Part 4 of the Sensato Healthcare Best Practices Series
Anyone in IT or cybersecurity already knows that every system is at risk, so why is risk assessment necessary at all, let alone considered a best practice?
For healthcare organizations, risk assessments are a requirement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. For any organization, though, the answer is simple: you don’t know what you don’t know.
helps you find out what you don’t know about your organization’s vulnerabilities so that you can strengthen your defenses and build your incident response planning on a solid foundation of knowledge,” says cybersecurity expert and CEO of Sensato John Gomez.
How, exactly, you choose to conduct your risk assessment is up to interpretation.
According to the Department of Health and Human Services (HHS), HIPAA requires that risk analysis:
likelihood of potential risks to electronic patient health information (e-PHI)
impact of those potential risks
appropriate security measures to mitigate identified risks
security measures, along with the rationale for adopting them
reasonable, and appropriate security measures
reviews of security measures, evaluating their effectiveness
and reevaluate potential risks to e-PHI
Patient Health Data is a Prime Target
As you can see, HIPAA regulations are focused on patient data, with good reason: credit card numbers may net hackers 10 to 15 cents apiece, while a medical record is worth anywhere from $30 to $500, because medical records can be a virtual cornucopia containing a patient’s full name, date of birth, social security number, and insurance, billing, and pharmaceutical information.
It’s only logical that e-PHI would be a prime target for cyberattackers. In 2017, more than 500 patient records affecting over 4.7 million people were breached at 295 healthcare providers. Data breaches in the healthcare sector cost upwards of $6 billion per year, with the average cost of a single data breach topping $4 million, according to IBM and the Ponemon Institute. Additionally, the average HIPAA settlement fine is $1 million.
And e-PHI is more ubiquitous than some people may realize. Aside from the obvious repository of information contained in the actual patient health record, patient information and patient-identifiable information also lives on devices like CAT scanners, MRIs, monitoring systems, and myriad other patient care-related machines.
If the loss of patient data – and the probable subsequent loss of reputation and patients – isn’t reason enough to understand the absolute necessity of conducting risk assessments, there’s a worst-case scenario that provides the ultimate incentive: a cyberattack that impacts patient health and safety.
“If someone attacks a medical device or something in the critical infrastructure sectors, you’re talking about people’s lives – and you can’t get a life back,” says Gomez.
A Good Place to Start
There’s nothing specific in the HIPAA regulations focused on protecting patient safety, but following the basics outlined below is an excellent start:
1. Identify and characterize each system, device,
a. What is it used for?
b. Who uses it?
c. What data does it use and/or store?
d. Who interfaces with it internally and
e. How do they interface?
f. How and where does data flow?
g. Who is the manufacturer?*
2. Define common threats
a. Non-malicious insider misuse of information, unauthorized access, use of unencrypted devices
b. Malicious unauthorized access
c. Data loss through poor backup procedures, equipment failure, etc.
d. Disruption of service, including simple administrative outage, system-specific or system-wide failure, alteration or interference with operation of health- or life-critical devices, etc.
3. Assess the impact of common threats
a. High impact: loss of life, e-PHI
b. Medium impact: inconvenient but recoverable
c. Low impact: little to no disruption, no loss of data or impact on patient care
4. Assess your controls, ranking each as satisfactory as-is, satisfactory with recommended modification, partially meets control objective but needs improvement, or not satisfactory/does not meet any control objective
b. User provisioning
c. User authentication
d. Data protection: digital
e. Data center protection: environmental and
5. Calculate the likelihood of breach
a. High: vulnerable to motivated and capable
b. Moderate: your controls are sufficient to
c. Low: your controls can prevent an attack and/or the system or device is not an attractive target
*Every manufacturer and vendor should also undergo a risk assessment. Per FDA regulations, manufacturers are responsible for identifying and mitigating risks associated with their medical devices. That said, every healthcare organization should require certification from manufacturers and should assess network security to determine how best to protect systems and data.
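The five steps above can be kept as a small risk register that ranks each system by impact and likelihood and records what to do about it. The following is an added example written for this article; it is not code from Sensato, MD-COP, or any vendor. The scoring rules (impact times likelihood, with likelihood derived from the weakest control rating, patchability, and how attractive the target is), the field names, and the four sample devices are all assumptions for illustration.

```python
"""Added example (not from the article): a minimal risk register that walks a
constructed device inventory through the five assessment steps and ranks the
results. Scoring weights, field names and sample devices are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Step 3 scale from the article."""
    LOW = 1      # little to no disruption, no data loss or patient-care impact
    MEDIUM = 2   # inconvenient but recoverable
    HIGH = 3     # loss of life, e-PHI


class Likelihood(IntEnum):
    """Step 5 scale from the article."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


class ControlRating(IntEnum):
    """Step 4 rating scale from the article."""
    NOT_SATISFACTORY = 0
    PARTIAL = 1                          # partially meets objective, needs improvement
    SATISFACTORY_WITH_MODIFICATION = 2
    SATISFACTORY = 3


@dataclass
class Asset:
    """Step 1: characterization of one system or device (fields are assumptions)."""
    name: str
    purpose: str
    users: list
    stores_ephi: bool
    patient_care_critical: bool
    manufacturer: str
    os_supported: bool          # False means end-of-life: cannot be patched or upgraded
    network_segmented: bool
    controls: dict              # control area -> ControlRating (step 4)
    threats: list               # applicable common threats (step 2)


def impact_of(asset: Asset) -> Impact:
    """Step 3, assumed mapping: anything touching patient care or e-PHI is HIGH;
    a pure service-disruption exposure is MEDIUM; everything else is LOW."""
    if asset.patient_care_critical or asset.stores_ephi:
        return Impact.HIGH
    if "disruption of service" in asset.threats:
        return Impact.MEDIUM
    return Impact.LOW


def likelihood_of(asset: Asset) -> Likelihood:
    """Step 5, assumed mapping: the weakest control sets a base level, an unpatchable
    device reachable from the rest of the network is always HIGH, and an unattractive
    target drops one level (the article's 'not an attractive target' case)."""
    if not asset.os_supported and not asset.network_segmented:
        return Likelihood.HIGH
    weakest = min(asset.controls.values())
    base = {ControlRating.NOT_SATISFACTORY: Likelihood.HIGH,
            ControlRating.PARTIAL: Likelihood.HIGH,
            ControlRating.SATISFACTORY_WITH_MODIFICATION: Likelihood.MODERATE,
            ControlRating.SATISFACTORY: Likelihood.LOW}[weakest]
    if not asset.stores_ephi and base > Likelihood.LOW:
        return Likelihood(base - 1)
    return base


def risk_score(asset: Asset) -> int:
    """Qualitative matrix: impact x likelihood, giving 1..9."""
    return int(impact_of(asset)) * int(likelihood_of(asset))


def remediation(asset: Asset) -> str:
    """Follows the guidance quoted below: patch if you can, otherwise segregate."""
    if asset.os_supported:
        return "supported OS: keep patched and current"
    if asset.network_segmented:
        return "end-of-life OS already segregated: monitor and plan replacement"
    return "end-of-life OS: segregate from the rest of the network now"


def rank_register(assets) -> list:
    """(name, score, impact, likelihood, remediation) rows, highest risk first."""
    rows = [(a.name, risk_score(a), impact_of(a).name, likelihood_of(a).name, remediation(a))
            for a in assets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def end_of_life_share(assets) -> float:
    """Fraction of the inventory on an unsupported OS (compare the 55-60% figure quoted below)."""
    return sum(1 for a in assets if not a.os_supported) / len(assets)


ALL_SATISFACTORY = {k: ControlRating.SATISFACTORY for k in
                    ("user_provisioning", "user_authentication", "data_protection", "data_center")}

# Constructed sample inventory: not real devices, vendors or ratings.
SAMPLE_INVENTORY = [
    Asset("MRI scanner", "imaging", ["radiology"], True, True, "ExampleVendor (constructed)",
          os_supported=False, network_segmented=False,
          controls={"user_provisioning": ControlRating.PARTIAL,
                    "user_authentication": ControlRating.PARTIAL,
                    "data_protection": ControlRating.NOT_SATISFACTORY,
                    "data_center": ControlRating.SATISFACTORY},
          threats=["malicious unauthorized access", "disruption of service"]),
    Asset("Backup server", "e-PHI backups", ["IT"], True, False, "ExampleVendor (constructed)",
          os_supported=True, network_segmented=True,
          controls={**ALL_SATISFACTORY, "data_protection": ControlRating.SATISFACTORY_WITH_MODIFICATION},
          threats=["data loss", "non-malicious insider misuse"]),
    Asset("Patient monitoring system", "bedside telemetry", ["nursing"], True, True,
          "ExampleVendor (constructed)", os_supported=True, network_segmented=True,
          controls=dict(ALL_SATISFACTORY), threats=["disruption of service"]),
    Asset("HVAC controller", "building climate", ["facilities"], False, False,
          "ExampleVendor (constructed)", os_supported=True, network_segmented=True,
          controls=dict(ALL_SATISFACTORY), threats=["disruption of service"]),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_INVENTORY):
        print(row)
    print(f"end-of-life share: {end_of_life_share(SAMPLE_INVENTORY):.0%}")
```

The point of the register is the ordering, not the absolute numbers: the unpatchable, unsegmented imaging device that stores e-PHI lands at the top, and its remediation line is the network segregation the quote below recommends, while a well-controlled building system scores low even though it can still be disrupted.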
“We already know that around 55 to 60 percent of medical devices at any given healthcare organization will be at end-of-life, meaning that they’re running an operating system that’s no longer supported or can’t be upgraded or patched,” says Gerry Blass, CEO of compliance management solutions provider ComplyAssistant and chair of the New Jersey Healthcare Information and Management Systems Society Privacy, Security, and Compliance Committee. “Risk assessment is key, so you know if you can update or patch vulnerable devices, or segregate them from the rest of your network to minimize