As my colleague Alex Masten did an excellent job of describing in another recent Clearwater blog, the HIPAA Security Rule maintains that a risk analysis must be performed as new systems and technologies are implemented, or there are any material environmental changes. The new systems and processes should be analyzed to ensure patient data is reasonably and appropriately protected and existing security measures are reasonable and appropriate to protect against the risks associated with evolving threats and vulnerabilities.
But from both a regulatory and a security perspective, it’s not enough to simply perform a risk analysis. The HIPAA Security Rule requires and today’s rapidly evolving threat landscape demands that organizations respond to the risks identified appropriately and effectively.
It’s not about throwing some new control – whatever is hot on the Internet, some response to ransomware – at the problem. The problem is broader than that. Cyber risk management involves identifying threats and vulnerabilities and knowing what your risks are so you can invest wisely in responding to them.
And in the unfortunate event of an Office for Civil Rights (OCR) investigation, they will be looking for evidence that the organization has implemented security measures to appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating, and that such security measures are sufficient to reduce identified risks to an acceptable level.
OCR is going to want to see that there’s rigor applied in your risk management plan, and they’re going to want to see documented evidence of it. It’s very hard to put that together after the fact. We’ve seen that with organizations scrambling to find evidence to document the controls they’ve got in place. So rather than scrambling and having ten days sometimes to respond to an OCR letter, we strongly recommend that you have an ongoing risk response process.
Determine Your Risk Threshold
Before getting into what constitutes an effective risk response process, let’s pause for a moment and ask a question. Do all risks require a response?
Well, not every risk requires an action. If you rate risk on a scale of 1 to 25, and upon evaluating a risk, you find it has a rating of three, that risk doesn’t necessarily need mitigation. That’s a less critical risk and you have bigger fish to fry, as they might say. But all risks do need a response.
Risk response requires setting your risk threshold and understanding your risk appetite. It requires real risk analysis as a foundation. Risk response is about informed decision making.
Having a thoughtful process of documenting what your risk threshold is, is very useful for two reasons. One, it shows that you’re using your security dollars thoughtfully, on the basis of a real analytical process. Number two, it shows that you have a governance process in place and you are giving thought to what is the right level of risk for your organization.
I have often talked to organizations, and they say, “We’ve got the risk register. We’ve got all these risks. There’s no way we can possibly address all these.” You don’t address all of them. That’s really not a thoughtful, wise approach. But documenting what is the level you’re going to accept risk at and what is the level of risk you’re going to require treatment at is setting your risk threshold. That’s a thoughtful governance and cyber risk management approach.
It’s not a decision that should be made by an engineer in the bowels of the IT organization. It should be made by those who have ownership of security and privacy for the organization.
Understand Your Response Options
Once the risk threshold is determined and risks are analyzed, what are the options for effective risk response? As I just described, risk acceptance is the appropriate risk response when the identified risk is within the organization’s risk tolerance. But you shouldn’t just accept the risk and not document it. Documenting that you’ve accepted a risk and it’s within your tolerance is the complete and effective response.
Risk avoidance is a very valid option, and it involves taking specific actions to eliminate the activities or technologies that are the basis for the risk. If a particular laptop, for example, is a source of risk because it’s out of date, the recommended risk response would be to decommission the laptop and get some new ones.
With transfer, it shifts the risk liability from one organization to another, for example, using insurance. But keep in mind that while insurance offsets the financial impact of a risk, it does not offset all of the impacts of a risk and it’s only a partial way of treating risk. Responses can be done in combination. You might decide to mitigate and transfer at the same time. That’s not unusual.
Risk mitigation is the response we typically think of when discussing how to manage risk. If you can’t accept the risk and you can’t avoid it and you can’t transfer it, then you need to take some action to mitigate the risk by applying appropriate controls.
Evaluate the Alternatives
Having defined our risk response options, let’s turn our attention to evaluating alternatives and consider what that means. When you look at the NIST standards, they outline two key ways of evaluating alternatives.
The first is in terms of effectiveness, the expected effectiveness in achieving the desired risk response. It may include building in additional controls beyond what you currently have or increasing the strength of an existing control, enhancing what you’ve got rather than adding new.
You balance effectiveness with feasibility. The anticipated feasibility of the implementation. Cost is the obvious thing that comes to mind when you’re looking at a new control or an enhanced control, but don’t forget the mission, legal, technical and operational considerations. Undoubtedly, for those of us in healthcare, we’re all very aware of the fact that sometimes new controls can affect the clinical workflow and those impacts on the clinical workflow, doctors, nurses, and the work that they’re doing are an important consideration. But it can’t be the only consideration.
Organizations used to say we can’t share passwords, so we have to tape the password to the laptop on the screen of the laptop so whomever walks up knows the password and can use the laptop. We’ve all begun to realize that that’s no longer a viable way of maintaining and safeguarding sensitive data. It was really easy from an operational perspective, but not very effective from a security standpoint.
Make an Informed Decision
Let’s now go into a little more detailed example on risk mitigation. We’re going to look at a risk for laptops again. Laptops are the gateway to your claim payment system, your electronic health record system, and other systems that contain protected health information. There’s a looming threat of system crackers and social engineering, and there’s a potential vulnerability around untrained, untested staff.
What are we going to do from a risk response perspective about this risk? At a significant risk rating in our risk register, there are a whole number of options we could look at. You could think about things like access logging, information disclosure procedures, log aggregation analysis, security and privacy awareness training, and social engineering testing – all are really good safeguards for this particular vulnerability.
We did a risk analysis. We looked at those controls and we determined that a number of them, in this case for this particular asset, were not in place. Access logging was not in place. Log aggregation analysis was not in place. The next steps is to look at the various controls and consider should I be adding these, should I be enhancing these? Which of these things should I be doing?
For each of the controls, you want to think about effectiveness, cost, and feasibility. Within our IRM|Analysis™ software we use a five-point scale rating the control from highly effective all the way through not at all effective. We evaluate feasibility on a five-point scale as well. It’s also important to document the costs for each of the controls.
All of these things help you determine what is a good course of action for reducing this risk. Something might be rather expensive and you can’t do it this year, but there are some things you can do. You’re not forced into the response of, “I’ve got to do all of them.” Doing all of them is not very practical in most cases. Doing none of them shows a lack of diligence. But selecting from these alternatives based on an informed understanding of effectiveness and feasibility and cost, that’s a thoughtful approach that anyone reviewing your risk management program most certainly will appreciate.
To learn more about how IRM|Analysis can enable an effective risk response process, building from a comprehensive risk analysis, review the Clearwater on-demand webinar From Risk Analysis to Risk Reduction: A Step-By-Step Approach or visit https://clearwatercompliance.com/irmpro/irmanalysis/.
Reach out to our team with your questions at info@clearwatercompliance.com