Case Study: Intermountain Risk AnalysisHospital System Plans to Share Security Best Practices
As a result of the intensified risk analysis, Intermountain has dozens of security projects under way with the help of consulting firm Computer Science Corp. to improve its security practices and mitigate risks. For example, it's working on revamping employee HIPAA training, improving physical security measures and being more consistent in implementing, enforcing and documenting security procedures and policies.
Plus, Intermountain plans to develop security best practices that it will share with other healthcare organizations. It will collaborate on this effort with security experts from banks, government agencies and technology vendors.
"Intermountain was provided a vision and mission by our founders - simply it is to be a model healthcare system," says CIO Marc Probst. "Every area - clinical, financial, administrative, and, of course, information systems - takes this mission seriously. Protecting sensitive data is a key area where we should be leaders and serve as a model. Our work continues to strive to be this model."
Raising the Bar
With 22 hospitals and more than 180 clinics, Salt Lake City-based Intermountain is a dominant healthcare provider in Utah and Idaho. While its routine has been to conduct security risk assessments annually, last fall, Intermountain's leadership team decided to step up its risk analysis efforts. That's because they wanted to make certain that the organization could pass any possible HIPAA compliance inspection by the Department of Health and Human Services' Office for Civil Rights.
"We wanted to do an assessment of our OCR-audit readiness," says Intermountain CISO Karl West. While Intermountain usually has had external firms involved with its risk assessments and audits, the organization decided to engage KPMG this time. That's the same consulting firm that OCR hired to conduct the first 115 HIPAA audits under its pilot HIPAA audit program in 2012.
When OCR introduced its HIPAA audit guidance last year, "we knew we wanted to be prepared," says West, especially in light of predictions that OCR would increase its number of audits in coming years. In the meantime, OCR also has been stiffening enforcement actions and issuing seven-figure monetary settlements against some healthcare providers following data breach investigations (see: HIPAA Breach: The CSO's Perspective).
"We looked at what was happening with fines and penalties and the failures [spotlighted] by OCR [at other organizations] and saw that something is wrong in the healthcare industry," especially in terms of how risk assessments are being done, West says
KPMG told Intermountain that its risk assessment couldn't use the exact proprietary audit protocol that was developed for the OCR program, West says. "But we did ask them to do a detailed assessment ... with the mindset of identifying all risks that would be exposed in an OCR audit." (see: HIPAA Protocol Lacks Meat).
"The risk assessment completed by KPMG was timely and important to Intermountain Healthcare," Probst says. "As the OCR provides further guidance and interpretation of the HIPAA requirements, we are finding areas of greater emphasis and associated security requirements. By working with KPMG, we have gained an even greater understanding of these requirements and the steps we need to take as an organization to better protect the sensitive and important data our patients, members, employees and others have entrusted to us."
Room for Improvement
KPMG's assessment, which took about five months to complete, uncovered a range of areas that needed attention, West says. Some of the findings were typical of what other healthcare organizations tend to do wrong, West says. "Based on the healthcare industry's interpretation of HIPAA, we were doing great. But based on OCR's interpretation, we were off the mark [in many areas] that need change through remediation."
For instance, among the more significant findings was that "policies and procedure language gets loose, instead of being strict," West says.
The risk assessment spotlighted a lack of consistency in policies and procedures in areas ranging from employee HIPAA training to encryption and physical IT security, West says.
So the security projects under way - which West says will in total will cost "multi-million" dollars - include work aimed at remediating those issues. About 80 percent of the remediation work to mitigate risks will be addressed by the end of 2013, and the last 20 percent, which includes more complex projects, might take a few years to complete. That multi-year work includes redesigning Intermountain's network and encrypting data at rest in data center computers, West says.
Most healthcare organizations prioritize the protection of electronic health information based on the source of the data, West says. So many won't use the same level of protection on PHI in an application that's used by a handful of workers in a small department as they would for applications and data used by thousands, he says. But under HIPAA, all systems that have PHI need to be identified and be protected, he notes. "And if the data isn't protected that same way, you have to document why you did something differently", he adds.
"We had identified all systems and ranked them [by risk] and put protections on them. But we needed to document the way we protected A versus B," he explains.
So Intermountain now will document several levels of data protection. Based on risk, the organization will determine how best to implement access monitoring, software and hardware intrusion detection and data loss protection on servers and critical systems.
For instance, the risk analysis is helping determine whether Intermountain passwords for specific systems should expire every 30, 60 or 180 days.
"Every enterprise has an ID process, but there needs to be ongoing risk assessment," he says. "If the scoring for risk assessment changes, then we need to apply the appropriate protection."
Intermountain also is tackling physical security issues.
For instance, its largest facilities have had "wiring closets that are locked and electronically monitored," West says. "But the smaller, rural facilities don't have electronic surveillance of those closets, and that's a problem. We need to have that protection even in the smallest facility," because a breach of any closet can put patient data at risk, he notes.
The risk assessment also showed that Intermountain's policies and procedures for HIPAA training, especially for compliance with the security rule, needed improvement, West says.
Although Intermountain offers HIPAA compliance training annually, "we couldn't identify who took the training because it wasn't logged," he says. "You must track who took training and the policies and procedures you have in place."
For instance, Intermountain had privacy training in different formats, but didn't log who completed each type of training. Also, some of its training was offered through e-mail reminders and stories in the organization's in-house magazine, "but none of that is considered sufficient," West says.
All Intermountain employees now have to take four basic components of formal HIPAA training, and records of that training are being logged for each person. In addition, depending upon the worker's role, up to seven additional training components must be taken. For instance, a systems administrator might be required to take all 11 components, while those who work in housekeeping or financial administration might be required to take fewer components.
And there are sanctions attached to the training; penalties range up to firing those who fail to comply, West says.
In addition to its own security remediation work, Intermountain wants to take a leadership role in helping develop healthcare data security best practices, West says. It will collaborate on this effort with security experts from banks, government agencies and security vendors.
The 12 areas of security best practices Intermountain plans to address are:
- Asset management;
- Business continuity management;
- Communications and operations management;
- Human resources security;
- Information security incident management;
- Information systems acquisition, development and maintenance;
- Organization of information security;
- Organization of information technology;
- Physical and environmental security;
- Risk assessment and mitigation;
- Security policy.
"We want to be on the leading edge of protecting ePHI ... have a leadership role as we move forward," West says.
Kirk Nahra, a privacy and security attorney at Wiley Rein LLP, lauds Intermountain's efforts. "Any reasonable steps that can be taken that can improve security are always good," he says.
But Intermountain's leadership efforts could bring new risks, he warns. "Being a role model is a good thing, but it can also be problematic - sometimes you set yourself up as a target," he says.