Podcast

Carl Kunkleman Answers Why You Need a Security Risk Assessment on CTO Talk


Matt Ferrari

by Matt Ferrari
Chief Technology Officer
ClearDATA


I hope you had a chance to listen to episode one of my HealthcareNOW Radio show and podcast series CTO Talk. In episode two, I had the pleasure of sharing insights with our Senior Vice President and Co-founder, Carl Kunkleman. Carl runs ClearDATA’s security assessment business, and on this 30-minute episode he walks us through the reasons a security risk assessment is necessary.

Some folks may not be aware, but as we move from fee-for-service to value-based care, MACRA policy changes now require a security risk assessment. 2017 is the base year for 2019 Medicare funding, and any organization that does not have an SRA in place by the end of 2017 can lose up to 4% of their Medicare distribution in 2019. From there, the funding deductions go up each year.

But, having an SRA is about more than just guaranteeing larger distributions. It’s an important way to help your IT professionals keep pace with advancing technologies and prepare against cyber threats like ransomware.

In this episode, Carl relates the story of a seasoned IT professional with a 10-center practice who thought he and his team of about 100 people were doing everything right. Sadly, he awoke one Easter morning to learn he had been compromised with ransomware. People often think they are too small to be a target of ransomware, and that’s just not true. I’m haunted by this story because this gentleman’s lifetime career success could have been protected, and now this breach is his legacy. What will your legacy be? If he had a thorough SRA, and our dashboards running, we could have helped him avoid this situation.

Here are some other insights Carl shares about SRAs in this episode:

  • Why you need a third party SRA, especially for your first assessment
  • How to prepare your team for your first SRA
  • Best practices you should implement with your SRA, including a PHI inventory
  • Why to conduct a thorough policy and procedure review

He also identifies some gaps he commonly sees as he is conducting SRAs. As Carl says, if this is the first SRA for your organization, we can say with 100 percent confidence we will find high, medium and low risk opportunities for improvement. But beyond just finding it, we’ll work with your team to identify how to remediate it. And that’s another added value of the SRA – it not only identifies risks, but it also arms your IT professionals with objective evidence to argue for more money and resources to address those risks. Give it a listen here:

This episode was a reminder to me of what I love about my job. I’m a technical guy by trade. I love that I get to work with healthcare professionals that shouldn’t be focusing their limited time and energy solely on security and compliance. They should be focused on what only they can do – making healthcare better every day. I’m glad I get to be a part of building out the solutions that help them do just that.