With each new headline of another healthcare data breach, one question becomes ever more urgent for healthcare technology vendors to answer. Are they adequately safeguarding the protected healthcare information under their watch?
The reality is, many won’t know the answer until after a data breach occurs.
Given the increase in such incidents and the toll they take on patients (whose private health information can be used to commit medical fraud or even blackmail), this needs to change. Vendors must commit to closing off every possible avenue of risk to the medical records and other health data in their systems. And that starts with scoping out just how much at risk these systems are.
What’s behind the widespread failure to assess risk?
The HIPAA Security Rule requires that certain organizations, known as covered entities and business associates, regularly perform risk assessments. Yet 33 percent never have, increasing the rate of healthcare data breaches. That’s a troubling statistic, especially now that one in 10 Americans has been affected by a healthcare data breach.
But many vendors struggle to find enough staff time to take these assessments on. It’s intensive, multi-layered work, and IT professionals must know what to look for. Further, a one-time risk assessment is not enough; at minimum, they should take place annually.
The basic framework of a security risk assessment:
- Conduct a periodic review of data inventories and critical assets;
- Assess the administrative, physical and technical safeguards in place to protect healthcare data;
- Perform regular re-evaluations of risk (repeat the above two steps)
- The best way to assure such a rigorous security philosophy is followed? Appoint a chief privacy officer – and one who is actually in the game, not just a figurehead.
More tips and takeaways
Another important component of a security risk assessment: know where your protected health information is stored. Otherwise, how will you know that you have the appropriate safeguards in place? Conduct an inventory so you know where this data is, in which applications it lies and who has access to it. Then, in the event of a breach, you’ll be able to quickly report it and shut it down.
While this in itself may be of small comfort, it’s nothing less than stunning how long so many breaches go undetected. Research shows that only 5 percent of breaches are discovered within three months of entry. On that note, if the breach exceeds more than 500 records or you don’t know how many records were compromised, you must report it to the Office of Civil Rights (OCR).
Penetration testing (pen testing for short) should be done on at least an annual basis by professionals who are hired to ethically hack into your systems. Very often they may find entry via an outdated, unsupported operating system or software (some examples: Microsoft XP and SQL 2003, to name just a couple). Such systems and apps should be retired as part of a sound risk management policy. In a related suggestion, so should data, after a certain period of time. A data lifecycle map is essential here.
Should you hire a security risk assessment partner?
Again, the essence of a sound risk assessment policy is a periodic review of data and data assets, including the safeguards in place to protect them. These safeguards are mandated by the HIPAA Security Rule, and there are 52 such requirements. The HIPAA Security Rule also requires such reviews take place every other year.
However, your goal should be exceeding – not just meeting – HIPAA compliance to stay ahead of hackers determined to crack your network. If you have any doubts about your organization’s IT security expertise or availability in time to perform a security risk assessment, it’s most definitely the wiser course to partner with a specialist in this area.
Typical credentials of a partner well-versed in security risk assessments will include HITRUST-Certification, an onsite chief privacy officer (CIPP/US, CIPP/IT Certified) and mandatory HIPAA training for all employees. Such a partner will be able to quickly determine just how at risk you – and, by extension, your customers – are for a data breach. And “quickly” is the operative word here. Taking a “wait and see” approach is a waiting game that, in the end, only the hackers win.
About the Author: Carl Kunkleman is senior vice president and co-founder of ClearDATA.