S2 E5: The Value of Risk Assessments in Healthcare
Jordan Eisner: Okay, welcome back. This is Jordan Eisner, your host for Compliance Pointers, a dedicated podcast for information security, data privacy, and regulatory compliance. I’m the VP of Sales with Compliance Point, as most of our listeners probably know by this point. And most of you probably know Carol Amick, our Director of Healthcare Services, back for the third time here on the podcast. Carol, good to have you with us.
Carol Amick: Thank you, Jordan. Good to be here.
Jordan Eisner: And for those that haven’t heard Carol on the podcast before, she’s been with the organization for what now, Carol? Five years?
Carol Amick: Yeah, going on six now, yeah.
Jordan Eisner: Going close to six. She’s the Director of our healthcare practice. She’s a HIPAA and HITRUST guru. She’s spent time working on the client side as VP of Compliance. She’s worked for KPMG and other big consulting firms. Not too long, but long history of success and expertise in the healthcare space. So excited to have her back.
Today we’re going to be talking about healthcare organizations. Might say those providing care, covered entities, but also maybe business associates as well. And their need to conduct a risk assessment. And I assume maybe we’re talking about security risk assessment, but Carol, maybe you’ll add some color on that. And how you can go about getting an assessment done.
So let’s start there, Carol. First and foremost, risk assessment, thrown around a lot. Talking about HIPAA here, right? What is it?
Give us an overview. What’s the requirement? Who’s it applied to? What should I know about a risk assessment if I’m in an organization that HIPAA is applicable to or I provide services to an organization that HIPAA is applicable to so that brings me into the fold.
Carol Amick: Yeah, so if you are a healthcare provider or a business associate, someone who provides services to healthcare, you are expected to comply with the HIPAA Security Rule. And the Security Rule requires that organizations do an annual risk assessment to identify and address risk to protected health information, or ePHI, that they have under their control.
And so the risk assessment really is a system of analyzing your environment, your risk, and looking at your control environment to see if you have adequately addressed risk related to that PHI.
Now a risk assessment is not going to make you bulletproof and make sure you never have a breach or you never have a problem, but it does show that you’re making a really good faith effort to protect the data. And that’s very important to the Department of Health and Human Services, which oversees the risk assessment process.
Jordan Eisner: So I’m going to say the way I’ve thought of it and you tell me if that’s just stupid or if maybe it’s the right way to think about it as a company is that you need to understand organizations from a HIPAA standpoint have different policies, they’ve got procedures, they’ll have technical controls they put in place to protect PHI. And so you need to understand based on your business, your complexities, your scope, your focus, what are the threats to that PHI, where our vulnerabilities might exist. And that informs where you put controls in place is not to your point just about complying with HIPAA, but the risk assessment it may be is where are the most meaningful areas to put controls in, right, to limit or mitigate risk associated with it.
Maybe not necessarily 100% compliance, which we’re not advocating for you not to be 100% compliant, but where can we get the most bang for our buck in terms of reducing risk with PHI?
Carol Amick: Yeah, the way we do our risk assessments is we prioritize it based on the likelihood and the impact of the threat.
So let’s use phishing as an example. We all know that right now there is a very high likelihood that you’re going to get a phishing email. If you haven’t gotten one, you’re just probably not really checking your emails closely. Phishing is also one of the most likely methods for a bad actor to get into your system because somebody is going to click on that email and now that bad actor is in your system watching keystrokes, et cetera.
So the likelihood of a phishing attack happening is high, and the impact of a phishing attack could also be very high depending on how long that bad actor is allowed to stay in your system, what they can see, what they can do. So that would be a high-priority thing that we would recommend when you do your risk assessment. If you don’t have good controls there, that goes into the things you focus on first and work towards that. So that helps you, once you do your risk assessment, figure out what the next steps are with the risk you’ve identified.
Jordan Eisner: Correct me if I’m wrong, but the HIPAA rule might not even say anything about phishing, right? It might predate that.
Carol Amick: Yeah. One of the things you need to do when doing a risk assessment is not just look at the HIPAA security rule. The HIPAA security rule was written before email. It was written when encryption was incredibly expensive and difficult. It has not been updated in over 10 years.
