Originally published to Electronic Health Reporter on May 8, 2020 by Carl Kunkleman, SVP and Co-founder, ClearDATA
Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.
Add to this the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in on-boarding or off-boarding employees, technical infrastructures that didn’t have time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.
Sadly, this sense of chaos creates the ideal conditions for the hackers of the world looking to infiltrate via phishing, malware, ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment, known as an SRA. Your internal teams and resources are stressed, overworked and possibly burned out, and an SRA can identify the security gaps that will inevitably arise and present an actionable plan to remediate them. This will help reduce risk and protect your organization’s finances and reputation while we all find out what “getting back to normal” will mean.
Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last month to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.
Because an SRA covers administrative, technical and physical safeguards, your entire organization will benefit from the process. I continue to find organizations that think their PHI is protected because they have password protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even in PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?
Just take a quick look at the OCR breach portal and you’ll see 98 (and climbing) healthcare data breaches are already under investigation this year. How many of those organizations had a current SRA on file? I can assure you their legal teams are likely seeking one now … by OCR mandate.
Once we, as a tired and exhausted nation, are able to contain this emergency, the costly legal fallout from cybercrime is not where you’ll want to direct your healthcare organization’s energy and dollars. A security risk assessment can help minimize that risk and help you fortify your defenses as you get your ‘house’ back in order.
I’m also seeing that some organizations have done a good job of conducting regular SRAs but then don’t do much with the findings. It can be hard to create and monitor actionable remediation plans with accountability. We’ve heard and seen this and have just launched software that gives organizations a portal with 24/7 visibility into that organization’s remediation roadmap.
It’s trackable and reportable.
Key tasks can be assigned to specific team members who can log progress toward your individual and shared goals. With tools like ClearDATA Assess, we can create collaboration and accountability in security. The end result is a stronger, safer organization with more time and energy to devote to the most important thing you do: improve patient outcomes and the health of our communities.