Conducting a risk assessment is a requirement of both the Health Insurance Portability and Accountability Act and the HITECH Act, yet some medical practices either still don't conduct them or have a limited view of their purpose, said speakers at a webinar organized by the Institute for Health Technology Transformation.
Speaking at the webinar, Three Defensive Moves for Data Security and Management in Healthcare, Paul Doucette, senior technical security engineer at Berkshire Health Systems said that security starts with a risk assessment. That process allowed his organization to identify where data existed, what form it took and where it was vulnerable. With the explosion of portable devices being used in health care today, this was no small task, but it is impossible to secure vulnerable points otherwise.
More on risk assessments
Strategies for a HIPAA risk assessment
Risk assessment for stage 2 and HIPAA
Meaningful use, HIPAA risk analysis
"The first thing we had to do was identify what data was where," Doucette said. "We had no idea what was on people's laptops and cellphones. It's amazing how they all come in, once you enable [bring your own device]."
Once Berkshire Health Systems identified all the places where workers stored data, it moved to encrypt all mobile devices, Doucette said. The system also runs data logging tools that enable the security team to track the movement of data. This becomes important for legal reasons in the event of a lost or stolen device. He can see exactly how many files were lost and what information they contained, which allows him to assess liability.
Even among organizations that conduct risk assessments, there are common misperceptions, said Kim Singletary, director of technical solutions marketing at McAfee Inc. For example, many believe it is appropriate to conduct a risk assessment every two years, or that the practice only needs to assess the security of electronic health data.
Neither the Health Insurance Portability and Accountability Act (HIPAA) nor the HITECH Act specifies how often a risk assessment should be conducted. They state that an organization should have a "current" assessment. Most security professionals interpret this to mean an assessment should be conducted annually or whenever an organization makes a substantial change to its security environment, such as updating an electronic health record system. Many believe that a risk assessment should be an ongoing process with no clear beginning or end, rather than a one-time event.
The key aspect with HIPAA is it always starts with the risk assessment. And I think some of the things we're learning through the [Office of Civil Rights] audits is that risk assessment has to happen more than just once. It has to be a process.
director of technical solutions marketing, McAfee Inc.
"The key aspect with HIPAA is it always starts with the risk assessment," Singletary said. "And I think some of the things we're learning through the [Office of Civil Rights] OCR audits is that risk assessment has to happen more than just once. It has to be a process." Once an organization has a solid risk assessment process in place, it's able to create policies and technical systems that mitigate vulnerabilities, she added. This may substantially reduce the risk of a data breach, which can be expensive. Federal authorities have increased enforcement efforts in recent years and are fining providers for breaches. There are also costs associated with credit monitoring for affected patients, marketing efforts to rebuild reputation and potential lost patients.
However, it is unlikely that a practice will be able to address all existing vulnerabilities once they are identified. A risk assessment should help practices identify which vulnerabilities are the most likely to result in harm, and what can be done about them within the scope of available budget and staff resources, said Brian Zeno, district sales manager for IT consulting and cloud computing service firm DynTek Inc.
Zeno broke down available security controls into four categories: physical control, device and media control, encryption control and disposal policy control. He said that most organizations do a good job setting policies controlling who has physical access to their facilities. Many providers are aware that they need to secure their devices, and so install some kind of antivirus and firewall software. But this may not be sufficient if the security team doesn't use the software in specific ways.
Organizations struggle most with encryption and disposal. Zeno said that he has worked with many practices that don't encrypt anything, even though encryption is relatively simple and inexpensive. This problem is often compounded because many providers don't have policies in place to govern the disposal of old computers and devices. Improperly disposing of devices containing unencrypted patient records leads to security risks.
Conducting a risk assessment can help a practice identify whether it's using these controls appropriately. Conversely, failing to conduct a thorough assessment could land providers in hot water with regulators. The OCR has signaled that it plans to continue enforcing all security and privacy provisions of HIPAA and the HITECH Act, and those who have no security review policy in place are most likely to be on the wrong end of enforcement action.