Carl Kunkleman Answers Why You Need a Security Risk Assessment on CTO Talk

Author: Matt Ferrari
Chief Technology Officer

I hope you had a chance to listen to episode one of my new HealthcareNOW Radio show and podcast series CTO Talk (archived here: In episode two, I have the pleasure of sharing insights from our Senior VP and Co-founder, Carl Kunkelman. Carl runs ClearData’s security business, and on this 30-minute episode he’ll walk through the importance of a security risk assessment.

Some folks may not be aware, but as we move from fee-for-service to value-based care, MACRA policy changes now require a security risk assessment. This year – 2017 – is the base year for 2019 Medicare funding, and any organization that does not have an SRA in place by the end of 2017 can lose up to 4% of their Medicare distribution in 2019. From there, the funding deductions go up each year.

But, having an SRA is about more than just guaranteeing larger distributions. It’s an important way to help your IT professionals keep pace with advancing technologies and prepare against cyber threats like ransomware.

In this episode, Carl relates the story of a seasoned IT professional with a 10-center practice who thought he and his team of about 100 people were doing everything right. Sadly, he awoke one Easter morning to learn he had been compromised with ransomware. People often think they are too small to be a target of ransomware, and that’s just not true. I’m haunted by this story because this gentleman’s lifetime career success could have been protected, and now this breach is his legacy. What will your legacy be? If he had a thorough SRA, and our dashboards running, we could have helped him avoid this situation.

Here are some other insights Carl shares about SRAs in this episode:

  • Why you need a third party SRA, especially for your first assessment
  • How to prepare your team for your first SRA
  • Best practices you should implement with your SRA, including a PHI inventory
  • Why to conduct a thorough policy and procedure review

He also identifies some gaps he commonly sees as he is conducting SRAs. As Carl says, if this is the first SRA for your organization, we can say with 100 percent confidence we will find high, medium and low risk opportunities for improvement. But beyond just finding it, we’ll work with your team to identify how to remediate it. And that’s another added value of the SRA – it not only identifies risks, but it also arms your IT professionals with objective evidence to argue for more money and resources to address those risks.

This episode was a reminder to me of what I love about my job. I’m a technical guy by trade. I love that I get to work with healthcare professionals that shouldn’t be focusing their limited time and energy solely on security and compliance. They should be focused on what only they can do – making healthcare better every day. I’m glad I get to be a part of building out the solutions that help them do just that. 

Tune in to this episode on HealthcareNOW Radio: rebroadcasts at 7:00am, 3:00pm and 11:00pm ET every weekday.

Thank you for subscribing!