What 500 SRAs Reveal About the State of Security in Healthcare
by Carl Kunkleman, SVP and Co-Founder, ClearDATA
The Dangers of Feeling Safe
A false sense of security is a very dangerous thing. Facebook, Instagram, and LinkedIn probably thought they had adequately secured their records, and then found their brands plastered across the headlines as the owners of a monstrous data breach, caused by Socialarks, that appears to have compromised approximately 214 million records.
I’ve been part of more than 500 security risk assessments in my role with ClearDATA, healthcare’s largest managed cloud and security services provider. When I assess risk at various organizations, there are always surprises and newly uncovered vulnerabilities, yet I often see the same mistakes being made over and over again. The biggest mistake is assuming you’re okay rather than actually confirming it with a third-party security risk assessment that shows where your security gaps really lie.
Everybody I have ever evaluated had at least one security gap. Every single one. I’m guessing you’re no different.
One of the reasons there may be gaps is that your job is IT; it’s not understanding healthcare policy and complying with complex regulatory frameworks that oftentimes have vague parameters for how compliance must be met. At ClearDATA, we’ve built a company completely focused on that and have established a team of recognized experts who can quickly and efficiently help you discover where your security gaps are…before a hacker finds them.
Healthcare has never been more at risk than it is today, on-premises more than in the cloud but in every environment, because healthcare holds the most valuable data and is the most vulnerable industry. While data breaches are indeed crippling to any business, they are extra hard on healthcare organizations considering the vast amount of sensitive information consumers trust them with. Penalties can include millions of dollars in fines, loss of patients, credit monitoring costs, lost productivity, civil and criminal investigations, and damage to institutional and professional reputations. For this reason, hundreds of recognized healthcare organizations have turned to ClearDATA for its CyberHealth™ Platform and Services, built on a foundation of HITRUST and our Policy-as-Code™ Engine, ensuring best practices are in place for protecting the privacy, security, and compliance of the PHI our customers are working with.
Unfortunately, not all healthcare organizations take this threat seriously enough. Not long ago, Anthem reached a settlement for exposing the personal records of 78.8 million current and former members and employees, including names, birth dates, Social Security numbers, home addresses, and more. This resulted in a $16 million settlement with OCR for HIPAA violations, and a record-breaking $115 million to settle a class-action lawsuit. Add in the cost of corrective action and the time lost between the breach in 2015, the settlement in 2018, and the class-action lawsuit settlement in 2021, and it doesn’t require much imagination to understand what a challenge the IT team must have faced throughout those years. Can your organization afford that kind of penalty? For many, it would be a death blow, both to finances and to reputation.
How to Minimize Risk
The key to avoiding an incident like this is to minimize your risk by regularly conducting security risk assessments (SRAs). While some folks opt to do this in-house, there’s generally not enough time, talent, and healthcare security and compliance expertise to complete an SRA that truly shows your gaps. By conducting thorough assessments with the expert in this field, ClearDATA, healthcare providers and business associates can uncover potential weaknesses in their security policies, processes, and systems, and then remedy them before adverse security events can occur. ClearDATA delivers SRAs through our Assessments & Risk Management capabilities within the CyberHealth Platform. Our solution doesn’t just identify risks: our team of experienced professionals provides risk management guidance, so your team knows where to focus and can assign tasks and timelines to remediate identified risks.
Healthcare organizations are racing to digitize more and more of the healthcare ecosystem and introduce new technologies like IoT (Internet of Things), machine learning, and advanced analytics. While these initiatives yield greater efficiencies and process improvements, they make SRAs even more critical to healthcare innovation than ever before. What’s more, when we complete the SRA we’ll give you a report that your CEO, CIO, CTO, COO, and more can use to get on the same page as they work with us on the road map to remediation in a strategic manner that gets you to a better place.
Each year at ClearDATA, our healthcare-exclusive security analysts take stock of several years’ worth of SRAs to identify the most commonly occurring gaps. Too often, we see IT departments at hospitals and healthcare technology companies believe they have the correct policies and procedures in place to ensure data security compliance, only to find out that they actually don’t. Many of them have taken care of the IT side only to be blindsided by policies and procedures they were unaware of, leaving them vulnerable on the business side.
