The Dangers of Feeling Safe 

A false sense of security is a very dangerous thing. Capital One probably thought they had adequately secured their records and then found their brand plastered across the headlines as the owner of a monstrous breach that appears to have compromised approximately 106 million records 

I’ve been part of more than 500 security risk assessments in my role with ClearDATA®, the leader in privacy, security and compliance for healthcare in the cloudWhen assessing risk at various organizations, there are always surprises and new vulnerabilities that are uncovered, yet I often see the same mistakes being made over and over again. The biggest mistake is assuming you’re okay rather than actually confirming it with a thirdparty security risk assessment that shows where your security gaps really lie 

 Everybody I have ever evaluated had at least one security gap. Every single one. I’m guessing you’re no different. 

One of the reasons there may be gaps is because your job is IT; it’s not understanding healthcare policy and complying with complex regulatory frameworks that oftentimes have vague parameters for how compliance must be met. At ClearDATA, we’ve built a company completely focused on that and have established a team of recognized experts who can quickly and efficiently help you discover where your security gaps are…before a hacker finds them. 

Healthcare has never been more at risk than it is today – on premise more than on cloud – but in all regards because medical identify theft has proven to be very lucrative for the thieves who used to just want your credit card informationWhile data breaches are indeed crippling to any business, they are extra hard on healthcare organizations when considering the vast amount of sensitive information consumers trust them with. Penalties can include millions of dollars in fines, loss of patients, credit monitoring costs, lost productivity, civil and criminal investigations, and damage to institutional and professional reputations. For this reason, hundreds of recognized healthcare organizations have turned to ClearDATA for its healthcare platform built on a foundation of HITRUST, ensuring best practices are in place for protecting the privacy, security, and compliance of the PHI our customers are working with. But not all healthcare organizations take this threat seriously enough. Not long ago, Anthem reached a settlement for exposing the personal records of 78.8 million current and former members and employees including name, birth date, social security numbers, home addresses and more. This resulted in a $16 million settlement with the OCR for HIPAA violations, and a record-breaking $115 million to settle a class action law suit. Add in the cost of corrective action and the time lost between the breach in 2015 and the settlement in 2018, and it doesn’t require much imagination to understand what a challenge the IT team must have faced there the last few years. Can your organization afford that kind of penalty? For many it would be a death blow, both to finances and to reputation. 

How to Minimize Risk 

 The key to avoiding an incident like this is to minimize your risk by regularly conducting security risk assessments (SRAs). While some folks opt to do this in-house, there’s generally not enough time, talent, and healthcare security and compliance expertise to complete an SRA that truly shows your gaps. By conducting thorough assessments with the expert in this field  ClearDATA – healthcare providers and business associates can uncover potential weaknesses in their security policies, processes, and systems, and then remedy them before adverse security events can occur. ClearDATA delivers SRAs through ClearDATA Assess®, our SaaS and human-driven solution that allows stakeholders to understand and manage security and compliance risks through an easy to use interface. An SRA through ClearDATA Assess doesn’t just identify risks—our team of experienced professionals provide guidance with a Risk Management Plan, so your team knows where to focus and assign tasks and timelines to remediate identified risks. 

Healthcare organizations are racing to digitize more and more of the healthcare ecosystem and introduce new technologies like IoT (Internet of Things), machine learning and advanced analytics. While these initiatives yield greater efficiencies and process improvements, they make SRAs even more critical to healthcare innovation than ever before. What’s more, when we complete the SRA we’ll give you a report that your CEO, CIO, CTO, COO and more can use to get on the same page as they work with us on the road map to remediation in a strategic manner that gets you to a better place. 

Each year at ClearDATA, our team of security analysts take stock of several years’ worth of SRAs to identify the most commonly occurring gaps. Too often, we see IT departments at hospitals and healthcare technology companies believe they have the correct policies and procedures in place to assure data security compliance…when, come to find out, they actually don’t. Many of them have taken care of the IT side only to be blindsided by unknown policies and procedures that leave them vulnerable on the business side. 

