It’s no secret by now that how healthcare organizations create their risk management programs and manage their business associates (BAs) can have a big impact on their data breach preparedness. But how are organizations doing in terms of risk management these days? HealthITSecurity.com spoke with intelligence and risk management firm Stroz Friedberg’s Security Science Vice Presidents Dave Dalva and George McBride to learn more about healthcare client trends and current areas of focus.
Dalva said that, from a high level, clients across a variety of industries struggle with implementing a mature information security risk management program while performing their everyday tasks. Some cross-industry clients are proactive and others are reactive, but in healthcare, HIPAA audits are starting to raise awareness within the sector. McBride concurred, adding that acquisitions also make compliance more difficult for providers.
… those audits really changed a lot of the healthcare companies’ perspectives and really said, “Hey, this is real. This is not just a regulation. This is something that I need to be compliant with and need to be proactive in.” [And] in healthcare I tend to see a little bit more on the acquisition side and I know a lot of the healthcare companies really struggle as they acquire companies small or large, fully compliant or having a less mature program, as they bring those companies on board, struggling to quickly get them aligned and compliant.
Both Dalva and McBride agreed that the HIPAA foundation is pretty strong for providers when building their security and risk management programs, but sometimes the problem of sufficiency arises. “A lot of organizations or some organizations tend to think that compliance is sufficient, so once they’ve achieved that level of compliance they can start to focus on other efforts,” McBride said. “But compliance doesn’t always equal security.”
The concept of HIPAA compliance being “good enough” can present major issues for an organization dealing with today’s latest external threats. Dalva said that compliance is only one input to a risk management process, not the process itself.
[Risk management] includes lots of other things, like previewing the risk, understanding business priorities and goals, looking to see how well you’re implementing, how well the operational environment is implementing the goals of the organization. And the ability to adapt to changes to the business and changes to the threat environment, which George alluded to, is all key.
Business associate effects
Another part of any healthcare provider’s risk management program these days should be BA relationships and assessments. McBride said that he had previously seen more of a relaxed, hands-off approach to BA management, but now Stroz Friedberg is starting to see a lot more due diligence from the covered entity looking at the actual business associate agreement (BAA) itself. This includes going on-site, doing assessments, doing audits, and looking for that third-party assessment. “Making that statement that compliance doesn’t always equal security, taking it to the next level and starting to look at your business associates,” McBride said.
Dalva added that he thinks ultimately where things break down on the value chain is less important than the fact that there was a breach.
If your company is somewhere along that value chain, whether you’re a covered entity, or whether you’re a business associate, it doesn’t really matter. If you don’t have the executive buy-in, if security becomes an IT problem, then you have issues, right? But if security is a problem, then you get a lot more proactive approaches to it.
McBride said providers must locate the data within the organization as part of a risk management program, and specifically understand why the data life cycle is important.
You need to know what assets you need to protect, but truly understanding where and what data they have within their organization, be it in the data warehouse or in individual silos, is something that organizations, time after time, miss because they think they’ve got it all, and then there’s another fork in the road where data splits off or there’s some other source that they weren’t aware of.