What 500 Security Risk Assessments Reveal About the State of Security in Healthcare

Originally published August 1, 2018 by Carl Kunkleman, SVP and Co-Founder, ClearDATA  at iotevolutionhealth.com

Healthcare technology leaders everywhere cringed when they heard about the data breach at Community Health Systems (CHS) in August 2014 that affected 4.5 million patients and is expected to cost the system an estimated $100 million. The situation hit closer to home than the widely publicized December 2013 Target Corp. incident that compromised 40 million credit and debit cards and the personal information of nearly 70 million customers. While data breaches are indeed crippling to businesses, they are extra hard on healthcare organizations when considering the vast amount of sensitive information consumers trust them with. Penalties can include millions of dollars in fines, loss of patients, credit monitoring, lost productivity, civil and criminal investigations, and damage to institutional and professional reputations.

The key to avoiding an incident like Target’s or CHS’s is to regularly conduct security risk assessments (or SRAs) which are designed to help protect against data breaches or loss of information. By conducting thorough assessments, healthcare providers and business associates can uncover potential weaknesses in their security policies, processes, and systems, and then remedy them before adverse security events can occur. As healthcare organizations race to digitize more and more of the healthcare ecosystem and even introduce new technologies like IoT, machine learning and advanced analytics to yield greater efficiencies and process improvements, SRAs are even more critical to healthcare innovation than ever. 

Each year at ClearDATA, we take stock of several years’ worth of SRAs with our team of security analysts to identify the most commonly occurring gaps. The process inevitably reminds me of that great early ‘70’s anthem, “We Won’t Get Fooled Again.” Too often we see IT departments at hospitals and healthcare technology companies believe they have the correct policies and procedures in place to assure data security compliance…when, come to find out, they actually don’t.

The most common—and dangerous—misconceptions we find every year include healthcare organizations believing their Protected Health Information (PHI) is safe because they have password-protected their computers and handheld devices. White hat penetration testing has proven that passwords are relatively easy to defeat, and we discover time and time again that organizations have not performed reliable PHI checks of where all of their inventory resides. You cannot protect your information if you do not know where it lives, let alone all the different kinds of devices that have access to the data.

SRAs: An Expanding Mandate for Healthcare Innovation
These existential threats to PHI are well-known to regulators, which is why SRAs have been a longtime HIPAA mandate. But now they are also a mandate to participate in the Merit-based Incentive Payment System (MIPS). Specifically, SRAs are one of the core requirements within the Advancing Care Information performance category in MIPs. Moreover, many commercial and private partnership agreements now include security clauses that mandate regular SRAs.

If this isn’t reason enough to conduct one at your own organization, here are a few more vulnerabilities we routinely uncover in the SRA process:

• Poor or no staff HIPAA training (staff doesn’t know what they don’t know).
• Failure to know/follow the 4 factor and 3 exception methodology when there’s a loss of PHI.
• Lack of an Incident Response checklist in the event of a PHI data loss.
• Lack of BAA (business associate agreements) to protect the Covered Entity.
• No regular Patch Management.
• Legacy systems that are beyond end-of-life; we still see Microsoft XP – which hasn’t been supported for years.

If it’s been a while since your last SRA—or maybe you’ve never conducted one you truly felt confident in—why wait until your organization faces a devastating breach before you perform this mandated security exercise? No need to try and do it yourself; in fact, that’s usually one of the biggest drivers of procrastination. Instead, look for a professional that can perform one for you; preferably one who can be a one-stop shop for various managed security services (including for Amazon Web Services, Google Cloud, Microsoft Azure, etc.).

Whether you go DIY or turn to a pro, just get a thorough and professional SRA done. It’s an essential step to protecting your patient data on your path to healthcare innovation.

About the author: Carl Kunkleman, SVP and Co-Founder, ClearDATA, has nearly three decades of consulting experience in pharmaceuticals, diagnostic equipment, medical software and healthcare professional services. Prior to co-founding ClearDATA, Carl launched U.S. Healthcare Compliance, a best-in-class HIPAA security and privacy services company. ClearDATA acquired his company in 2011.

Edited by Ken Briodagh