So you really want to look at the risk to your environment now. Do not focus solely on the HIPAA Security Rule because that’s probably not addressing a lot of the risk we currently see.
Jordan Eisner: It’s a common thing I ask when organizations may be asking about HIPAA come in and they say, we need to be HIPAA compliant. We need to be HIPAA compliant. Do you need to be HIPAA compliant or do you need to demonstrate that you’ve got reduced risk as it pertains to PHI, right? And your handling of the PHI.
So beyond the things we’ve talked about, I think the obvious, reducing risk, taking care of PHI, complying with HIPAA to a degree, why is it important for organizations in the healthcare space to complete a risk assessment?
Carol Amick: Well, the other thing that recently happened, in 2021 I believe it was, the federal government passed a law that they call the HIPAA Safe Harbor Act. And basically what they’re saying is the government has directed the Department of Health and Human Services to take into effect whether a business associate or covered entity that had a breach has done a risk assessment, or, the way they refer to it, recognized security practices, to identify and address risk.
And that is, well, it’s not a get out of jail free card if you have a breach and the government does do an investigation. It is supposed to reduce your fines. It is supposed to reduce the amount of investigation the Department of Health and Human Services does. And overall, it will demonstrate to those agencies that are regulating you and looking at you and saying, how did this happen? That it was not willful neglect. You were attempting to do the right thing.
As I said earlier, a risk assessment is not going to make you bulletproof. I don’t know what can in this day and age, but it does show that you have attempted to do the right thing.
Now that assumes that your risk assessment was comprehensive and you actually looked at your entire organization. And we were talking about phishing a minute ago, Jordan, and there was a HIMSS study a few years ago on risk assessments. And the study talked about how many of the people responding, I think it was about 50%, said their point of attack was phishing, but only about 40% of them included phishing in their risk assessment. So you’ve got to make sure your risk assessment covers the expected risk you’re going to have, I would think, to demonstrate that level of commitment to a regulatory body.
Jordan Eisner: Phishing and now my new favorite, smishing, which is phishing via text messages, right? So that’s the new wave.
I’ve always heard that if the OCR does an audit, one of the first things they ask for is a copy of your risk assessment. Is that true?
Carol Amick: That is true. And if you look at their enforcement actions, they consistently call out every year, over and over again in their enforcement actions, the fact that the organization they are leveling an enforcement action against did not have a comprehensive enterprise-wide risk assessment. It’s very evident they want that.
I went to the Healthcare Compliance Association conference last spring and a person from the OCR spoke to us and they got up there and talked about the importance of a risk assessment. This is an area of focus for the Department of Health and Human Services Office of Civil Rights which does these enforcements. So you want to be able to demonstrate that you’ve done it.
It’s also something your clients, especially if you are a business associate, your clients should be asking you if you’ve done one of these and have you addressed the risk to their data they’re sharing with you?
Jordan Eisner: Especially if you’re processing PHI.
I know that sometimes business associate agreements are just sort of broadly applied, but exactly to your point, if you’re a business associate, you’re processing PHI, you’re probably familiar with the concept of a security risk assessment.
So one of the key things you just said there that stood out to me was an enterprise-wide comprehensive risk assessment. So that makes it sound pretty big. You might talk me off that a little bit, maybe say it’s not so big, but what are some key areas of an information security program that need to be included in an assessment?
Carol Amick: So when they’re talking about enterprise-wide and they’re talking about comprehensive, they’re probably looking at the areas that cover PHI, so you don’t necessarily have to include in your risk assessment for protection of PHI, your payroll, your AP, that kind of thing. You’re really looking at the relations to PHI.
One of the tools that the government has provided is called the Health Industry Cybersecurity Practices. And basically what it does is it lists out the common threats that we’re seeing and the controls and areas they expect you to have in place to cover that.
So ransomware is a big threat. One of the things they talk about, what we talked about is phishing. They talk about have you done vulnerability assessments? Have you done upgrades? So basically you’re focusing on those things that could impact PHI, but you don’t want to ignore an area because you know you don’t have it covered.
