With cybersecurity threats becoming more sophisticated each day, healthcare organizations must implement necessary policies and procedures to keep sensitive data secure. A current and comprehensive healthcare risk management plan is a key component for maintaining data security.
Healthcare risk management involves entities ensuring all of their activities, processes, and policies are working to reduce liability exposure. Conducting risk management activities will help organizations keep patients safe and also ensure financial stability.
Healthcare organizations are becoming more aware of the importance of managing their risk and how risk assessments, or the lack thereof, could potentially impact their business as a whole.
The 2017 HIMSS Analytics HIT Security and Risk Management Study found that 71 percent of healthcare clinical leaders believe that risk assessments were the key driver for decisions on where to invest in IT security.
The HIMSS study also showed that the percentage of healthcare executives who spend 7 percent to 10 percent of their IT budget on cybersecurity increased from 10 percent to 24 percent from 2015 to 2016.
This is a positive change from an earlier 2017 KLAS Research and College of Healthcare Information Management Executives (CHIME) study. That research found that 41 percent of CISOs, CIOs, CTOs, and other security professionals have dedicated less than 3 percent of their IT budgets to security. Eighteen percent of respondents said they have more than 7 percent of their IT budget focused on security.
More organizations seem to be taking note of the importance of investing into cybersecurity, and how such investments can help entities prevent, detect, and mitigate potential threats.
Making the necessary investment into security is just one small aspect of a thorough approach to healthcare risk management. Organizations will also need C-suite support, a proper risk assessment, and an applicable cybersecurity framework to support ongoing improvements.
A risk assessment as part of the risk management plan
Conducting a risk analysis is part of the administrative safeguard requirement under HIPAA regulations. HHS requires that covered entities evaluate the likelihood and impact of potential risks to e-PHI, implement appropriate security measures to address those risk areas, and document the security measures.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS states on its website.
The risk analysis should review areas in which there is potential risk to the organization, such as PHI exposure. For example, covered entities should consider where all PHI is created, received, maintained or transmitted.
Additionally, the analysis should be updated as new technologies are introduced. New tools (e.g., connected medical devices, cloud storage) could change where ePHI is stored.
“Risk assessments, whether the synonymous risk analysis or often mistaken controls gap assessment, are integral components of the risk management lifecycle,” HITRUST VP for Standards and Analytics Bryan Cline explained to HealthITSecurity.com. “Risk management cannot be done effectively without either.”
A controls gap assessment provides organizations with an approach to managing information security risk through the design, implementation, monitoring/assessment, review and improvement of security controls, according to HITRUST.
HITRUST VP of Assurance Strategy and Community Development Michael Parisi told HealthITSecurity.com that organizations need to consider risks that are actually applicable to their operations. It is not beneficial simply to assume that a particular risk exists.
For example, a small healthcare provider may not allow its two physicians to use personal devices for work (BYOD). In that case, there would be no ePHI stored on the physicians’ personal devices because they do not use them for work purposes. Many organizations are concerned about mobile device security and may list it as a top risk, even where, as in this example, it does not actually apply to them.
“There's this concept of inherent risk and residual risk,” Parisi stated, adding that entities must take care in reviewing what could actually bring harm to their organization. “A risk assessment really needs to include both components of that. Inherent risk could be not only security, privacy, and compliance related but it could be environmentally related as well, such as with business continuity planning and disaster recovery.”
Organizations also need to consider future strategy components, Parisi added. Entities must remember that risk management – and the associated risk assessment – should be ever-evolving. Events farther down the road, whether an acquisition or the addition of new technology, will change the associated potential risk.
Ensuring C-suite support for stronger risk management
Without strong C-suite support, it will be very difficult to craft the right risk management plan, make necessary investments, and ensure overall data security.
Research has shown that there can be disagreements between the “business” and IT sides in healthcare. In the HIMSS Analytics HIT Security and Risk Management Study, clinical and business respondents had higher confidence in their organization's cyber attack preparedness than their IT and security counterparts. Business leaders also were more likely to see cybersecurity as a business risk issue, whereas clinical and IT leaders said it was a HIPAA compliance issue.
Chief Information Security Officers (CISOs) may be able to bridge this gap as their roles evolve, says Symantec Health IT Officer David Finn, CISA, CISM, CRISC.
“The next evolution [in healthcare] will be adopting this as a business risk model and getting security people who understand not only the technical security but the business needs and requirements,” he said.
Finn added that CISOs should be able to talk about business risk with their Chief Financial Officers (CFOs). CFOs are going to understand the financial impact if an organization can’t see patients for half a day because of an outage from ransomware.
