Health IT owners are faced with the challenge of a growing demand to create and operate a solid electronic health record (EHR) security ecosystem. The security risk assessment needed to begin this
But do health IT owners understand the security status along every perimeter, including practices? Do they know how to "stay out of the headlines"?
The majority of health IT owners focus on securing data inside their data centers, but many chief information officers and chief medical information officers don't clearly understand or focus on the threats and issues that exist outside the data center. What measures are in place to deal with data breaches, hacker attacks and theft? What personnel, processes and technologies are needed to address these and other external factors?
Vision is one of the largest challenges facing health IT owners trying to secure their organizations. Without properly enumerating all their processes, technologies and stakeholders -- and the associated risks -- they will find it nearly impossible to design and implement proper controls. The population of a small to mid-sized health care organization can number in the hundreds or the thousands. Factor in the number of processes and technologies that that population uses, and the situation becomes overwhelming.
If a clear view can be established, control, design and implementation -- as well as information security decision-making -- become easier, and the risks to protected information assets decrease significantly.
A security risk assessment reviews existing administrative, technical and physical controls within and outside the organization. It requires analyzing these controls against best practices frameworks, and quantifying risks and gaps to create a program roadmap.
Properly followed, the outcome of the process is a comprehensive assessment of an organization's security program, a set of recommendations, and a clear roadmap and remediation plan. An assessment ensures that an organization is secure inside and out, aligns compliance and business drivers, and provides a critical view of the organization's security posture. Furthermore, a risk assessment is required to satisfy meaningful use criteria to receive federal incentives. To complete a risk assessment, follow this four-step process:
Security risk assessment step 1: Discovery
There are a multitude of drivers and objectives in every organization. Identifying these early in the security risk assessment will ensure the results are tailored to fit the organization.
A risk assessment needs to go beyond regulatory expectations to ensure an organization is truly protecting its sensitive information assets.
Such elements as fiscal responsibility, staffing, regulatory drivers, business objectives and operational drivers are must-have knowledge when security risk is being assessed. The discovery phase is where all this information -- as well as any existing documentation pertinent to people, process and technology -- will be collected. Once the documentation has been collected, it is critical that the person doing the assessment sit down with data owners or other stakeholders to understand the processes and the lifecycle of the information they use.
Discovery should be the longest phase of the risk assessment process. Ensuring that all information is collected, processes are acknowledged, and the drivers and objectives behind these processes are understood -- these provide the groundwork for a solid risk assessment with optimal value.
Security risk assessment step 2: Assessment
Here a framework is used to analyze and quantify all the collected information. Many best practices frameworks -- authored as agnostic or as regulatory drivers -- are available, most notably those provided by the International Standards Organization, or ISO; National Institute of Standards and Technology, or NIST; and the Information Systems Audit and Control Association, or ISACA.
A best-of-breed framework is recommended for risk assessment rather than a best practices framework. A best-of-breed framework ensures that applicable regulatory drivers are mapped to the chosen best practices framework. In this way, regulatory compliance can be something that is monitored and reported painlessly. Collected information is compared against the control objectives or statements within the chosen framework, and the result is a quantified current state of an organization's security posture and pertinent compliance states.
Security risk assessment step 3: Recommendation
The output of the assessment phase will be a pointed, point-by point list of the good, the bad and the ugly for an organization's security posture. During the recommendation phase, it is important to align any gaps and weaknesses with the drivers and objectives identified in the discovery phase. From there, draft the applicable recommendations to close the gaps and correct weaknesses.
Recommendations should be phased according to such categories as tactical (six to eight weeks), mid-term (two to six months), and strategic (six to 18 months or longer). Phasing recommendations this way ensures quick-fix and low-effort items are remediated immediately. Longer-term items that involve purchasing technologies or reengineering processes can be planned well and involve all the proper stakeholders.
Security risk assessment step 4: Review
Finally, once all recommendations are drafted, they should be reviewed with business units and stakeholders to ensure they are suitable and aligned with the business vision and operations.
A well-planned security risk assessment provides vision and key decision-making information to stakeholders, ensuring the protection of critical information assets. Security initiatives that are not aligned correctly with business drivers are tactical in nature and ultimately will fail. A strategic security program evolves with updated standards and legislation, organizational goals and emerging technologies.
A risk assessment needs to go beyond regulatory expectations to ensure an organization is truly protecting its sensitive information assets. Using a best-of-breed framework lets an organization complete a security risk assessment that identifies security, not regulatory, gaps and controls weaknesses. If information assets are secured, rather than simply made compliant, emerging legislation will become a checkbox instead of a tactical financial black hole.
This was first published in September 2010