At least 44% of healthcare organizations have experienced a breach in the past 12 months, with 74% of respondents attributing the breaches to giving too many access privileges to third parties.
– A Crisis is Third-Party Remote Access Security, SecureLink and Ponemon
Technology is rapidly changing, and as healthcare organizations work to position themselves to meet the complex needs of their patients, we’re seeing a rapid acceleration toward digital transformation that is increasing the burden on IT, security, compliance, privacy, and risk management teams.
More technologies mean, in simple terms, more risks and vulnerabilities, and as a result more challenges, for protecting and securing protected health information (PHI).
And while some may think the onus falls solely on the shoulders of healthcare providers to secure PHI, in reality it’s a partnership between healthcare covered entities and all of the business associates they work with that may create, receive, store, or transmit this sensitive and important data.
Unfortunately, the rapid acceleration of this digital transformation goes hand-in-hand with increased risks, as we’re seeing across the industry with a growing number of ransomware attacks, millions upon millions of record exposures, and third-party breaches reaching an all-time high.
These successful breaches mean now, more than ever, healthcare organizations and their technology partners must work together to increase their standards to safeguard PHI, and build effective and compliant cybersecurity, privacy, and risk management programs.
As healthcare’s attack surface expands with the adoption of more, and more diverse, technologies to improve patient care and service delivery, it creates opportunities for more, and new, exposures. Today, the industry constantly faces emerging threats, while security and compliance teams struggle to manage an overwhelming volume of known, existing security vulnerabilities and other risks.
Take, for example, the increasing number of successful ransomware attacks on healthcare organizations and their business associates since the start of the pandemic, and couple that with the growing number of healthcare breaches attributed to third parties.
In fact, according to the report “A Crisis is Third-Party Remote Access Security,” released by SecureLink and Ponemon, at least 44% of healthcare organizations have experienced a breach in the past 12 months, with 74% of respondents attributing the breaches to giving too many access privileges to third parties.
This demonstrates just how much healthcare struggles to understand and address PHI risks across its digital supply chain, with more than 50% of respondents in the SecureLink/Ponemon study stating their organization doesn’t assess third-party security or privacy practices before giving them the ability to access sensitive data.
That outlook gets even murkier when you add in the number of new technologies now used by patients to support delivery of portable medical services, such as wearable monitors and other devices that ensure continuity of care beyond the confines of a medical facility. It’s incredibly difficult for most healthcare organizations to monitor and secure these devices once they’re taken off premises, and in some cases it’s nearly impossible for security teams to manage these endpoints for patching, updates, and other security issues.
The emerging threats for healthcare don’t stop there. For example, a growing number of organizations have adopted cloud-based solutions for many of their day-to-day operations. It makes sense since this is often a more convenient and cost-effective data solution, but some organizations don’t have a real grasp on related risks, especially when it comes to PHI stored in a multi-tenant environment compared to a private cloud.
Managing the Challenges of a Complex Landscape With Decreased Visibility
All of these emerging threats add up to increased challenges for IT security and privacy professionals. That’s because the environment, the threat landscape, and their management are all complex.
The reality is that some large healthcare organizations, even those with asset inventories, don’t know about all of their related risks because they just don’t have a good handle on all the assets they have, how they’re used, what data they access, and who uses these devices.
And because these environments are more complex, they require increased specialization and resources to manage those risks. Today, healthcare organizations need a range of professionals, in an industry where skilled professionals are hard to come by, such as cloud security experts, network experts, compliance and privacy specialists, and others.
That’s why many healthcare organizations still don’t address vendor risk: their teams are too overwhelmed managing security and risks within the organization itself. It’s another reason collaboration between healthcare covered entities and business associates to protect PHI is so important.
A Vendor Perspective
From a vendor standpoint, there are some areas where these companies can step up and demonstrate to their covered entities their abilities and commitments to securing patient data.
Where does that begin?
According to Jon Moore, Chief Risk Officer and SVP Consulting Services at Clearwater, it starts from the top down with a clearly defined and well-articulated mission statement and values.
Moore recently chatted about the challenges healthcare organizations and vendors face in a special panel discussion, “Securing Healthcare’s Digital Transformation: Provider and Vendor Perspectives,” with Kezia Cook-Robinson, Senior Privacy Counsel, Verily Life Sciences, an Alphabet Company; and Jackie Mattingly, Chief Information Security Officer, at Owensboro Health.
Cook-Robinson advises that these vendors ensure that privacy-by-design principles are reflected in their values and business code of conduct, “and that these principles flow down to the tech companies’ management, or their IT infrastructure, as well as their security and engineering operations.”
This extends beyond best practice into the actual products that deliver services to healthcare: for example, ensuring products are user-focused and that the way they intake, use, or retain PHI is always consistent with intended use.
That includes a solid understanding of all the compliance, legal, and regulatory standards associated with that data usage, as well as ensuring they’re in tune with their healthcare customers’ pain points.
“This should not only be embedded in their product design and functionality, but also made a part of business operations,” Cook-Robinson said. “Tech companies should also be intentional about the management of the full product or service lifecycle from a security perspective, and they should adopt a reasonable risk-based approach as part of their program across the enterprise… Before you can demonstrate to your users and to your customers that you really want to keep patient data secure, it starts at the enterprise level, from the top down.”
