- Healthcare risk management is an increasingly critical area as cybersecurity threats continue to evolve. Regardless of an organization’s size, it needs to ensure that the right policies, procedures, and tools are in place so staff members can properly protect PHI.
Research is showing that more entities are focusing on cybersecurity, but malicious threats will also continue to become more intricate.
For example, the second annual HIMSS Analytics HIT Security and Risk Management Study found that more organizations are spending their IT budget on cybersecurity. Specifically, 24 percent of surveyed healthcare executives, C-Suite members, business and IT leaders, and clinical leadership said they spent 7 percent to 10 percent of their IT budget on cybersecurity in 2016. Only 10 percent reported doing so in 2015.
IT budgets and staffing issues were listed as the biggest barriers to having stronger healthcare cybersecurity programs, the survey showed.
There is often disagreement between the “business” and IT sides in healthcare. For instance, clinical and business respondents tend to have higher confidence in their organization's cyber attack preparedness than their IT and security counterparts, according to the survey. Furthermore, business leaders more commonly view cybersecurity as a business risk issue, whereas clinical and IT leaders view it as a HIPAA compliance issue.
Even so, healthcare organizations can work toward creating stronger risk management programs by focusing on three main areas.
A trained and educated cybersecurity staff, an updated cybersecurity framework, and a thorough risk assessment process are three key ways for healthcare organizations to create stronger risk management.
Employing the right cybersecurity staff
The increasing amount of cybersecurity threats further underlines the fact that healthcare providers need staff members who have a background in data security and have been properly trained.
Data security training is necessary for combatting ransomware attacks and other cybersecurity incidents, OCR stressed in its July 2017 Cybersecurity Newsletter. This is also a critical aspect of the HIPAA Security Rule, the agency noted.
“The Security Rule specifically requires covered entities and business associates to ‘implement a security awareness and training program for all members of its workforce (including management),’” OCR wrote. “Note the emphasis on all members of the workforce, because all workforce members can either be guardians of the entity’s PHI or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.”
Employee training and education programs need to be ever-evolving, adjusting as necessary to combat the increasingly complex cybersecurity threats. Entities should review their daily operations, the size of the organization, and the types of technologies utilized on a regular basis. From there, it will be easier to determine how often training should take place and when it should be updated.
“Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks including new ransomware variants [should be considered],” OCR said.
Hiring individuals with the necessary cybersecurity background is also important, but recent research has shown that this is not an easy thing for healthcare providers to do.
Both the federal government and the private sector frequently face a cybersecurity talent shortage, according to an April 2017 Government Accountability Office (GAO) report.
“Cybersecurity professionals can help to prevent or mitigate the vulnerabilities that could allow malicious individuals and groups access to federal IT systems,” report authors wrote. “The ability to secure federal systems depends on the knowledge, skills, and abilities of the federal and contractor workforce that uses, implements, secures, and maintains these systems.”
Organizations need to set the strategic direction for IT workforce planning, analyze the workforce to identify skill gaps, and develop strategies and implement activities to address those gaps, GAO advised. Entities must then monitor and report progress in addressing the gaps.
Incentives payment options (i.e. recruitment, relocation, and retention) can also help attract the right talent. Student loan repayments, annual leave enhancements, and scholarships were also suggested to help find cybersecurity workers.
Implementing a cybersecurity framework
Healthcare organizations should also implement a cybersecurity framework to ensure that they can properly monitor networks and devices that connect to those networks.
While not a federal requirement the same way as HIPAA regulations and the HITECH Act, providers can utilize frameworks to help them adopt the right controls to work toward interoperability, perform risk assessments, and ensure medical device security.
Eighty-six percent of healthcare IT leaders said they are using at least one or more security framework, according to the 2017 HIMSS Cybersecurity Survey. The NIST CSF is utilized by 62 percent, while 25 percent cited HITRUST, and 25 percent also said they use ISO.
When an organization has a CISO or other senior information security leader in place, 95 percent of respondents said they use the NIST Cybersecurity Framework with its core functions of identify, protect, detect, respond, and recover.
The NIST CSF was first published in February 2014 – under a presidential executive order direction – and was last updated in January 2017.
The updated version is meant “to refine and enhance the original document and to make it easier to use,” Matt Barrett, NIST’s program manager for the Cybersecurity Framework said in a statement. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
HITRUST’s framework is another common choice for healthcare organizations, and includes federal and state regulations, standards, and frameworks, helping facilities cross-reference existing, globally recognized standards, regulations and business requirements.
The most recent HITRUST CSF version was set to be released in August 2017, and would also address NIST CSF requirements. A single assessment will include controls to address the NIST CSF and there will be a report to display the HITRUST CSF controls through the NIST CSF Core Subcategories lens.
“By incorporating the NIST Cybersecurity Framework into the HITRUST CSF and establishing a certification mechanism as part of the CSF Assurance program, organizations now have a effective and efficient approach for reporting an organization’s cybersecurity posture leveraging the NIST Cybersecurity categorization,” Blue Cross and Blue Shield of Minnesota Vice President and Chief Information Security Officer Jason Newman said in a statement.
Creating a comprehensive risk assessment process
Risk assessments help providers stay HIPAA compliant in their safeguards and also show potential areas where organizations may be putting PHI at risk.
Healthcare entities need to evaluate the likelihood and impact of potential risks to ePHI, implement appropriate security measure to address those risk areas, and document the security measures, according to HHS. The reasons why an organization would adopt those measures must also be documented.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS states on its website.
Organizations can work toward a stronger approach to overall risk management when they have a proper understanding in which areas potential risk lies.
For example, if a hospital starts to allow employees to use personal devices for communications, sensitive information may now be on those devices. The hospital may want to consider a mobile device management (MDM) system that has remote wipe capabilities. That way if a device becomes lost or stolen, sensitive data will not necessarily fall into the wrong hands.
Healthcare organizations can also seek assistance from federal agencies and groups to help them in their risk assessments.
HITRUST created a Threat Catalogue to help entities garner a better understanding of cybersecurity risk management to view potential risk areas and keep data secure.
“In addition to the HIPAA-required risk analysis used for control selection, the Threat Catalogue can also facilitate many other types of risk analysis,” HITRUST explained. “Examples include the supplemental risk analyses used to tailor a control baseline to the unique needs of an individual organization or the more targeted risk analyses used to evaluate alternate or compensating controls as well as formal risk acceptance.”
No organization can guarantee that it will never be breached, but a proper approach to risk management will lessen the likelihood. When staff members also know how to react following a security incident, the damages may not be as devastating.