
Continuous assessments ensure success with security

Briefings on HIPAA, March 15, 2007
Many covered entities performed a risk analysis as part of their initial efforts to comply with the HIPAA security rule in 2005. But many then shelved the report and haven’t dusted it off since that first big push. That’s a big mistake, security experts say.

“There’s nothing in security that you can do once,” says Kate Borten, president of the Marblehead Group, a consulting firm in Marblehead, Mass. “Risk assessment never stops. This is supposed to be ongoing.”

A risk assessment attempts to
  • identify all the possible threats your systems face
  • rank threats in priority of importance
  • offer solutions to threats


Define your goals
You should update the assessment continuously as technology changes and new threats emerge. This is the approach that Mark Eggleston, manager of security and business continuity at Health Partners of Philadelphia, takes. He conducts quarterly vulnerability testing of the Health Partners’ systems--and he never fails to find new threats. He works off of a simple spreadsheet that he designed in his original risk assessment. The template rates threats based on their potential for damage, their likelihood of occurrence, and how easy they are to fix. This helps him develop a prioritized to-do list that keeps him focused on the most important security threats.

“It really helps you get a more efficient approach to closing your security risks,” Eggleston says. “You always have risks, but you want to close the most important ones. So if you’ve got something that’s high risk and low effort, you close that first.”
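As an added example (not code from the article or from Health Partners), here is a small Python version of the spreadsheet logic Eggleston describes: each threat is rated for potential damage, likelihood of occurrence and effort to fix, and the list is then sorted so that high-risk, low-effort items come first. The 1-to-3 scales, the cut-offs and the sample threats are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumed scales for this example: each factor rated 1 (low) to 3 (high),
# echoing the Low/Medium/High levels of NIST SP 800-30.
HIGH_RISK = 6   # assumed cut-off: likelihood x damage of 6 or more is "high risk"
LOW_EFFORT = 1  # assumed cut-off: an effort rating of 1 is "low effort"


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int      # potential for damage (impact), 1-3
    likelihood: int  # likelihood of occurrence, 1-3
    effort: int      # how hard it is to fix, 1 = easy .. 3 = hard

    def __post_init__(self):
        for field in ("damage", "likelihood", "effort"):
            if getattr(self, field) not in (1, 2, 3):
                raise ValueError(f"{field} must be 1, 2 or 3")

    def risk(self) -> int:
        # Risk level as likelihood x impact, the way SP 800-30 combines them.
        return self.damage * self.likelihood


def bucket(t: Threat) -> int:
    """0 = high risk & low effort, 1 = high risk, 2 = low risk & low effort, 3 = rest."""
    high, easy = t.risk() >= HIGH_RISK, t.effort <= LOW_EFFORT
    return 0 if high and easy else 1 if high else 2 if easy else 3


def prioritize(threats):
    """Return the threats as a to-do list: closest to 'high risk, low effort' first."""
    return sorted(threats, key=lambda t: (bucket(t), -t.risk(), t.effort, t.name))


# Constructed sample register, not data from the article.
SAMPLE = [
    Threat("Legacy app keeps no audit log", damage=2, likelihood=1, effort=3),
    Threat("Unencrypted laptop with PHI lost off-site", damage=3, likelihood=2, effort=2),
    Threat("Passwords written on sticky notes", damage=3, likelihood=3, effort=1),
    Threat("PHI copied to personal USB drives", damage=2, likelihood=3, effort=3),
    Threat("Shared printer area left unlocked", damage=1, likelihood=2, effort=1),
    Threat("File server months behind on patches", damage=3, likelihood=3, effort=2),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        print(f"risk {t.risk():>2}, effort {t.effort}: {t.name}")
```

Re-running the sort after each quarterly test, with ratings updated as fixes land and new threats are added, gives the continuously refreshed to-do list the article recommends.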

Many CEs fail to update their risk assessments properly because they confuse them with HIPAA compliance audits, Borten says. A compliance audit is less sweeping than a risk assessment; it looks only at how well you’re complying with the regulations, not at your overall security.

“If you perform a risk assessment by limiting what you look at to only the requirements of the security rule, you may well miss some risks because the HIPAA security rule is not the be-all and end-all security standard,” Borten says. “There are plenty of other security practices that you should have in place.”

Update as changes occur
At a minimum, you should perform a risk assessment whenever you make a significant change to your system (e.g., adding new equipment or upgrading capabilities). “You should have information security staff sitting at the table whenever you’re planning a new project of any type,” Borten says.

She also recommends conducting an annual review but suggests that you not just wait for the annual update. Instead, take a look at parts of your system throughout the year as needed. For example, you may want to take a month to focus on a particular application or system in detail. “There are ways to do this smartly,” Borten says. “It’s easier to break it down. I suggest taking it in steps and spreading it out throughout the year. For an organization to not do anything about a risk assessment for a whole year misses the concept of what a risk assessment is.”

But don’t let that intimidate you. Eggleston suggests that a risk assessment be streamlined to fit your organization’s needs because, in essence, all you need is a list of all potential threats that you then prioritize. A good place to start is with the National Institute of Standards and Technology’s (NIST) Special Publication 800-30, Risk Management Guide for Information Technology Systems, which can help you work through what you must include in your assessment. Eggleston used this publication to build the risk assessment spreadsheet off of which he works.

Start with your original assessment when conducting an updated risk assessment. Take a look at how you did it originally and who was involved and use that as a starting place. First determine who you should involve in your update. You’ll assess technical security, physical security, training, systems, and policies, so you may need to draw staff from across your organization. You shouldn’t limit yourself to the information technology department, Borten and Eggleston agree.

Address common problems
One common mistake that Borten sees is conducting a risk assessment by sending self-assessment questionnaires to various departments. Those that don’t specialize in security simply may not realize what threats they face or understand how serious those threats are, she says.

“In an increasingly security-aware and sophisticated world, that’s not going to cut it,” Borten says. “Get someone who knows what questions to ask and knows how to weigh the vulnerabilities once you’ve identified them.”

And don’t make the mistake of thinking that just anyone in the IT department can handle a risk assessment, she says.

A good security professional has specialized knowledge and keeps up to date on the risks. He or she can spot vulnerabilities that other IT staff can’t and can also suggest remedies. Consider hiring a consultant to provide a fresh set of eyes in some cases or invest in hiring and training professional information security officers to do the job.

Another common hole in many risk assessments is that they don’t address the glut of portable devices that have become increasingly common in recent years (e.g., laptops, smart phones, and Universal Serial Bus, or USB, drives). The proliferation of these portable devices makes it easier to steal or lose vast quantities of data, so be sure to include them in your updated risk assessment.

But don’t limit a risk assessment to the technical end of things. Many times, a change in policy, additional training, or simply more enforcement is what’s needed. All of these steps are relatively low cost and can go a long way toward reducing your risks. For example, Eggleston’s organization implemented a single sign-on solution recently for all of its applications so that staff no longer need to track multiple passwords, which often caused them to write passwords down--a serious vulnerability. Health Partners also increased the penalties for writing down a password to ensure that staff took the rule more seriously.

Similarly, when Health Partners recognized that it was losing laptops too often for comfort, it increased the sanctions for staff who misplace laptops. “The information technology department can do [the risk assessment] in its own little world, but you’re going to miss out on the human element,” Eggleston says. “Stuff like preventing people from writing down passwords can do a lot of good.”

Finally, when your report is finished, remember to share it with the organization’s C-suite and other key players so that they know what risks they face and what will be needed to fix them. This is important so that senior management understands the potential threats and how the budget needs to address them.

Michael Iarrobino is the editor of Briefings on HIPAA. He may be reached at miarrobino@hcpro.com. This story first appeared in the March edition of Briefings on HIPAA, a monthly newsletter by HCPro Inc. For information on all of HCPro’s products, visit www.hcmarketplace.com.