If Paul Revere were alive today, instead of warning, “The British are coming!” he might proclaim to healthcare organizations, “The auditors are coming! Be prepared!”
Although the HITECH Act audit requirement became effective in 2010, the Office for Civil Rights (OCR) has not conducted audits on the scale that was originally anticipated. That’s about to change. For example, in December 2015, OCR announced that three HIPAA covered entities were slammed with monetary settlements collectively totaling over $5 million.
The vulnerabilities found during these audits are common across many organizations. In a report released by the Office of Inspector General (OIG) in September of 2015, healthcare organizations were found to have commonalities in their lack of preparedness for modern security risks, including:
- Non-compliance: In almost half of the cases with privacy issues, covered entities were non-compliant with one or more privacy standards, including proper use of protected health information (PHI) and timely safeguard implementation.
- Corrective steps are not being implemented correctly: Where corrective action was appropriate, 26 percent of entities did not document these corrections appropriately.
Ironically, many of the very attributes that confer advantages in innovation and open connectivity also place healthcare organizations at increased risk of breach, including ease of access to diverse data locations, being device-agnostic, systems that allow for flexibility and responsiveness, and mobility programs (including BYOD). This is somewhat understandable in the context of current levels of program development, although far from ideal.
According to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, healthcare organizations typically do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.
The necessary steps to prevent and mitigate breaches are often neglected by healthcare organizations because they are inherently complex, requiring security-specific skills.
For example, PwC’s Global State of Information Security Survey 2016 found that although there is a “renewed willingness to invest in security,” security compromises attributed to business associates increased 22 percent in the past year, while only 54 percent of organizations have a dedicated CISO in place to manage security.
A HIMSS survey in 2015 found that 81 percent of healthcare organization respondents believe more innovative and advanced tools are needed to combat security threats.
And according to Dell’s Global Technology Adoption Index, only one in four organizations surveyed actually has a plan in place for all types of security breaches.
This reality is borne out in recent findings from OIG. In a recent audit of three Medicaid managed-care organizations (MCOs) in California, OIG found 74 high-risk vulnerabilities in general systems controls cutting across 14 security control areas. The primary vulnerabilities included lapses in access control, configuration management, and security management.
Although seemingly dire, these vulnerabilities are not uncommon among healthcare organizations.
Given the myriad and growing security risks in healthcare, and the threats posed by each separate type of audit and breach risk described in the OIG report covering the three California MCOs, the best approach is both proactive and preventative. Understanding where your vulnerabilities lie, using self-assessment or a maturity model, is critical to gauging the level of risk you face.
In addition, at least three inherent truths must be confronted to improve security posture, lift one’s organization from the ashes of the recent audit findings, and prepare for the inevitability of imminent future audits:
Your security program is obsolete after the first change to your environment
• Develop a rubric for evaluating changes in the healthcare information ecosystem, whether in technologies, applications, support tools, or processes.
• Ensure that every change uses this rubric.
Regulations and standards are only guidelines, and do not inherently ensure security
• Organizations should provide actual remediation of their specific risks, not just documented compliance.
• Standards are dynamic, and should change with every modification to your environment.
Every organization needs a security incident management plan, which should be periodically tested
• You should know what to do when a security incident occurs in order to minimize disruption to business, minimize repercussions, and minimize data loss.
Any approach should be centered around a Strategic Information Security Program, which views compliance as an element of a security program but understands that compliance, in and of itself, does not include the processes to ensure continuous security. It is a cross-departmental effort that includes:
- An identity and access management strategy that pays close attention to privileged users and governance
- Use of encryption both to meet the regulatory burden and as a tool to control access to data
- A network security strategy that embraces the complexity and inspection requirements of the healthcare environment
- Security awareness training that educates users, administrators and partners
- Security assessments (initial and each time the infrastructure changes or a new IT project is initiated)
- A risk analysis and risk management program that prioritizes risks and implements a plan for mitigating them in order of priority
- An incident response plan that is tested regularly and includes a contingency plan to ensure availability of critical information while a breach is occurring
By treating cybersecurity as a priority and using a combination of the right tools, policies and enforcement, healthcare organizations can better minimize cyber risk and the devastating costs that accompany a data breach, and in the process prepare for the looming cloud of increased audits.
Keith Tyson is a healthcare security consultant with Dell Healthcare and Life Sciences. He has more than 14 years of experience managing medical supplies development and commercialization, oncology program strategy, software innovation and development, and providing thought leadership to the data security community.