So for example, vulnerability is a prime example. If you’re a business associate and you’ve never had a vulnerability scan done, are you running a website as a covered entity and you’ve never had a penetration test done, don’t leave those off your risk assessment because you don’t know how bad the situation might be because that’s kind of where they say it wasn’t enterprise-wide. It’s like, you know, we’re just going to ignore this problem and no one will notice. Well, that’s probably where you’re going to get into trouble.
Jordan Eisner: Okay, makes sense.
So if I’m an organization, I’m listening to this podcast and I’m looking to do an assessment for the first time or I haven’t gone through one in a while or maybe in recent memory, what are the first steps to get started?
Carol Amick: I think the first step to get started is to find a framework that you’re going to kind of assess yourself against. So we talked, I talked a little while ago about the healthcare industry, cybersecurity practices. Basically that’s based off the NIST framework. NIST is another one you can use.
We like the healthcare industry cybersecurity practices framework simply because it’s a drill down of NIST. As you know, Jordan, from your other work, NIST is a very comprehensive, huge framework. And if you pull that off the website and look at it, you’re probably going to feel a little overwhelmed.
So we would recommend kind of going to something like this healthcare industry cybersecurity practices and picking that one and because it actually even helps drive you to the right controls for the size of your organization. They scaled it small, medium and large organizations even.
So it’s a really great starting point for someone who hasn’t ever done one, but there are other frameworks you can use. You can use ISO, you can use a lot of frameworks, but you want to have a framework and a plan to start with because otherwise you run the risk of kind of just going scatter shot and not covering everything and getting kind of thrown down a rabbit hole that maybe isn’t as important as something you haven’t seen yet.
Jordan Eisner: So and with the risk assessment, it doesn’t have to be external, right? You can do this internally. There’s no requirement that it has to be a third party. Selfishly, I would say that a third party probably is a better look, right? Or maybe selfish isn’t the right word, but that’s a shameless plug there.
Third party, non-biased, right? Looking at the risk, maybe second set of expertise or a counter set of expertise on some looking at some of these areas. So if an organization were to consider a third party for a risk assessment, what should they consider?
Carol Amick: So I’m going to bring up a couple of things. One, if you do do a risk assessment internally, I’m going to step back. You want to have it done by somebody who’s independent, and that’s the real benefit of having an external firm.
I’ve seen several risk assessments that were done by somebody who reported to the chief information security officer, and the chief information security officer had been telling his governing body for years they were in good shape. Well, if you’re his direct report and you’re supposed to do a risk assessment, are you really going to feel comfortable saying, you know, you haven’t been telling the truth for several years?
And so giving that independence and that freedom is probably one of the real reasons you go with an external independent partner. It does give you some independence. You’re not really drawn into any kind of political considerations in the organization. And it is also somebody who a lot of the time has looked at what’s going on in the industry and seen a lot of what else is going on, so they can bring that expertise to you.
So you want to look for a partner that does a good number of these, if you’re going to use a partner, that has a wide variety of frameworks and backgrounds. I think that you don’t want to consider risk only in HIPAA or only in healthcare, because risks migrate between industries. So if your partner is working across multiple industries, they may have heard something that hasn’t made it to healthcare yet that you want to think about. And so that’s another benefit to having an external partner: that breadth of knowledge across what’s going on in cybersecurity as a whole.
And then somebody you just think you can work well with, of course, because that’s always important. It’s you know, it’s going to require some time on your side and some commitment from your organization. So you want to have a good relationship.
Jordan Eisner: Good thoughts.
And after the assessment is complete, I assume you just put it in a sealed envelope. Don’t look at the results. Lock it up and do the same thing next year. Or do you do something with the findings, Carol?
Carol Amick: I would not recommend that approach, Jordan. That generally doesn’t really get you where you want to go. Earlier, I talked about how we tend to do our risk assessments, and we do a high-priority method by saying this is your impact and your likelihood.
So what you want to do after your assessment is complete, it may identify more than you can realistically do in a reasonable time period. You need to prioritize. OK, what are we going to do? What can we do? What’s the next steps?
Now, if we can’t fully mitigate something, and I’ll give you a good example, one of the big risks to healthcare is that medical devices that might be in a covered entity are using operating systems that can no longer be patched. They’re just out there and they’re old and they’re therefore very vulnerable to malware and other problems.
