Part 4 of the Sensato Healthcare Best Practices Series
Anyone in IT or cybersecurity already knows that every system is at risk, so why is risk assessment necessary at all, let alone considered a best practice?
For healthcare organizations, risk assessments are a requirement under Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations.
For every organization, though, the answer is simple: you don’t know what you don’t know.
“Risk assessment helps you find out what you don’t know about your organization’s vulnerabilities so that you can strengthen your defenses and build your incident response planning on a solid foundation of knowledge,” says cybersecurity expert and CEO of Sensato John Gomez.
A healthcare-specific cybersecurity solution protects you from hackers and your own security shortcomings. Learn more about MD-COP.
How, exactly, you choose to conduct your risk assessment is up to interpretation.
According to the Department of Health and Human Services (HHS), HIPAA requires that risk analysis:
· Evaluate the likelihood of potential risks to electronic patient health information (e-PHI)
· Determine the impact of those potential risks
· Implement appropriate security measures to mitigate identified risks
· Document those security measures, along with the rationale for adopting them
· Maintain continuous, reasonable, and appropriate security measures
· Conduct regular reviews of security measures, evaluating their effectiveness
· Regularly review and reevaluate potential risks to e-PHI
Patient Health Data is a Prime Target
As you can see, HIPAA regulations are focused on patient data, with good reason – credit card numbers may net hackers 10 to 15 cents apiece; a medical record is worth anywhere from $30 to $500 – because medical records can be a virtual cornucopia containing a patient’s full name, date of birth, social security number, and insurance, billing, and pharmaceutical information.
It’s only logical that e-PHI would be a prime target for cyberattackers. In 2017, more than 500 patient records affecting over 4.7 million people were breached at 295 healthcare providers. Data breaches in the healthcare sector cost upwards of $6 billion per year, with the average cost of a single data breach topping $4 million, according to IBM and the Ponemon Institute. Additionally, the average HIPAA settlement fine is $1 million.
And e-PHI is more ubiquitous than some people may realize. Aside from the obvious repository of information contained in the actual patient health record, patient information and patient identifiable information also lives on devices like CAT scanners, MRIs, monitoring systems, and a myriad other patient care-related machines.
Read about the known and potential threats to healthcare information and medical device security.
If the loss of patient data – and probable subsequent loss of reputation and patients – isn’t reason enough to understand the absolute necessity of conducting risk assessments, there’s a worst-case scenario that provides the ultimate incentive: a cyberattack that impacts patient health and safety.
“If someone attacks a medical device or something in the critical infrastructure sectors, you’re talking about people’s lives – and you can’t get a life back,” says Gomez.
Risk Assessment: A Good Place to Start
There’s not anything specific in the HIPAA regulations focused on protecting patient safety, but following the basics outlined below is an excellent start:
1. Identify and characterize each system, device, and network
a. What is it used for?
b. Who uses it?
c. What data does it use and/or store?
d. Who interfaces with it internally and externally?
e. How do they interface?
f. How and where does data flow?
g. Who is the *manufacturer?
2. Define common threats
a. Non-malicious insider misuse of information, unauthorized access, use of unencrypted devices
b. Malicious unauthorized access
c. Data loss through poor backup procedures, equipment failure, etc.
d. Disruption of service—including simple administrative outage, system-specific or system-wide failure, alteration or interference with operation of health- or life-critical devices, etc.
3. Assess the impact of common threats
a. High impact—loss of life, e-PHI
b. Medium impact—inconvenient but recoverable
c. Low impact—little to no disruption, no loss of data or impact on patient care
4. Assess your controls, ranking each as satisfactory as-is, satisfactory with recommended modification, partially meets control objective but needs improvement, or not satisfactory/does not meet any control objective
a. Administrative
b. User provisioning
c. User authentication
d. Data protection—digital
e. Data center protection—environmental and physical
5. Calculate the likelihood of breach
a. High—vulnerable to motivated and capable attacker
b. Moderate—your controls are sufficient to thwart attackers
c. Low—your controls can prevent an attack and/or the system or device is not an attractive target
*Every manufacturer and vendor should also undergo a risk assessment. Per FDA regulations, manufacturers are responsible for identifying and mitigating risks associated with their medical devices. That said, every healthcare organization should require certification from manufacturers and should assess network security to determine how best to protect systems and data.
“We already know that around 55 to 60 percent of medical devices at any given healthcare organization will be at end-of-life, meaning that they’re running an operating system that’s no longer supported or can’t be upgraded or patched,” says Gerry Blass, CEO of compliance management solutions provider ComplyAssistant and chair of the New Jersey Healthcare Information and Management Systems Society Privacy, Security, and Compliance Committee. “Risk assessment is key, so you know if you can update or patch vulnerable devices, or segregate them from the rest of your network to minimize risk.”
MD-COP will secure your data, devices, and network from targeted and “side effect” attacks. Act quickly.