Proliferation of Data 

Security Risk Assessments look at technical, administrative and physical safeguards. In your role as an IT leader, surely you are looking at the technical ones. Yet we continue to find security gaps with encryption and patch management. The most common—and dangerous—misconception we find every year is the number of healthcare organizations believing their Protected Health Information (PHI) is safe because they have password-protected their computers and handheld devices. White hat penetration testing has proven that passwords are relatively easy to defeat. We also continue to find organizations have not performed reliable PHI checks of where all of their PHI resides. You cannot protect your information if you do not know where it lives. This is further complicated by the ever-expanding number of devices that have access to the data, including the rampant proliferation of Shadow IT. 

Speaking of Shadow IT, according to industry analyst Gartner, by next year one third of the successful attacks experienced by enterprises will be on their Shadow IT resources, which is often an easier target given the ability to implement it outside of the IT realm. Are you defended? And, as much as the business side of your house may be subject matter experts on various aspects of your business, they are unlikely to be experts at software integrations, standardizations and security practices. With Shadow IT on the rise, they are also unlikely to be asking for your advice. 

In the horrible event you have an incident that escalates to a legal declaration of a breach, the first thing the OCR is going to ask to see is your security risk assessment. You’ll need to be able to verify your PHI inventory, and lamenting a significant portion of your company is using Shadow IT is not going to get you out of the hot seat. It’s likely going to make that seat hotter. 

And then there’s data sprawl. Your organization is probably using some cloud services, and if not, will be soon if you want to remain competitive. Some enterprises use an average of more than 1,200 cloud services according to the Cisco Cloud Consumptions engagements. PHI traveling through these systems may be creating blind spots throughout your organization and creating gaps in your PHI inventory. 

And if you are still on legacy systems, you likely have both technical and physical safeguards that have to be addressed not the least of which is patch management and encryption, server room access and workspace security. 

ClearDATA looks at all of this and more to ensure that as you strengthen your organization’s security and compliance environment you aren’t closing one door and opening another for intruders. 

Your IT Team May Not Be Aligned with Your HR Team

We see this one a lot – two sides of the house not aligned over policies and procedures. When is the last time you and your IT team sat down with HR to discuss policies that affect your safety and ability to protect sensitive information? Everybody too busy?  

 From an administrative perspective, your organization needs policies and practices in place that your IT team may not be aware of. The ClearDATA team will review these for you and let you know which ones need IT’s attention. What’s the onboarding and offboarding process with your HR department? Are your employees trained regularly on security and compliance in order to create a culture of compliance that reduces risk? Most often I see that employees don’t know what they don’t know, which makes them prime targets for phishing attacks. Does your team have an incident response management plan and checklist? Have you articulated how to follow the four factor/three exception methodology in the event of a loss of PHI? There are numerous policies that need to be addressed, every single day of the year. We can build you a security incident management playbook, create scenarios where you practice the process, and perform penetration testing to find those holes because your incident management isn’t for practice; it’s for real. 

SRAs: An Expanding Mandate for Healthcare Innovation 

These existential threats to PHI are well-known to regulators, which is why SRAs have been a longtime HIPAA mandate. But now there is also a mandate to participate in the Merit-based Incentive Payment System (MIPS). So to cut to the chase, you have money on the table you will lose if you don’t conduct an SRA. Specifically, SRAs are one of the core requirements within the Advancing Care Information performance category in MIPs. Additionally, many commercial and private partnership agreements now include security clauses that mandate regular SRAs. 

Through ClearDATA Assess, your team will create an ePHI inventory to determine where electronic and other data is located, which is saved in the Assess portal for you to access should you need it, for audit purposes or for your next SRA. The inventory gives both parties and a clear view into where your risks lie—from low-level risks to urgent action, high-level risks. We’ll also work with you to create a remediation roadmap where you can identify which gaps you need to address first and foremost, and then make an executable plan to address all gaps by assigning roles and tasks within the Assess portal. And we’ll present the plan to your C-suite, empowering your CIO, CEO and CTO to get on the same page about a path forward to minimize risk so you can focus on business objectives and innovating healthcare solutions.  

 If it’s been a while since your last SRA—or maybe you’ve never conducted one you truly felt confident in—don’t wait until your organization faces a devastating breach. Now is the best time to perform this mandated security exerciseIt’s an essential step to protecting your patient data on your path to healthcare innovation. Turn to the HITRUST-certified, healthcare exclusive cloud experts at ClearDATA and start protecting your organization from security gaps you don’t know you have. 

Request a Consultation