Making Cyber Risk Management an Ongoing Process

The HIPAA Security Rule [1], as well as the National Institute of Standards and Technology (NIST) and other standards, stipulate that a risk analysis and risk management process should be ongoing, and not performed at a single point in time. However, many healthcare organizations treat risk analysis as a once-and-done process. The Office for Civil Rights’ (OCR) “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule” [2] is based on NIST SP 800-30, Guide for Conducting Risk Assessments [3], and further emphasizes the requirement for continuous, ongoing cyber risk management.

When systems, technology, or processes change, an organization’s documented risk posture becomes obsolete, leaving the possibility that current controls no longer adequately address significant risk. In order for a healthcare organization to update and document its security posture appropriately, it should conduct risk analysis as part of its ongoing operational security program.

Adding New Systems to the IT Environment

A best-practice risk analysis and risk management process is performed as new technologies and business operations are planned, which reduces the effort required to address risks that would otherwise be identified only after implementation. For example, if an organization is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed to ensure that all healthcare data, systems and devices are reasonably and appropriately protected.

An Enterprise Cyber Risk Management Software (ECRMS) platform, such as Clearwater’s IRM|Pro®, provides a mechanism to efficiently perform a risk analysis before the new technology is brought online. This is consistent with NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” which aligns the risk analysis and risk management process with the system development life cycle [4].

The ECRMS will identify the risk scenarios and required controls to mitigate risks appropriately and enable “authorization to operate” and “authorization to use” decisions to be made when risk ratings fall within the organization’s risk appetite. As a result, the organization can factor the cost and effort to implement these controls into its budget and project plan, while also meeting required regulations and OCR’s expectations.

Changing Use or Scale of Systems

An ECRMS enables an organization that materially changes the use of a system to reassess risk in accordance with any additional impact that results from the change in scope. For example, consider a workstation that was previously risk-analyzed for use in one department, with access to only hundreds of patient records, and that is now integrated into the EHR system, providing access to tens of thousands of patient records. This device should be risk-analyzed again to determine whether risk has increased as a result of the additional harm that could now be caused.

Adapting to New Threats and Vulnerabilities

In addition to changes in technology, organizations must consider new threats and vulnerabilities as they are discovered. The risk landscape changes on a daily basis [5], as new threats and vulnerabilities are determined to be reasonably anticipated for certain environments. A key benefit of IRM|Pro is that it provides periodic updates to its algorithm so the organization can assess (1) whether the current controls continue to be appropriate, (2) whether the current controls still provide the same level of risk reduction, (3) whether any additional controls are appropriate and the extent to which they are in place, and (4) the resulting risk rating based on all of the above.

An ECRMS platform provides the capability to manage cyber risk as an ongoing process, rather than at a single point in time. As a result, the healthcare organization can be confident that its risk posture is up to date and accurate, and any new high risks are identified so that the organization can treat them.


1. U.S. Dep’t of Health and Human Servs., The Security Rule. Available at https://www.hhs.gov/hipaa/for-professionals/security/index.html (accessed Sept. 1, 2019).
2. U.S. Dep’t of Health and Human Servs., Final Guidance on Risk Analysis. Available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html (accessed Apr. 25, 2018).
3. National Institute of Standards and Technology (NIST), Guide for Conducting Risk Assessments, SP 800-30, Rev. 1 (Sept. 2012). Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
4. National Institute of Standards and Technology (NIST), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, SP 800-37, Rev. 2. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.
5. Symantec, Internet Security Threat Report. Available at https://www.symantec.com/security-center/threat-report.
