Is there a more challenging position anywhere in information security than that of a healthcare organization’s cyber risk management leader? If there is, I can’t think of what it would be. Whether your title is CISO, CSO, CTO, CIO or some variation thereof, the task is daunting.
As we mentioned in Part 1 of this series, healthcare as an industry has a huge target on its back. Cyber attackers focus on healthcare not only because patient information is valuable, but also because patient lives are at stake. That can make threats such as ransomware attacks more effective. Cyber attacks in other industries – banking, for example – can have devastating financial consequences, but people’s lives aren’t generally at risk, as they are in healthcare.
At the same time, healthcare IT environments are exceedingly complex, which makes managing information security that much more complicated. The healthcare IT ecosystem typically includes dozens – if not hundreds – of applications, including the electronic health record (EHR) system, administrative and operational applications (scheduling, patient tracking, billing, claims, insurance and payer systems and interfaces), clinical applications (patient monitoring systems, radiology information systems, lab results reporting, clinical decision support, patient portals, etc.) and others too numerous to mention.
On top of this, add the countless devices that connect to a healthcare organization’s network, from the desktop computer at the registration desk, to the tablet the physician or nurse uses, to the smart infusion pump at the patient’s bedside, to BYOD devices like the smartphone a patient uses to access lab results through a patient portal.
Enterprise-wide Cyber Risk Assessment
Because of this complexity, no single “shiny object” or new security tool will be sufficient to mitigate all of the critical information security risks in a healthcare environment. As we discussed in Part 2 of this series, the only way to approach cyber risk management in a complex healthcare organization is to begin with a comprehensive, OCR-quality, security risk assessment and analysis.
Healthcare organizations must conduct this type of analysis in order to be HIPAA-compliant. But just as important is the fact that healthcare organizations cannot begin to develop a meaningful and effective cyber risk management program without first gathering the information that a comprehensive risk analysis provides.
As mentioned in the previous post, a security risk analysis essentially boils down to three tasks:
- Identifying risk
- Rating risk
- Prioritizing risk
The HIPAA Security Rule, OCR Guidance, and resources developed by NIST provide plenty of details on how to properly conduct a risk assessment and complete these tasks. These resources are freely accessible on the internet. In theory, any healthcare organization could use these resources to conduct and complete an OCR-Quality Risk Analysis® without any outside support. However, that’s easier said than done.
Task 1: Identifying Risk
Risk identification begins with creating an information asset inventory that documents each asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI). This includes not just the obvious choices, such as laptops, servers, and enterprise applications, but also less obvious choices, including medical devices, backup media, and nonclinical, internet-connected assets such as building management applications and networks.
A typical healthcare provider has hundreds – if not thousands – of individual information assets that need to be documented.
One way to accomplish this is to create an enormous spreadsheet, starting from scratch. A simpler way is to leverage a solution such as Clearwater’s IRM|AnalysisTM. Clearwater’s IRM|AnalysisTM includes an easy-to-use ePHI inventory system that uses data upload and guided data entry to help healthcare organizations rapidly develop a comprehensive, customized information asset inventory.
As noted in my previous post, creating an asset inventory is only the first step in risk identification. Risk has three components: an asset, a threat and a vulnerability. OCR guidance specifies that healthcare organizations must identify and document threats and vulnerabilities to each asset, in addition to creating an inventory of information assets.
If you are creating your asset inventory in a spreadsheet, you would need to start with a minimum of three columns for each asset in order to document the asset, each potential threat to the asset, and the vulnerabilities associated with each threat. Clearwater’s IRM|AnalysisTM speeds up this process by using a proprietary algorithm to suggest vulnerability and threat scenarios associated with each type of information asset. This takes the guesswork out of the process and ensures a more comprehensive assessment of risk.
Task 2: Rating Risk
Once you have exhaustively inventoried every aspect of risk – including every asset, and each of the threats and vulnerabilities associated with each asset – the HIPAA Security Rule and subsequent OCR guidance specifies that you must also estimate the likelihood (probability) and impact (magnitude of loss) of potential harm from each asset/threat/vulnerability combination. This is the risk rating.
NIST provides guidance for these tasks. NIST SP 800-30, Appendix G, includes several examples of assessment scales related to threat event likelihood. Appendix H, in the same publication, offers examples of scales for measuring impacts.
Clearwater’s IRM|AnalysisTM includes a risk register based on best practices and on specifications in HIPAA regulations, OCR guidance and NIST resources. The solution’s built-in risk register simplifies the process of assigning a risk rating to each asset/threat/vulnerability scenario and facilitates consistency in rating risk across the enterprise.
Task 3: Prioritizing Risk
After all information assets have been identified; after all potential threats and vulnerabilities have been documented; and after the likelihood and impact of each asset/threat/vulnerability combo has been calculated, each asset/threat/vulnerability combination will have an assigned risk rating. As illustrated in the table above, Clearwater’s IRM|AnalysisTM uses a 25-point scale to rate risk. The higher the rating, the higher the risk.
As part of the cyber risk assessment/analysis process, every healthcare organization should establish a risk threshold. Establishing a risk threshold is part of the information security governance process. The risk threshold will be unique to the organization and will take into account the organization’s unique risks and resources. For example, using the 25-point scale from the figure above, one organization might establish 15 as their threshold, meaning that any risk with a rating of 15 or below falls into the acceptable risk category, and will not be a priority with respect to mitigation.
A comprehensive information security risk analysis, combined with the organization’s established risk threshold, enables a healthcare organization to make informed, strategic decisions about which cyber security risks require urgent mitigation versus those that can be put on the “back burner” until more resources are available.
The Bottom Line
Conducting a comprehensive risk assessment is necessary for both HIPAA compliance and for establishing the foundation for a healthcare organization’s enterprise cyber risk management system (ECRMS). It is challenging, but not impossible, for a healthcare organization to conduct this analysis using only internal resources and guidance that is available on the internet.
Alternatively, healthcare organizations can use the specialized solutions and professional expertise offered by Clearwater Compliance to quickly and efficiently conduct a comprehensive cyber risk analysis. Because ultimately, completion of the analysis is only the first step.
The sooner a comprehensive security risk analysis is completed, the sooner a healthcare organization can begin addressing vulnerabilities and mitigating high priority risks. That is why it can make sense for a healthcare organization to leverage the solutions and services offered by Clearwater Compliance to assess risk, prior to establishing an enterprise cyber risk management program.