Tag Archives: Symantec

Security Risk Assessments Gaining Traction in Health Care

Author: John Moore, iHealthBeat Contributing Reporter

Security risk assessments are gaining a higher profile in the health care field as providers look to prevent data breaches, prepare for government audits and qualify for meaningful use incentive dollars.

A security risk assessment takes stock of an organization’s data protection policies and procedures, with an eye toward identifying weakness and establishing an improvement regimen. This aspect of IT security, although not entirely unknown in health care, has been more prevalent in other regulated industries such as financial services. However, a number of factors are driving interest in risk assessments among hospitals, medical practices and other covered entities under HIPAA.

Consider the following:

  • Rising data losses — Breaches of protected health information nearly doubled between 2010 and 2011, according to Redspin’s 2011 PHI Breach Analysis;
  • Government oversight — HHS’ Office for Civil Rights last year kicked off a pilot program in which it will conduct 150 audits to assess health care facilities’ privacy and security compliance; and
  • Meaningful use qualification — Hospitals and eligible professionals must “conduct or review a security risk analysis” to qualify for Medicare and Medicaid incentive payments under Stage 1 of the meaningful use program.

“I think there is a lot more risk analysis and risk assessment activity today than there ever was before,” said Mac McMillan, CEO of CynergisTek, a company that provides security services to health care organizations. “But we are still not where we need to be. A lot of the other regulated industries are much more mature,” he said.

Spotty Assessments

McMillan said many health care organizations have yet to embrace risk assessment in an organized and consistent fashion. Part of the problem, he said, is a lack of standards in how such assessments should be conducted. In 2005, HIPAA’s Security Rule issued the health care industry’s first risk assessment requirement, McMillan said. But the rule left a lot to interpretation.

The rule “didn’t provide a lot of guidance around what a risk assessment … should be,” McMillan said.

“One of the things that the health care market has been looking for has been additional guidance as to what these assessments should look like,” said Daniel Berger, president and CEO of Redspin. “The HIPAA Security Rule does talk about lots of different things, but when it comes to the requirements to conduct a security risk assessment and remediate vulnerabilities, it is actually pretty light on specifics.”

As a consequence, risk assessments run the gamut from thorough, enterprise-wide initiatives to limited, single-system checkups. Some facilities have yet to complete an assessment of any kind.

“We still have folks that come to us and say, ‘We have to do a risk assessment for meaningful use,’ and we’ll ask them, ‘When did you do your last one?’ and they’ll say, ‘We’ve never done one,’” McMillan noted.

A Comprehensive Approach

Security consultants recommend a comprehensive approach to risk assessment as the best way to protect PHI. Berger noted, however, that some providers are tempted to narrowly interpret the meaningful use risk assessment directive as focusing strictly on electronic health record systems. He said that’s too limited a scope to achieve the requirement’s security aims.

“If you just concentrate a security risk assessment on [an] EHR [system], you are not going to necessarily include tangential systems — workstations or servers that also have the ability to access the information the EHR provides,” Berger explained.

Accordingly, determining scope is one of the critical elements of a risk assessment, which, depending on the methodology used, may include the following steps:

  • Scope definition;
  • Review of provider’s security policies and procedures;
  • Interviews with key provider officials;
  • Technical review, including the scanning and testing of internal systems;
  • Identification of vulnerabilities and assessment of their potential impact; and
  • Development of remediation strategies.

As for setting the scope, the main considerations boil down to the provider’s goals and the size of its environment. Scope also determines an assessment’s price tag, which can run from $30,000 to $60,000 for a thorough review. Assessments for smaller practices cost considerably less.

Areas to consider include:

  • Whether the risk assessment is intended to provide a general review of data security or focus on a particular compliance requirement;
  • The boundary for the assessment; and
  • Whether it covers several systems, a portion of a hospital or multiple facilities.

After the scope is defined, an assessment then moves into policy and procedure reviews. If a hospital opts to bring in an outside consultant to run the assessment, it can expect an onsite visit at this point. Berger said his company typically sends out two engineers for two to four days, depending on the size of the engagement.

This policy review stage may involve interviews with a provider’s key players — IT, human resources and finance officers, for example. A technical review, meanwhile, assesses system and network vulnerabilities. The two reviews may dovetail: a risk assessment often involves testing systems to determine whether an organization’s stated policies are being followed in actual practice. For instance, a password analysis for a given system will reveal whether employees use weak passwords such as “guest” or observe the health organization’s password strength guidelines, Berger explained.
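The password check Berger mentions, as an added example (my code, not the article's, Redspin's or CynergisTek's): an assessor normally gets a hash export rather than plaintext, so the check is a dictionary attack against the hashes followed by a policy test on whatever is recovered. The policy thresholds, the weak-word list, the account table and the unsalted SHA-256 hash format are all constructed assumptions for the example; a real engagement substitutes the system's own hash format (NTLM, bcrypt and so on), a real wordlist and a real cracker. The point the script makes is that "not cracked" and "compliant" are different findings, and that a password can satisfy the letter of a policy and still be in every attacker's wordlist.

```python
"""Audit whether accounts actually follow a stated password policy.

Added example, not code from the article or the vendors it quotes. The hash
format (unsalted SHA-256) and the account table below are constructed
stand-ins for a real export.
"""
import hashlib
import string

# Constructed policy: at least 8 characters, three of four character classes.
# Replace with the organization's own written standard.
MIN_LENGTH = 8
MIN_CLASSES = 3
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed weak-word list; a real audit uses a far larger dictionary.
WEAK_WORDS = ["guest", "password", "welcome", "letmein",
              "hospital", "summer2012"]


def meets_policy(password):
    """True if the password satisfies the written policy (length + classes)."""
    if len(password) < MIN_LENGTH:
        return False
    present = sum(any(ch in cls for ch in password) for cls in CLASSES)
    return present >= MIN_CLASSES


def hash_password(password):
    """Constructed stand-in for the target system's own hash function."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word):
    """Cheap rules users apply to satisfy a complexity checker."""
    cap = word.capitalize()
    return (word, cap, word + "1", word + "!", cap + "1", cap + "!")


def crack(hash_export, wordlist):
    """Return {account: recovered_password} for hashes found in the dictionary."""
    candidates = {}
    for word in wordlist:
        for variant in mangle(word):
            candidates[hash_password(variant)] = variant
    return {acct: candidates[h] for acct, h in hash_export.items()
            if h in candidates}


def audit(hash_export, wordlist):
    """Classify every account.

    VIOLATION   recovered password breaks the written policy
    CRACKED     recovered password meets the policy but is dictionary-guessable
    NOT CRACKED nothing recovered; this is *unknown*, not "compliant"
    """
    recovered = crack(hash_export, wordlist)
    report = {}
    for acct in hash_export:
        if acct not in recovered:
            report[acct] = ("NOT CRACKED", None)
            continue
        pw = recovered[acct]
        report[acct] = ("CRACKED" if meets_policy(pw) else "VIOLATION", pw)
    return report


def make_sample_export():
    """Constructed account table standing in for a real hash export."""
    plaintexts = {
        "nurse01": "guest",           # fails the policy outright
        "dr.smith": "Password1",      # passes the policy, trivially guessable
        "admin": "Summer2012!",       # passes the policy, trivially guessable
        "billing": "Welcome1",        # passes the policy, trivially guessable
        "it.ops": "x7#Qp!vL2mR",      # not in the dictionary
    }
    return {acct: hash_password(pw) for acct, pw in plaintexts.items()}


SAMPLE_EXPORT = make_sample_export()

if __name__ == "__main__":
    for acct, (status, pw) in audit(SAMPLE_EXPORT, WEAK_WORDS).items():
        print(f"{acct:10s} {status:12s} {pw or ''}")
```

Three of the five constructed accounts pass the written policy yet fall to a six-word dictionary with trivial mangling, which is the gap between stated policy and practice the assessment is meant to surface; the uncracked account is reported as unknown rather than as a pass.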

A report documenting the risk assessment’s findings will follow the onsite review. The report spells out the organization’s vulnerabilities and suggests a mitigation strategy.

“A comprehensive evaluation will likely identify many risks,” said David Finn, health information technology officer at Symantec Corp. “Once identified, you can develop plans and timeframes to reduce these risks starting with those that have the greatest potential for negative impact,” he said.

Finn referred to risk assessment as the first step of risk management, which he described as the ongoing process of identifying risk, developing mitigation plans and executing those plans.

Casting a Wider Net: Business Associates

Another source of vulnerability exists beyond the walls of the health care provider: business associates. Business associates are defined under HIPAA as third parties handling PHI in the course of doing business with a covered entity. Breaches involving a business associate increased 76% from 2010 to 2011, according to the Redspin report.

“Hospitals in the past have generally done a poor job of due diligence with respect to the people they share data with,” McMillan said.

Under HIPAA, providers are required to ink a business associate agreement with each data-sharing partner. A business associate that signs the agreement acknowledges its data protection responsibilities. But the pacts typically don’t detail specific security requirements. What’s more, business associate agreements usually surface when a covered entity and its partner are finalizing a business deal, so the time for vetting has already passed.

“A better solution is to use an independent security questionnaire during the selection/RFP process, which is when you should be vetting the capabilities of the vendor,” McMillan said.

Several companies now offer risk assessment services that assess business associates.

ATMP Solutions, a Michigan-based company that conducts HIPAA compliance assessments, has been using eGestalt Technologies’ tool with smaller practices and business associates. Joe Dylewski, managing partner and owner of ATMP, said business associates are drawn to assessments for two reasons.

“To be a business associate and to have gone through a third-party assessment adds credibility to their business value,” he said, adding, “And they are kind of guided by the large covered entities to get this work done for them.”

Read more: http://www.ihealthbeat.org/features/2012/security-risk-assessments-gaining-traction-in-health-care.aspx#ixzz1p3Z8QEkR

Are You PCAnywhere Vulnerable?

The recent announcement by Symantec that its PCAnywhere product had been compromised (the product’s source code had been stolen) is sure to be a blow to much more than just Symantec’s stock price. In the years we have spent assessing networks, PCAnywhere was once ubiquitous, in authorized and rogue installations alike. Early installations listened on modems and then migrated to Internet connectivity as broadband became common. When GoToMyPC arrived, attention shifted away from PCAnywhere, but the product still has a huge install base in both the private and government sectors.

Our customers already on the NetworkBox UTM platform received a note last night (shown at the bottom of this post) from NetworkBox alerting them that PCAnywhere installations reachable from the Internet through the NetworkBox were already protected. That protection applies only to traffic that actually passes through the box; an installation reachable by another route (a modem, a second Internet link, a remote worker’s home machine) is not covered by it. For those not on the NetworkBox platform, it is certainly worth considering: 24x7x365 proactively managed perimeter security, with signatures updated on the box an average of four times an hour and an entire organization watching your perimeter, likely far exceeds the fraction of a single FTE you have tending to your perimeter today. Those already on the NetworkBox platform will, we are sure, appreciate the peace of mind that a watchdog managing, monitoring and proactively alerting brings.

The best path for any organization not on the NetworkBox platform that wants to verify it has no exposure to PCAnywhere-related attack vectors is a comprehensive external vulnerability test that spans the organization’s entire publicly accessible IP space and all ports. PCAnywhere listens on well-known ports by default (TCP 5631 for data, UDP 5632 for status), but it can be configured to use user-defined ports, so a scan of the default ports alone is not conclusive: scan every port and identify the service by its banner, not by its port number. According to InfoWorld, Rapid7 estimates that well over 140,000 hosts are currently exposed directly from the Internet, many of them owned by organizations that wrongly assume a firewall protects them.
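What that full-port external test looks like in practice, as an added example (my code, not the post's, NetworkBox's or Rapid7's): run nmap from outside the perimeter over every public prefix and every port with service detection enabled, then triage the grepable output so that PCAnywhere is flagged by its service fingerprint on any port, and an open default port without a banner match is reported as probable rather than confirmed. The nmap command in the docstring is the one I would use; the scan output lines are constructed for the example and are not from a real scan, and the exact version strings nmap prints for a live PCAnywhere listener may differ.

```python
"""Triage nmap grepable output (-oG) for Internet-reachable PCAnywhere.

Added example, not code from the post or from NetworkBox/Rapid7. Suggested
scan, run from outside the firewall over the whole public address space:

    nmap -Pn -sS -sU -sV -p T:1-65535,U:5632 -oG pca.gnmap 203.0.113.0/24

The -sV service detection is what catches a listener moved to a
user-defined port; without it nmap only labels ports by number.
"""
import re

# Default ports. Used only to rate confidence when no banner was matched;
# the real test below is on the service name/version, not the port.
DEFAULT_PORTS = {("tcp", 5631), ("udp", 5632)}

# -oG host line: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")

# Constructed sample output (not a real scan). Entry format is
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated (constructed sample)
Host: 203.0.113.10 (rx-fax.example.org)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 5631/open/tcp//pcanywheredata//Symantec pcAnywhere data/, 5632/open/udp//pcanywherestat//Symantec pcAnywhere status/\tIgnored State: closed (65533)
Host: 203.0.113.23 ()\tPorts: 443/open/tcp//https//Apache httpd/, 48000/open/tcp//pcanywheredata//Symantec pcAnywhere data/\tIgnored State: filtered (65533)
Host: 203.0.113.40 (vpn.example.org)\tPorts: 5631/open/tcp//pcanywheredata///\tIgnored State: closed (65534)
Host: 203.0.113.77 (www.example.org)\tPorts: 80/open/tcp//http//nginx/, 5631/closed/tcp//pcanywheredata///\tIgnored State: filtered (65533)
# Nmap done (constructed sample)
"""


def parse_ports(field):
    """Yield (port, state, proto, service, version) from a -oG Ports field."""
    for entry in field.split(", "):
        parts = entry.split("/", 6)
        if len(parts) < 7:
            continue
        port, state, proto, _owner, service, _rpc, version = parts
        yield int(port), state, proto, service, version.rstrip("/")


def find_pcanywhere(gnmap_text):
    """Return [(ip, hostname, proto, port, confidence)] for PCAnywhere hits.

    confirmed: -sV matched a pcAnywhere banner (any port, default or not)
    probable:  a default port is open but no banner was matched, e.g. the
               scan ran without -sV or the probe was filtered
    """
    findings = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports = m.groups()
        for port, state, proto, service, version in parse_ports(ports):
            if state != "open":
                continue
            banner_hit = "pcanywhere" in version.lower()
            on_default = (proto, port) in DEFAULT_PORTS
            if banner_hit:
                findings.append((ip, hostname, proto, port, "confirmed"))
            elif on_default:
                # service name here comes from nmap's port table, not a probe
                findings.append((ip, hostname, proto, port, "probable"))
    return findings


def exposed_hosts(gnmap_text):
    """Distinct IPs with at least one PCAnywhere finding, in scan order."""
    seen = []
    for ip, *_ in find_pcanywhere(gnmap_text):
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for ip, name, proto, port, conf in find_pcanywhere(SAMPLE_GNMAP):
        print(f"{ip:15s} {name or '-':22s} {proto}/{port:<6d} {conf}")
```

On the constructed sample, 203.0.113.23 is the case the post warns about: PCAnywhere on a user-defined port (48000) that a default-port scan would miss, caught only because the banner was fingerprinted. 203.0.113.40 shows the opposite limitation: an open 5631 with no banner is reported as probable and needs a follow-up probe before it is written up as a finding.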

With the size of the remote workforce in healthcare and the creativity that is often employed to get work done, it is our recommendation that this announcement from Symantec be taken seriously.

Don’t hesitate to call on us if you have questions about how this announcement might affect your organization.

NetworkBox USA Alert on PCAnywhere