Struggling with Risk Assessments
Security Expert Offers Tips, Analyzes Survey Results
Some 37 percent of senior healthcare information security executives taking part in the Healthcare Information Security Today survey said their organizations had no breach of any size in 2013, and 53 percent said their business associates also had no data breaches in the previous 12 months.
"I suspect there are many more breaches occurring that aren't even recognized," says Kate Borten, founder of security consulting firm The Marblehead Group, in an interview with Information Security Media Group to analyze the survey findings (see transcript below).
Detection of breaches has to involve the entire staff, she stresses. "This isn't just manager training. This is workforcewide," she says. Not only do incidents need to be recognized, they need to be assessed by the process called for in the HIPAA Omnibus Rule to determine whether the breach must be reported to the Department of Health and Human Services, she says.
While technology can help prevent and detect breaches, Borten says, "most of the organizations, if not all that I deal with, fall way short in terms ... of adequate workforce training."
In the interview, Borten also discusses:
- Why organizations struggle to perform thorough security risk assessments;
- Steps organizations can take to monitor whether their security controls are working;
- Suggestions for covered entities about ensuring that the security controls maintained by their business associates and their subcontractors are effective.
Before founding The Marblehead Group in 1999, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer.
Breach Detection
MARIANNE KOLBASUK MCGEE: Of those respondents participating in the 2014 Healthcare Information Security Today survey, 37 percent said their organizations had no breach of any size in 2013, and 53 percent said their business associates had no data breaches in the previous 12 months. Do you think it's possible that more organizations are experiencing breaches than they realize?
KATE BORTEN: I think you're exactly right, unfortunately, even though this is not a new topic for healthcare. There are still so many organizations that I encounter where they are still struggling with what constitutes protected health information. If you don't even understand that - let's say a list of patients at your practice is printed out and gets dropped in the parking lot - if you don't recognize that simply a patient's name associated with your organization is PHI and has to be treated as an incident and investigated to determine if in fact that is a HIPAA violation ... then I think you clearly are missing out, and this is all too common. I suspect there are many more breaches occurring that aren't even recognized, and it has to be at the ground level, the individuals [recognizing the potential breach]. This isn't just manager training. This is workforcewide - recognizing what is an incident to be reported.
The second issue is: Are organizations actually identifying this as a privacy/security incident [which needs to] go through the [breach assessment] process that HHS laid out in the Omnibus Rule breach notification rule?
Improving Breach Detection
MCGEE: What do you think are the best ways for organizations to improve their breach detection?
BORTEN: Technology is wonderful and I think any reasonable technology that we have we should be using. I noticed in the survey more and more organizations are actually implementing some data loss prevention or DLP technologies. The prime technology that comes out in the survey, and also if we look at the ... breaches on the [HHS] "wall of shame," there is still a lot that we have to do to get control of mobile portable devices and media. So I think encryption is something that should be a no-brainer. Not that it's trivial to implement, especially if it's not on your own devices but user-owned, but I think we have a long way to go. Too many organizations still haven't figured out "what is our policy?" "Are we going to permit our workforce to use their own computers?" And that goes down to tablets and smartphones for work purposes. ... "What kinds of protections are we going to impose?" If you're going to use your own smartphones, these are the rules you have to play by. That is a huge technological challenge that we still haven't really largely met. And my pet topic, it seems lately, is workforce training. Most of the organizations, if not all that I deal with, fall way short in terms of the content and delivery of adequate workforce training.
Breach Prevention
MCGEE: When it comes to tackling breach prevention, is there something that is most overlooked or forgotten about by organizations that they should be making better use of, or is there any sort of technology that is generally under-deployed?
BORTEN: There is not one single area that stands out or one single solution. I often say, information security is a model for applicability of continuous improvement. We should be thinking of our information security programs as constant, ongoing active programs that are looking for continuous improvement - iterative processes that identify, where are the problems and what can we do better? So it's complex. Training, for example, is a very weak area and a lot of organizations don't recognize their own weaknesses in training. More organizations should be rolling out encryption. ... I come across many, many organizations that have started with, say, encrypting all their laptops and they haven't gone to the next step. That's the easiest piece and it's usually the starting point; let's encrypt all the laptops that we issue and control and configure. But that's not good enough. That is just a starting point.