“If you don't have a good, skilled CISO who has high emotional intelligence, can tell a story, and has high personal integrity, it will be difficult,” agreed Tufts CISO Taylor Lehmann. “People sometimes struggle describing or involving the need for cybersecurity risk management. And what ends up happening is it doesn’t get the attention it needs.”
However, finding the right cybersecurity leader is not an easy task. Eighty-four percent of healthcare organizations do not have a cybersecurity leader, according to results from a Q4 2017 Black Book survey.
Out of the 323 strategic decision makers at US healthcare organizations who were surveyed, over half of all payers and providers said they do not conduct regular risk assessments.
Nearly all respondents – 92 percent – added that potential data breach threats and cybersecurity itself are still not key focus areas for their boards of directors.
"The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful," Black Book Managing Partner Doug Brown said in a statement. “Cybersecurity has to be a top-down strategic initiative as it's far too difficult for IT security teams to achieve their goals without the board leading the charge."
Healthcare organizations need to find strong cybersecurity leadership and then ensure that data security is part of the training process for employees at all levels.
Choosing the right cybersecurity framework for better risk management
Cybersecurity frameworks are quickly becoming a necessity for healthcare organizations looking to instill a strong data security approach. These frameworks can also help entities better understand how to approach risk management.
More healthcare organizations are utilizing cybersecurity frameworks. The previously mentioned HIMSS Analytics study found that 61 percent of respondents use the NIST Cybersecurity Framework (CSF), 36 percent utilize HITRUST, and 36 percent said that they use the Information Technology Infrastructure Library (ITIL).
Each framework is slightly different, and organizations should opt for one which is applicable to their operations.
Tufts uses HITRUST, Lehmann said. No framework is perfect, and HITRUST itself is not perfect, he noted. But HITRUST has gone deeper in some of its explanations, which can benefit healthcare organizations by giving them a better understanding of how the security standards apply to them.
“HITRUST has actually gone down and said, ‘Well, this is what secure wireless means,’” he explained. “Some of them have a great framework with great controls and they tell you what to do, or at least they tell you what the minimums are. Some are light on the detail. Others are heavy on the detail and they have other trade-offs.”
Implementing a cybersecurity framework also takes significant work and money.
“For an organization with maybe 10 or 15 people or a small physician practice, going down the HITRUST path would be extremely wasteful,” Lehmann said. “It would require huge amounts of work for little value. You have to think about all of that when you pick a framework and you try to figure out what’s best for the organization.”
Both HITRUST and NIST CSF controls can be adjusted depending on the size, complexity and type of organization. The NIST CSF was first published in February 2014 under a presidential executive order, and was last updated in December 2017.
Chris Reffkin, senior manager and leader of information security services in the Crowe Horwath LLP Technology Risk Consulting group, says that healthcare organizations should pick a cybersecurity framework that will help them in the long run.
“It’s important to stay the course and not get too excited about different things popping in or start becoming threat-focused instead of risk-focused,” Reffkin said, explaining that there should be a larger umbrella that encompasses the entire approach to risk.
For example, some organizations will write all of their policies related to HIPAA and treat that as their information security program. However, entities eventually realize that the information security and privacy program should be the overall umbrella.
“HIPAA should be one of those little arms coming off the umbrella,” Reffkin said. “And PCI should be one of those little arms coming off. Meaningful use should be one of those little arms coming off. It shouldn’t encompass everything being done.”
Cybersecurity frameworks are beneficial because they give guardrails to follow so organizations are not going too far off their main mission of keeping patients safe, protecting information, and protecting the organization, he added.
“They’re really useful in giving you that middle line to follow and in understanding how to incorporate other requirements as they pop up,” Reffkin said.
Reminders for risk management planning
Healthcare risk management must be an ever-evolving process. Covered entities and business associates cannot assume that their risk will remain the same over time. Cyberattacks will continue to become more sophisticated, and healthcare organizations must ensure that their data security approach will grow as well.
Here are key things to keep in mind when crafting a healthcare risk management plan:
- Do reinforce cybersecurity as an important topic at all levels: everyone from the C-suite down to regular employees should be properly trained and educated.
- Do conduct regular risk assessments and risk analyses, and adhere to HIPAA requirements.
- Do proper research before implementing a cybersecurity framework: pick one that is applicable to the organization.
- Do not ignore accountability: it must be clear how security is supported at all levels.
- Do not underestimate the benefits of information sharing and collaboration.
Organizations must ensure that they are supporting security from the top down. From there, it will be much easier to create comprehensive risk management.