Using Frameworks and Standards to Minimize Security and Compliance Risks
So how do healthcare organizations and vendors work together to accomplish these goals?
Moore advises that a best practice is to consider adopting and implementing a framework to minimize security and compliance risks. Obviously, HIPAA mandates and Office for Civil Rights (OCR) guidance are important here because of PHI, but other frameworks can also help establish and mature security, compliance, and risk management programs, for example the NIST Cybersecurity Framework and, more recently, the guidance from the Health Sector Coordinating Council Joint Cybersecurity Working Group for 405(d).
“I think those are the two best frameworks for organizations to look to,” Moore said.
Developing Reliable, Repeatable Processes
Beyond framework implementation and management, what can organizations do to create repeatable processes to make security and compliance risk management related to digital transformation more programmatic and more embedded within operations?
A recommendation to consider: After implementing a framework, look for ways to build on those frameworks. Make them actionable.
Ask your team: How do we go from this framework to processes, procedures, etc. we need to engage in on an ongoing basis for effective security?
And don’t forget about your people.
You can have all the best processes and procedures on paper, but you need the right people understanding and doing the right things to keep your program operating effectively, even as your environment changes.
Questions to consider:
- How do we embed those processes with our people to make sure processes occur as they should?
- Would your organization benefit from ticketing systems and other approaches that automate your regular security procedures and processes?
- Do you have a principle-based policy governance approach to facilitate framework implementation that also allows your organization to work down through from a high-level perspective to specific procedures and guidance?
“It’s important to have a good framework that the organization has agreed upon,” Mattingly elaborated, “so that you can have a good security posture, and then stay at the forefront of continuous, enterprise-wide risk assessment.”
From there, your organization can expand and mature your program with continuous assessments, adaptability, and flexibility, using your frameworks as an infrastructure or starting point for your security, compliance, and risk management programs.
“But,” Cook-Robinson added, “until there are enterprise-level processes that govern conduct across all business units and products and services, an organization will not be able to create repeatable processes to make the management of security and compliance risk more programmatic and embedded within healthcare operations, especially with tech companies. Tech companies must be proactive in terms of identifying the security and compliance risks associated with the use of technology and digital health.”
Engaging Senior Leaders and Key Stakeholders
And while frameworks are a great starting point, another critical component is developing an organizational culture where security, compliance, and risk management are part of the day-to-day of doing business, for both covered entities and their tech business associates. This includes investing time and effort into building relationships with executives and key stakeholders so they remain engaged with your program and also understand what you’re trying to achieve as your threat landscape expands and your organization evolves.
“So, really, [it’s] identifying the security and compliance risk associated with the use of technology and digital health within the organization and maintaining a risk management plan at the enterprise level where senior leaders within the organization have visibility into these risks,” Cook-Robinson explained. “Not just performing risk analysis within one business unit, but it should be at an enterprise level, so enterprise-level risk assessments across all business units and for all products, which will feed into that enterprise risk management plan.”
This engagement and executive support can then help you create enterprise-level policies, processes, and standards, as well as controls related to security and compliance risk.
Provider and Vendor Collaboration to Protect PHI
When we talk about the united front healthcare organizations and vendors must create to protect PHI, it’s about developing a keen understanding of what these programs look like for both your healthcare organization and your vendors.
“Providers need the vendors, and vendors need the providers because … a lot of the outsourcing of services that providers are using vendors for is really to help them increase their efficiencies within their own healthcare operations,” Cook-Robinson said. “And so it really does take making sure that both the providers and the vendors are communicating with each other and are collaborating with each other.”
Some important questions for tech companies to consider as part of this collaborative process:
- What’s the compliance landscape for the providers?
- What are the biggest security pain points for providers?
- How can our products address some of these pain points?
Why is this collaboration important for both providers and business associates?
With digital transformation, we’re seeing more and more data sharing, not just within a single organization or medical group, but with other organizations as well. Often this data may exist within multi-tenant environments, where a risk within one organization could lead to lateral movement to other organizations within the same environment.
“We’re going to have to communicate and discuss how that data is going to be kept safe, not only internally to the organization, not just for IT, not just for the health information management department, not just for privacy and security, but organization-wide,” Mattingly points out. “We need to understand, across the board, how that data is kept safe.”
And from a vendor perspective, it’s important to remember that these business associates are managing different expectations for all of their customers simultaneously. That could range from no security or compliance questions at all to 300-page questionnaires digging into programs, processes, and documentation expectations.
Interestingly, this issue, how vendors can respond effectively and efficiently to customer security, compliance, and risk management questionnaires, is creating a unique business problem in itself, and it’s one that needs continued focus and improvement.
The answer may very well be in a software platform, such as Clearwater’s IRM|Analysis®, that helps both healthcare providers and their business associates build stronger security and compliance programs, communicate across teams, and serve as a trusted repository for supporting documentation.
If you haven’t yet considered managing your HIPAA security, compliance, and risk management programs within a platform like IRM|Analysis, healthcare’s rapid digital transformation and emerging risks demonstrate why now is the perfect time.
Does your organization need help getting a better grasp on what rapid digital transformation means for your security and compliance programs? It’s important to understand, and be able to respond to, how you’re addressing risk reduction, that you’re aware of security best practices and where you have gaps, and that you’re on the right track to continuously address and manage all of your risks. Contact a Clearwater advisor today and we’ll be happy to help.