As CISO for Clearwater, I am responsible not only to internal stakeholders, but to customers as well. We take very seriously the responsibility to implement the processes and controls necessary to meet and exceed the requirements of our customers and ensure the data we interact with remains secure and private. In this blog and others that will follow in the series, it’s my goal to share insight on how we think about and approach the security of our solutions with other organizations that serve as Business Associates (BA) in the healthcare industry.
Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Omnibus Rule in 2013, more focus and liability has been placed on BAs – those organizations that provide products and services to healthcare providers and payers that are defined as covered entities under HIPAA. Expect these trends to continue as breaches that involve third parties continue to escalate. Review of the Office for Civil Rights (OCR) HIPAA Breach Reporting Tool data[i] through the end of January 2021 reveals that 33% of reported breaches involved a business associate. BA-driven breaches have an outsized impact, accounting for 54% of affected individuals. In both 2019 and 2020, the biggest reported healthcare data breaches were caused by a BA.
The following elements are critical for BAs to address, not only from a HIPAA compliance perspective, but also from the standpoint of protecting your organization’s reputation, reducing the likelihood and impact a breach should it happen, and better serving your customers.
Risk analysis and risk management are not only required for compliance with HIPAA regulations, but they will also provide the baseline to develop a strategic roadmap for the selection and implementation of controls.
Technical controls are designed to reduce the risk associated with the protection of electronic protected health information (ePHI) and other sensitive information to levels within the risk tolerance of your organization. Controls include data protection and encryption, access controls, virtual network segmentation and protection, system hardening (secure configuration), log management, aggregation, analysis and monitoring control effectiveness. It will help to rely on a control framework such as the NIST Special Publication 800-53[ii] and the NIST Cybersecurity Framework, HITRUST Common Controls Framework (HITRUST CSF), International Organization for Standardization (ISO®) 27000 series, and the Center for Internet Security (CIS) controls.
In addition to the requirements of your Covered Entity customers, and HIPAA, HITECH, and the Omnibus Rule, you will also need to comply with a litany of state privacy and security regulations. If you intend to provide data access to residents of countries other than the United States, there may be additional country- or region-specific legislation to note, including the European Union General Data Protection Regulation (GDPR).
Covered Entities maintain inventories, perform risk assessments, and protect themselves contractually through the use of business associate agreements with their vendors. It is imperative that you protect your organization with the same level of diligence as the covered entities you serve.
5. Secure Application Development Processes
Adoption of security requirements within all phases of the software development lifecycle is critical to meet the requirements of covered entity risk assessments and to protect your customers data. Adoption of a standard methodology will be crucial in your ability to produce a secure application. The Open Web Application Security Project (OWASP) Secure Coding Practices and the Microsoft Trustworthy Computing Security Development Lifecycle are two such methodologies. The next step in the process is to assess the maturity of your development processes using an established model, such as the OWASP Software Assurance Maturity Model or the Building Security in Maturity Model (BSIMM).
In the coming weeks, I will provide further insight around these subjects, as well as topical information about the threats and vulnerabilities that are relevant to your organization. For this first post, I share my views about risk analysis and risk management processes.
In the 95 enforcement actions involving ePHI pursued by the OCR to date, 89% of organizations failed to conduct a sufficient risk assessment[iii]. Over 50% of the Corrective Actions Plans issued by the OCR required organizations to conduct risk analysis periodically and establish a comprehensive risk management plan and process. Beyond the compliance aspects and potential fines, the risk management program is an effective methodology to determine both tactical and strategic initiatives for your organization.
HIPAA regulations and guidance from the department of Health and Human Services (HHS) and the OCR do not specify a framework required for risk analysis and risk management; however, Clearwater believes the Special Publications from the National Institute for Standards and Technology (NIST) are best suited for the program. They are available at no cost, and OCR is very familiar with them. The following Special Publications are valuable for development of a comprehensive risk management program:
- SP 800-30 – Guide for Conducting Risk Assessments
- SP 800-37 – Guide for Applying the Risk Management Framework
- SP 800-39 – Managing Information Security Risk
NIST SP 800-39 defines a four-phase risk management process:
The risk frame defines your organization’s approach to risk management, including risk appetite, assumptions, constraints, and priorities.
To assess risk, you must catalog your organization’s assets, document the threats to those assets, document the vulnerabilities to those assets, and the effectiveness of the controls in place to reduce the likelihood negative events will happen, and impact of those events.
At Clearwater, we use the IRM|Analysis® Software-as-a-Service application to map threat actors and threats, to vulnerabilities, assess control effectiveness, to organization assets. Each of these maps is referred to as a threat scenario. For each scenario, we rate the likelihood that the threat is realized and the impact to the organization if it does. Each factor is rated on a scale of 1 to 5, with a 5 being the most severe outcome or the most likely event. Risks will be rated on a scale of 1 to 25. A risk rated at most likely to happen (5) times the most severe outcome (5) gives us a risk rating of 25.
This Clearwater on-demand webinar on How to Conduct an OCR-Quality Risk Analysis is a helpful resource for learning more about assessing risk.
Risk response is method that your organization will chose to treat an identified risk that exceeds the risk appetite defined as part of risk framing. There are four options for risk treatment:
- Mitigate the risk – Improve the security controls or value of an asset to reduce the risk below the risk threshold.
- Avoid the risk – Retire/discontinue use of the asset.
- Transfer the risk – Retain cybersecurity insurance to cover the costs related to the risk should they be realized.
- Accept the risk – Risks below the identified threshold are inherently accepted. Acceptance of risks above the threshold must be given by the Board of Directors or Executive Management. Ignoring a risk is risk acceptance.
For a deeper dive on this subject, I invite you to review the Clearwater white paper From Risk Analysis to Risk Reduction: A Step-by-Step Approach.
Risks levels are not static; the risk environment is constantly changing. Residual risk levels change as control effectiveness improves or degrades. Threats and threat actors are evolving. The value of assets may increase or decrease. It is crucial that control effectiveness, asset valuations, and new vulnerabilities added to the risk rating calculations on an ongoing basis. Full and incremental risk analysis should be conducted periodically.
Again, we have a helpful on-demand webinar on this subject I encourage you to review for a deeper understanding of risk monitoring.
Success for Business Associates in the current business climate and threat landscape is a constant struggle. It takes focus, perseverance, and flexibility. Threats and priorities change continuously. Effective risk management processes are the key to ensure resources are leveraged against the most impactful tasks.
I hope you’ve found this brief perspective to be useful. I welcome your comments and questions. Please reach out to me at henry.sprafkin@clearwatercompliance.com.
Look for another blog coming soon on the selection, implementation, management, and monitoring of technical controls, another key piece of a BA’s cybersecurity and HIPAA compliance program.
[ii] NIST Special Publication 800-53 Rev. 5 (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)