Clearwater partnered with Encompass Health to implement its enterprise Risk Analysis and Cyber Risk Management Solution powered by IRM|Analysis™
Clearwater provided the training, software, and professional services Encompass Health needed to establish an ongoing, enterprise-wide risk analysis process. Comprehensive risk analysis is a critical first step in cyber risk management. It’s like that old adage, “The best defense is a good offense.” How can you defend your organization against cyber attacks if you don’t know where your assets and vulnerabilities are?
The answer is: you can’t. That is why risk analysis is so important. That is also why the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and subsequent guidance from the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) emphasize the importance of risk analysis. To comply with the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318), healthcare organizations must conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
“Conducting a risk assessment is essential to establishing an effective cyber risk management program,” said Mitch Thomas, chief security officer (CSO), Encompass Health. Besides serving as Encompass Health’s CSO, Thomas is also a reservist in the U.S. military working within the U.S. Cyber Command. “I have had visibility into a good number of organizations across government and industry, so I am familiar with a lot of different approaches to managing risk,” Thomas said. “I’ve found that performing a comprehensive, HIPAA-compliant risk analysis in a large healthcare organization is easier said than done.”
Encompass Health had previously used multiple approaches to risk analysis with varying results. When Thomas came on board as CSO, Encompass Health was “challenged like most healthcare organizations in communicating risk and their controls in a construct that could be aligned with regulations and OCR audit expectations,” he said.
“We needed to establish risk management processes that correlated directly with OCR guidance.” One challenge Encompass Health faced was the vast scope and complexity of the organization. Encompass Health is one of the nation’s largest providers in post-acute care, offering both facility-based and home-based patient care through its network of inpatient rehabilitation hospitals, home health agencies and hospice agencies. Facilities include 127 hospitals and 237 home health & hospice locations in 36 states and Puerto Rico.
This means that Encompass Health is dealing with an enormous volume of information assets. Those assets are also widely distributed, both geographically (across facilities and across states) and organizationally (across different lines of business). Encompass Health also regularly expands its footprint via strategic acquisitions. This means the scope of information assets, threats, vulnerabilities and security controls is continuously evolving. Thomas found previous attempts at risk analysis to be inadequate because they did not take into account the dynamic nature of the organization and external environment.
“We needed something more than a static, once-a-year risk analysis report,” Thomas said. “We needed a process that would give us the ability to continuously adjust our risk analysis as we established new business lines, acquired new devices, and made changes to software.”
Shortly after Thomas started at Encompass Health, he had the opportunity to participate in Clearwater’s HIPAA Compliance and Cybersecurity BootCamp™. Clearwater periodically offers live, in-person, educational BootCamps. Clearwater also offers a virtual version of the BootCamp. The BootCamp content and format can be tailored for specific organizations and associations.
In Thomas’ case, the Association for Executives in Healthcare Information Security (AEHIS) was offering a five-week virtual BootCamp exclusively for AEHIS members. After the first session, Thomas knew he had found the risk assessment solution he was looking for.
“I wanted a solution that would tightly follow the NIST framework. At that first session, I saw that Clearwater’s solutions not only followed the NIST framework, but also automated the process, making it much easier for an organization like Encompass Health to manage and maintain,” Thomas said. “I saw a clear alignment between OCR guidelines and what Clearwater was doing.”
Clearwater’s software suite, IRM|Pro®, is based on the NIST framework and HIPAA regulations. The suite’s four stand-alone modules — IRM|Analysis™, IRM|Privacy™, IRM|Security™, and IRM|Framework™ — address and automate different aspects of HIPAA compliance. Encompass Health was particularly interested in IRM|Analysis, which would allow them to implement and automate an OCR-compliant risk analysis process across their vast and complex enterprise. “Clearwater’s tool was the only user-accessible software I found that operationalized the NIST framework through automation and made it manageable to apply across our assets,” said Thomas. “I could not find another vendor providing this type of software solution targeted at risk analysis automation.”
Clearwater uses the software-as-a-service (SaaS) distribution model. The advantages of using a cloud-based (SaaS) model, rather than an on-premise model, are that there are no upfront capital costs and deployment can happen relatively quickly. Clearwater offers a continuum of services related to software deployment. At the most basic level, Clearwater offers a software subscription plus training on how to use the software effectively. Alternatively, organizations can purchase a subscription to the software with a block of time for additional Professional Services.
A third option is to purchase the software along with Clearwater’s HIPAA Risk Analysis. In this version of the software implementation, Clearwater not only deploys the software and trains users, but also conducts the initial risk analysis. This gives the organization an opportunity to learn the NIST risk analysis methodology at the same time they are learning to use the software. Encompass Health chose the third option: a software subscription plus user training plus project management and professional services to conduct the initial risk analysis.
“It was immensely valuable to have Clearwater come in and help us collect the information we needed,” said Thomas. “Clearwater interviewed staff across the company to identify and document information assets. They helped us analyze and organize those assets in a way that optimized efficient use of the process and the software. We didn’t have to go through weeks of learning and training to get to that point.
“Clearwater was able to come in on day one, start the risk assessment process, and minimize the impact on my staff and others across the company. In just a couple of days, they accomplished what it would have taken us weeks to do on our own. Then they input all of that information into the software and worked with my team on how they did it, what that process was, and how to use the software. That gave us the momentum we needed to manage and maintain the process going forward.”
The entire process, from software deployment to completion of the risk analysis, was finished in six months. At the end of that period, Encompass Health had a complete, OCR-compliant, risk analysis report in hand, including findings, observations and recommendations. Thomas said the implementation of Clearwater’s NIST-based software and process led to additional positive outcomes beyond the completion of Encompass Health’s risk assessment report, including the following benefits:
Centralized risk data
All of the data documenting Encompass Health information assets is now centralized in a single system: Clearwater’s IRM|Analysis. “Having all of our assets and their risks reflected within one system simplifies how we manage and report security risk,” he said.
Real-time risk analysis
Encompass Health now has tools and processes in place that enable real-time capability for managing assets and risk. The organization is no longer dependent on static, point-in-time risk analysis, which quickly becomes outdated.
The ability to adjust risk tolerance
The dashboard and embedded reports in IRM|Analysis provide the security team and leadership the insight they need to adjust risk tolerance. “As we address risk items and mitigate them, we are able to adjust our risk tolerance threshold to address even lower risk items. This helps the team manage and communicate security risk with leadership across the organization,” Thomas said.
Easy report generation
The built-in reporting feature in IRM|Analysis makes it easy to generate up-to-date risk analysis reports for any entity that requests a risk analysis, whether that is Encompass Health’s executive leadership, the Board of Directors, the organization’s insurance risk provider, OCR, or a third-party auditor.
Increased confidence in risk analysis findings
“I have confidence now in how we are tracking our security risk from a compliance standpoint. Having current and detailed risk information all organized in one place provides me with the assurances I need that we are addressing our regulatory requirements. And I feel confident that we are also compliant with OCR guidelines,” Thomas said. Thomas expects the partnership between Encompass Health and Clearwater to continue into the foreseeable future. “It’s been a very collaborative relationship,” he said. “Clearwater has been very responsive to our needs and supportive in helping us achieve our risk analysis objectives.”