OK, I can’t force the hospital to buy all new devices. That’s just not in the budget. What can we do? We isolate these on the network and put in some extra controls to make sure that if something does get into one of these devices, it doesn’t infect our whole network.
And so you’re looking for a couple of things. You’ve got to be realistic on your approaches to it, but you’ve also got to come up with, I realize in healthcare money’s tight, a cost-effective way to address the risk. I mean, it’d be great if we could all afford all the fanciest, newest equipment, but that’s not always realistic.
Jordan Eisner: And I know you’ve mentioned it a few times now, I believe, but a risk assessment per HIPAA is an annual requirement.
Carol Amick: Yeah. And the Safe Harbor Act I talked about earlier also kind of said you’ve shown that you’ve done that recognized security practices evaluation, basically a risk assessment, when they went in and called out what they wanted, within the past 12 months. So you want to have a fairly current risk assessment should you have a problem.
Jordan Eisner: And we talked about doing something with risk assessment. So maybe this is a tricky question or hard to answer, but could it reflect poorly on an organization or maybe to what degree are these risk assessments potentially reviewed in the event of an audit or a breach or something of that nature where there’s a year or multiple years where a vulnerability or a gap was discovered and it was not remediated?
Carol Amick: There have been some situations where the Department of Health and Human Services has actually gone after some people saying you knew year over year that you had this gap that could have been remediated. I think that’s the real key when they look at it.
The one that comes to mind related to unencrypted laptops, it was eventually settled in the favor of the hospital. But the allegation was that the hospital should have known these laptops were not encrypted and had PHI on them. And they had called that out in a risk assessment year over year and had not done anything about it.
So I think the question is, is it something they would have expected you to be able to do in a reasonable time period? We just talked about the medical devices. I think they’re going to be more understanding of “we couldn’t afford to replace every IV pump in our hospital” than of “we couldn’t afford BitLocker for a laptop.” So you’re going to have to think about that too.
Jordan Eisner: So if you’re going to do the assessment, take the results seriously, communicate them, remediate the high-priority things that are within reason, right?
Carol Amick: Let me point out the other reason you want to do this is what I jokingly refer to as the six o’clock news risk. You want to kind of stay ahead of your risks and try to mitigate them before you have a breach, because even if you don’t wind up with a Department of Health and Human Services investigation, or it turns out not to be as material as it sometimes sounds, if your customers, your patients get wind of the fact that you may not be protecting their data because it’s on the six o’clock news, they’re going to look at other options.
And so you’ve got to kind of protect your business in addition to just complying with the law.
Jordan Eisner: Yeah, I couldn’t help but just kind of chuckle at the six o’clock news reference there because I think we’ve probably reached a point as society where I would imagine half the population doesn’t understand that reference.
Carol Amick: Well, now it’s the Instagram, it’s the Instagram or TikTok story.
Jordan Eisner: It’s viral. You don’t have to go viral, Carol. I can appreciate it. I like that, you know.
Carol Amick: Yeah, but it’s some influencer standing in front of your hospital saying they leaked my data all over the internet. And you know that just creates fear in your customers. It’s you, if you’re a business associate, having to call your customer and tell them that something’s happened. And if you’re a hospital, it’s you having to write, even in this day, you have to write and mail letters if you have a breach. You can’t just email, you can’t just text, you’ve got to write and mail a letter. And having been on the side where you wrote and mailed the letters, you then have to spend the next two weeks on the phone answering questions about what was in that letter. So it’s a lot of work.
Jordan Eisner: You sound like somebody who’s lived it.
Well, Carol, I appreciate it. I know this was very insightful for those out there that need to do a risk assessment or it’s a requirement of them or considering it and for those of you out there listening, please don’t hesitate to reach out to Carol or myself for any further questions on this matter.
Check out our website, CompliancePoint.com. We post all sorts of content on HIPAA and the like and other information security requirements and subscribe to the platform.
There’s a high likelihood you’re going to hear more from Carol in the future. So yeah, thank you everybody, and we’ll see you, or hear you, no, we won’t. You’ll hear us next time.