accounted for a large portion of the thefts, with 209 of the breaches stemming from unencrypted laptops that were lost or stolen.
HHS recently published two large penalties for organizations with breaches of patient data when laptops were stolen. Concentra Health Services, a national occupational health network, paid OCR $1,725,220 as part of a settlement of a breach that occurred when an unencrypted laptop was stolen. Concentra, incidentally, had already recognized the danger, and 434 out of their 597 laptops had been encrypted as part of a prior project. QCA Health Plan was also fined $250,000 as a result of an investigation of an unencrypted laptop theft, this one involving 148 patients.
Laptops aren’t the only portable device to show up in loss and theft statistics: 108 of the 981 breaches listed by HHS involved “Other Portable Electronic Devices,” a category which includes backup media, hard drives, and medical equipment like ultrasound machines, as well as tablets and smartphones.
By way of contrast, hacking was involved in 68 of the incidents, and improper disposal in only 41.
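One way to turn the HHS breach list into candidate entries for a threat list is to tally the reported breach types and locations, including rows that list several of each. The script below is an added illustration, not code from this post or from Phoenix; the column names are an assumption about the shape of the HHS export, and the rows are constructed, not real reported breaches.

```python
import csv
from collections import Counter

# Constructed sample rows in the shape of the HHS breach-portal export.
# Column names are an assumption about that export; the entities are made up.
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Hospital A,TX,1200,01/15/2014,Theft,Laptop
Example Clinic B,CA,800,02/03/2014,Loss,Other Portable Electronic Device
Example Plan C,NY,5000,02/20/2014,"Theft, Unauthorized Access/Disclosure","Laptop, Email"
Example Hospital D,FL,650,03/01/2014,Hacking/IT Incident,Network Server
Example Hospital E,OH,900,03/11/2014,Improper Disposal,Paper/Films
Example Group F,WA,700,03/30/2014,Theft,Laptop
"""

# Locations the post singles out as portable media that deserve attention.
PORTABLE = {"Laptop", "Other Portable Electronic Device"}

def split_multi(field):
    """A single HHS row can list several types or locations, comma-separated."""
    return [part.strip() for part in field.split(",") if part.strip()]

def tally(csv_text):
    """Count breach types, locations and (type, location) pairs across rows."""
    types, locations, pairs = Counter(), Counter(), Counter()
    rows = portable_rows = 0
    for row in csv.DictReader(csv_text.splitlines()):
        rows += 1
        row_types = split_multi(row["Type of Breach"])
        row_locs = split_multi(row["Location of Breached Information"])
        types.update(row_types)
        locations.update(row_locs)
        pairs.update((t, loc) for t in row_types for loc in row_locs)
        if PORTABLE & set(row_locs):  # any portable medium in this breach
            portable_rows += 1
    return {"rows": rows, "types": types, "locations": locations,
            "pairs": pairs, "portable_rows": portable_rows}

def threat_list(csv_text, min_incidents=1):
    """Turn the tallies into candidate threat entries, most frequent first."""
    t = tally(csv_text)
    entries = []
    for (btype, loc), n in t["pairs"].most_common():
        if n >= min_incidents:
            entries.append({"threat": f"{btype} involving {loc}", "incidents": n,
                            "share_of_breaches": round(n / t["rows"], 2)})
    return entries

if __name__ == "__main__":
    for e in threat_list(SAMPLE_CSV):
        print(f"{e['incidents']:>3}  {e['share_of_breaches']:>5}  {e['threat']}")
```

The `portable_rows` figure gives the share of breaches touching laptops or other portable devices, the number the post says deserves particular attention.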
As I wrote in a recent interview, issues caused or helped along by the actions of members of the workforce are always a problem to be dealt with. Three examples I cited involve a laptop left on the subway, a laptop stolen through a door that was left open, and protected health information that was attached to an email. Other examples I’ve seen in my work with hospitals across the country include:
Of note, all five examples were of behavior that almost certainly wasn’t allowed by policy. The breaches occurred because employees didn’t follow rules. Non-compliance with instituted policies is a definite threat that needs to be included in your lists of threats and considered when evaluating the effectiveness of the countermeasures at reducing risk.
Assembling a complete list of threats as the starting point of a risk analysis can be a daunting task. Your own organizational history and data from the HHS “wall of shame” provide good starting points. You should also pay particular attention to the risks surrounding laptops, computer media, and other portable devices, and also address human factors.
If you need additional guidance in assembling your threat list, Phoenix consultants have been assisting our clients with the risk analysis process for over a decade. Contact us to discuss your needs.