Proliferation of Data
Security Risk Assessments look at technical, administrative, and physical safeguards. In your role as an IT leader, surely you are looking at the technical ones. Yet we continue to find security gaps in encryption and patch management. The most common, and most dangerous, misconception we find every year is the belief, held by a surprising number of healthcare organizations, that their Protected Health Information (PHI) is safe because they have password-protected their computers and handheld devices. White hat penetration testing has proven that passwords are relatively easy to defeat. We also continue to find organizations that have not performed a reliable inventory of where all of their PHI resides. You cannot protect your information if you do not know where it lives. This is further complicated by the ever-expanding number of devices that have access to the data, including the rampant proliferation of Shadow IT.
Speaking of Shadow IT, according to NCSC, one out of five organizations has experienced a cyberattack caused by Shadow IT; it is often an easier target because it is deployed outside the IT department’s oversight. Are you defended? And, as much as the business side of your house may be subject matter experts on various aspects of your business, they are unlikely to be experts at software integrations, standardization, and security practices. With Shadow IT on the rise, they are also unlikely to be asking for your advice.
In the horrible event that you have an incident that escalates to a legal declaration of a breach, the first thing OCR is going to ask to see is your security risk assessment. You’ll need to be able to verify your PHI inventory, and lamenting that a significant portion of your company is using Shadow IT is not going to get you out of the hot seat. It’s likely going to make that seat hotter.
And then there’s data sprawl and data liquidity. Your organization is probably using some cloud services, and if not, it will be soon if you want to remain competitive. Enterprises use an average of more than 1,200 cloud services, according to Cisco Cloud Consumption engagements. PHI travels across more healthcare systems and apps than ever before, increasing the attack surface and potential security risks.
And if you are still on legacy systems, you likely have both technical and physical safeguards that have to be addressed, not the least of which are patch management and encryption, server room access, and workspace security.
ClearDATA looks at all of this and more to ensure that as you strengthen your organization’s security and compliance environment you aren’t closing one door and opening another for intruders.
Your IT Team May Not Be Aligned With Your HR Team
We see this one a lot – two sides of the house are not aligned over policies and procedures. When is the last time you and your IT team sat down with HR to discuss policies that affect your safety and ability to protect sensitive information? Is everybody too busy?
From an administrative perspective, your organization needs policies and practices in place that your IT team may not be aware of. The ClearDATA team will review these for you and let you know which ones need IT’s attention. What’s the onboarding and offboarding process with your HR department? Are your employees trained regularly on security and compliance in order to create a culture of compliance that reduces risk? Most often I see that employees don’t know what they don’t know, which makes them prime targets for phishing attacks. Does your team have an incident response management plan and checklist? Have you articulated how to follow the four-factor/three-exception methodology in the event of a loss of PHI? There are numerous policies that need to be addressed, every single day of the year. We can build you a security incident management playbook, create scenarios where you practice the process, and perform penetration testing to find those holes, because your incident management isn’t for practice; it’s for real.
SRAs: An Expanding Mandate for Healthcare Innovation
These existential threats to PHI are well known to regulators, which is why SRAs have been a longtime HIPAA mandate. SRAs are also mandated for participation in the Merit-based Incentive Payment System (MIPS). So, to cut to the chase, you have money on the table that you will lose if you don’t conduct an SRA. Specifically, SRAs are one of the core requirements within the Advancing Care Information performance category in MIPS. Additionally, many commercial and private partnership agreements now include security clauses that mandate regular SRAs.
Through our CyberHealth Platform, your team will create an ePHI inventory to determine where electronic and other data is located; it is saved in the portal for you to access should you need it, for audit purposes, or for your next SRA. The inventory gives both parties a clear view into where your risks lie, from low-level risks to high-level risks requiring urgent action. We’ll also work with you to create a remediation roadmap in which you identify which gaps you need to address first and foremost, and then make an executable plan to address all gaps by assigning roles and tasks within the Assess portal. And we’ll present the plan to your C-suite, empowering your CIO, CEO, and CTO to get on the same page about a path forward to minimize risk so you can focus on business objectives and innovating healthcare solutions.
If it’s been a while since your last SRA — or maybe you’ve never conducted one you truly felt confident in — don’t wait until your organization faces a devastating breach. Now is the best time to perform this mandated security exercise. It’s an essential step to protecting your patient data on your path to healthcare innovation. Turn to the HITRUST-certified, healthcare-exclusive cloud experts at ClearDATA and start protecting your organization from security gaps you don’t know you have.