- Without a current and thorough healthcare risk management plan, covered entities of all sizes will have a more difficult time reacting to, and recovering from, a data security incident.
Risk assessments are an essential part of that as well, and building a remediation plan around the assessment results will go a long way in helping organizations create a strong approach to mitigating risk, according to KPMG Partner Michael Ebert.
Risk assessments are so important because they help show organizations where there are potential gaps in data security, Ebert told HealthITSecurity.com. Once you have a root cause analysis, then you can start to build a remediation plan.
“The gaps are nothing more than an illness. They are a symptom of something that’s wrong,” Ebert explained. “It’s nothing different than having a fever. A fever can be viral, it can be bacterial, but you’ve got to do other work to figure out what that cause is.”
Ebert added that KPMG typically sees cases of an organization realizing it doesn’t have good access management, it doesn’t update its systems on a regular enough basis, or that it doesn’t have good incident response.
“The law is very specific. Do an assessment. But it doesn’t say you have to remediate right away,” he maintained. “It says you have to mitigate those risks that you identify and develop a plan to remediate. And that plan can be three to five years out.”
It’s important to make sure that the remediation plan is properly implemented, otherwise a healthcare organization could have a more difficult time down the road should a breach occur and an OCR investigation reveals privacy and security shortcomings. For example, Ebert pointed to Corrective Action Plans that require facilities to redo their risk assessment because it was either incomplete or not completed properly.
“Maybe they haven’t created a proper action plan, they haven’t created a mitigation plan, they haven’t created any monitoring program to monitor how those controls are doing or how secondary controls are put in place,” Ebert explained. “It’s being detective and not preventive, so you’ve got gaps.”
The need for strong medical device security
One key area that has increased in importance as more healthcare organizations become interconnected is medical device security. More covered entities are also implementing internet-connected devices, so they need to ensure that all of those devices are properly secured, according to Ebert.
“It’s tough,” he acknowledged. “We commonly see the Internet of Everything we call it: cell phones, TV sets, blu-ray players, and medical devices. They are all interconnected and you have to understand it’s all about the architecture.”
Ebert added that organizations need to know what a device doing, where is it located, and how they plan to secure that signal on the network. It is also important to know how to create a network security architecture.
“We connect things for simplicity, for the flow of information,” he explained.
For example, maybe a provider uses a device and pulls in respirator pump information, or all of the clinical data from infusion pumps. This is done with the goal of improving the quality of care. However, if that data stream is unsecured, then that facility is potentially contaminating its entire system.
The recently released FDA guidance on medical device security is also a step in the right direction, according to Ebert.
“The first phase was a little broad, but the new guidance is about understanding how you need to create interoperability but also the classification of that data and security of that data.”
It will take time for the healthcare industry to make significant progress in that area, Ebert predicted. Even so, providers and other industry stakeholders are becoming smarter about data security and understand to take it seriously.
For example, more CEOs and board-level executives are becoming more aware of potential risks.
“They’re asking the right questions. They’re asking the important questions,” Ebert explained. “It’s an ability to understand it is another question. You’re going to see more and more boards better understand how they need to get not only an IT professional on board, but also a cybersecurity and risk and compliance professional.”
Another benefit is that more colleges and universities are creating cybersecurity programs, which only benefit the healthcare industry in the long-run.
Learning from past data breaches to prepare for the future
While 2015 was “the year of the data breach” to many industry professionals, Ebert cautioned that the number of healthcare data breaches is only going to increase.
One of the main reasons being that there is a shortfall in healthcare in its ability to address the increasing amount of cybersecurity threats, he said.
“There’s not enough talent out there,” Ebert maintained. “But, academia is responding well, and is adding programs around cybersecurity. Now we need to mature those people and get them experience. Resources are going to be key.”
With the right experience and the right knowledge permeating throughout the industry, it will improve, he said.
“The cybersecurity industry in healthcare needs time to mature,” Ebert stated. “There’s going to be mistakes made and how people are reacting [to incidents], and what level of effort they’re putting into it. It’s going be a long haul, not a quick fix.”
Healthcare has focused largely on patient-centered care, which is great, Ebert said. However, security can no longer be an afterthought.
“It’s got to be built in, that’s why it’s going to take time. We really can’t truly improve it until we build it from within. That’s a mindset change.”
Ebert also reiterated the importance of incident response, adding that it is not a matter of an organization will be hacked, but a matter of when.
“Some of the major breaches last year were handled very well, for how people were notified,” he said. “And then you see how others acted, and they clearly didn’t have a good incident response package.”
A poor incident response plan can easily lead to more conflict for a healthcare organization, such as class-action lawsuits or investigations and fines from a number of governmental agencies.
“That’s disruptive. Meanwhile, need to run the business and improve,” Ebert explained. “It will delay you by years and cost you hundreds of millions of dollars that could be better focused in the organization. You can better focus your time, money, and resources to improving your program.”