Breach Fallout
MCGEE: For organizations or business associates that did have a breach in 2013, our survey shows the major impact included subsequent changes in security procedures and training. However, for some the fallout also included lawsuits, regulatory penalties, employee terminations and damage to reputation. When it comes to the fallout of breaches, what do you think organizations should be most worried about? And how should they best be prepared to deal with the aftermath of a breach?
BORTEN: Your survey really pinpoints all of the issues, the variety of negative consequences that any organization ... faces with a breach. I just read that Target is facing a gazillion legal cases all over the country. Their revenue fell way off, so they are getting a reputation hit, lawsuit hit, and all sorts of things. More and more organizations that I deal with, one change in just recent years is they are buying cyber-insurance. Each policy has to be looked at closely in terms of what would be covered. ... But that just helps alleviate a little bit of the financial hit; it doesn't really deal with things like future revenue and reputation loss, and so on. Again, the way to deal with it is reduce the likelihood that you're going to have a breach, which means a stronger information security program to begin with. Incident response plans are also a very weak area. ... So be proactive, beef up your information security program. To me, training is the most "bang for the buck," the greatest value for the dollar. Training can be used to compensate for weaknesses, say, in technology and other processes. So I just can't stress enough the value of a really robust information security and privacy training program.
Biggest Threats
MCGEE: What do you think are the biggest security threats facing healthcare entities? What threats should they be most concerned about?
BORTEN: It's our own people who are most likely to be the cause of a breach. I think that is absolutely the case. For so many years, there's been so much hype about the external hackers - and it's true, they're definitely out there and they are definitely doing bad things, identity theft and so on. But for healthcare organizations and for their business associates, for most, the big threats ... come from the insiders. You have policies, you have procedures, and then you have to teach people what are the right things to do and the wrong things to do in terms of behavioral expectations.
And when people don't do the right thing - for example, when managers forget to notify the IT departments that some business associate no longer needs access [to PHI], that's not a mistake, that's a violation of the organization's policy and that could definitely lead to a breach. So I would not be as generous in simply attributing these [types of breaches] to mistakes. I'm not sure what a mistake means. There are certainly cases where it's just something bad that happened that you couldn't have prevented. But many of the things that happen inside organizations are absolutely preventable. The other issues are mobile devices, and loss and theft of such devices, and insider record-snooping. These are all, unfortunately, very real causes for concern.
Risk Assessment
MCGEE: As we all know, security risk assessments have been a weak spot at many healthcare organizations, and federal regulators have been ramping up their scrutiny of HIPAA risk assessments. In fact, this year three quarters of our survey respondents said that they conducted a risk assessment in 2013, compared with last year's survey, which found only two thirds of entities conducting a risk assessment within the last year. Do you think organizations are starting to take risk assessments more seriously? And what are the biggest mistakes that you see organizations making in their risk assessments?
BORTEN: I am seeing certain covered entities stepping up risk assessments, whether they are performing them internally or bringing in a consultant. And in many cases it is directly related to applying for [HITECH Act] meaningful use incentive payments. So one of the criteria for receiving the Medicare and Medicaid incentive payments is someone has to attest that yes, our organization has performed a security risk assessment as required by the HIPAA Security Rule, and we have addressed or are mitigating the significant problems we've identified. So I think that is a major driver in the past year or so and many more organizations are doing it.
But I also think that it's very distressing that this is very often the first risk assessment an organization has ever performed, despite the fact that this has been a [HIPAA] requirement since 2005. I have a certain amount of sympathy because there isn't a nice cookie-cutter approach to this. I do recommend that organizations or whoever is responsible for performing risk assessment read the NIST document to learn a little background or HHS's version to understand some basic concepts. ... So, I think it's a bit distressing or shocking that they haven't been done in the past. I'm glad that organizations are doing it now.
There are many different ways to approach [risk assessment]. As HHS says, a checklist isn't sufficient; it's common to see a smaller organization simply using some vendor checklist. To do a risk assessment really properly, you need someone, whether internal or external, who has some security background ... or somebody who is willing to put in the time to teach themselves. There are certainly a lot of resources out there. It's still a struggle for many organizations. ... This is still very problematic for covered entities as well as for business associates. Many business associates are very new to this - very new to information security in general.
Security Controls
MCGEE: When it comes to organizations measuring and monitoring whether their security controls are working, our survey respondents say that they are depending on internal or external risk analysis and compliance audits. Others say they hire outside firms or assign IT staff to attempt to gain unauthorized access to their systems, and then others are using internal metrics to monitor operation and effectiveness of controls. So, what do you think are the best ways organizations can measure or monitor whether their security controls are working?
BORTEN: A compliance audit and a security risk assessment are both required, and they are not required to be done once. It's not a one-off. They are required to be done routinely, periodically. They can overlap significantly. I would argue that if you do a compliance audit and you find HIPAA Security Rule requirements that your organization is not meeting, it is most likely that is also a security risk. ... There is a lot of overlap, but a security risk assessment also goes beyond what is strictly in the security rule. The HIPAA Security Rule says nothing about network security or perimeter security. There is no mention of firewalls and things like that. Both of those are required and they are distinct. I would say, in terms of penetration tests, one of the options is hiring an outside firm to attempt to gain unauthorized access. ... At least attempting to penetrate any public IP addresses that belong to your organization should be a routine process.
You might do it yourselves every other year and hire a professional in the years in between. That is not generally an extremely expensive effort. There are plenty of security companies across the country that specialize in that. They come in, they hit those public IP addresses, and give you a report with recommendations. So it's a very good confirmation that that aspect of your network is well-configured and secure. They might find, let's say, a server that hasn't been patched or a poor configuration and so on. So that is very important to do, but it is also important to recognize that it is simply looking at one very small piece of the entire information security program. That is important, but it is only a piece of it.
Using internal metrics to monitor controls is required in any security program. It's an area where many organizations fall down because, frankly, it is difficult and it takes resources. One thing to monitor is logs, although a lot of organizations I work with are not actually monitoring their logs. In some cases this is outsourced to security specialists, which is fine. What I recommend to all my clients is a very simple checklist and a requirement that departments or areas need to do a security walk-around, audit themselves [for] security and privacy [compliance]. In a clinical setting, in a hospital or a doctor's office, walking around to make sure that papers aren't lying around, medical records aren't just left in a storage room, network closets are locked, physicians and other staff are logging off or locking computers before walking away. It's a very, very low-tech effort, but it is important to do because that's where a lot of problems occur. So that is something I strongly recommend as a monitoring tactic. That is easy to do and should be done in every organization.
Monitoring Business Associates
MCGEE: How do you think the covered entities should go about ensuring that the security controls maintained by their business associates and their subcontractors are effective?
BORTEN: In my experience, very few provider organizations really know what is going on in their business associate's realm. The health plans or the health insurers and the large pharmacies, these are big corporations and they are typically performing audits of their business associates. So they really do have some measure of what is going on with their business associates. On the other hand, I know of no hospitals or clinics or physician practices, or those sorts of care organizations ... that are actually auditing their business associates. I think it is because they are so overwhelmed with their own needs to get their own organization up to speed. So I have sympathy, but essentially dealing with the business associates is like dealing with the Wizard of Oz behind a screen. You have no idea.
Increasingly, we are seeing some very big players become HIPAA business associates. Amazon for example, [and] Microsoft are now business associates too ... because they are typically doing a lot of hosting. But not only is it totally opaque usually when the small business associate is using Amazon [as a subcontractor], Amazon says, "Here is our BA contract. We're willing to sign ours, but we're not going to sign yours." So they're using their size and clout. So I think there is really no way that the business associate or covered entity dealing with some of these other BAs, downstream BAs, really knows what is going on.
If you are dealing with a small mom-and-pop as a business associate, I would be very concerned because it is unlikely that they really have information security expertise and understand security controls. So the whole BA question is a really tough challenge for covered entities ... We don't really know there is a lot of risk in our business associates.