Building the HIPAA Foundation
Vancouver Clinic (VC), based in Vancouver, Washington, has more than 400 physicians and other providers serving more than 1,000,000 patients annually in 11 locations throughout the southwest portion of the state, including an additional six urgent care centers for after-hours services.
As a healthcare organization, VC has a wide range and large quantity of sensitive data it’s responsible for securing including, but not limited to, electronic patient health information (ePHI), personally identifiable information, and financial information.
Analyzing and managing risks across all of its locations—and for all of organization into compliance. its systems that can receive, transfer, store, create or access ePHI— comes with many challenges. When Michael Bray, Chief Information Security Officer at Vancouver Clinic, first joined the team, he was responsible for building VC’s security program from the ground up— with an emphasis on HIPAA Privacy, Security, and Breach rules.
mong the daunting tasks he faced was conducting a full inventory of all of VC’s assets, understanding the risks and vulnerabilities for those assets, and then building and implementing risk remediation and mitigation plans. He had to mature and manage information security risks effectively and routinely as the company, its employees, assets, and footprint expanded over time.
Bray says when he came on board, the company was using a risk assessment solution, but it was custom software that compounded his challenges, noting it was “grossly insufficient and difficult to manage.”
Bray knew there had to be a better alternative, so he opened conversations with a variety of risk-management software vendors and services providers, including Clearwater.
Across the board, Clearwater quickly outshined all of its competitors.
Developing a Security Program with a HIPAA Emphasis
VC initially engaged Clearwater in 2015 to conduct a HIPAA risk analysis and a review of all its existing HIPAA policies and procedures. Bray said he knew, at that time, the existing practices were immature, with just a few “HIPAA-specific” policies covering privacy, security, and breaches. He also knew to be compliant, the organization would benefit from mapping its controls, policies, and procedures to the Code of Federal Regulations (CFR). This is where Clearwater shined compared to other vendors and quickly stepped up to the plate to help.
Assessing and Remediating Gaps with HIPAA Compliance
One of the things Clearwater did early on, which was different from other vendors, was to help VC assess compliance with specific requirements of the HIPAA Security, Privacy and Breach Notification Rules. Clearwater mapped policies and procedures to the specific standards and implementation specifications of the Rules, and documented whether they were reasonable, appropriate and implemented. From there, Clearwater helped VC remediate to bring the organization into compliance.
Streamlining Policies and Procedures
With Clearwater’s support, VC went from that handful of combined HIPAA policies and procedures to a more modular approach, which separated previously intermingled policies and procedures into unique documents where it made sense. Clearwater’s solution made processes easier to understand and to follow, improved compliance and created efficiency.
Today, the organization has static policy documents, which are approved by the board and leadership. These don’t change often. They use the approved policies to guide more specific procedural documents, which are flexible for technical stakeholders. The procedures don’t require board and leadership approval so long as they are in line with the board-approved policies. They can be revised when needed with fewer approvals, thereby streamlining processes.
Holistic Approach
One of the greatest benefits of working with Clearwater was its holistic approach to enterprise-wide risk management, something VC did not have with its previous risk assessments prior to partnering with Clearwater in 2015.
“It was holistic in its approach,” Bray said. “I liked how Clearwater’s IRM|Analysis® platform encompassed a NIST-based approach, which is also followed by the federal government.”
Advancing Risk Analysis
VC uses Clearwater’s IRM|Analysis software to build a database repository for ongoing risk analysis and risk management. The software is designed to meet explicit HIPAA Security Rule requirements and the Office for Civil Rights (OCR) audit protocol and Final Guidance for risk analysis as required by 45 C.F.R. 164.308(a) (1)(ii)(A).
“We were able to work with Clearwater in a way that allowed knowledge transfer and advancement of skill sets to our team. They kept up with our drive to meet business objectives while expanding our visibility into information risk across the enterprise,” Bray explained.
One of their first questions for Clearwater was: How do we do the risk analysis properly?
Bray said while the organization could have done its own risk analysis using IRM|Analysis, the reality is, he has a small support team with not a lot of bandwidth.
“So, we also engaged Clearwater to perform our annual HIPAA risk analysis in collaboration with each of our teams,” he said.
Assessing Unique Risks to Different Systems and Their Components
Among VC’s challenges for building a HIPAA compliant program was how to accurately—and completely—inventory all of its information systems (i.e., its information assets) across all locations, especially those that receive, transmit, store, or create ePHI, and understand who accesses them and how those assets are used.
The company also needed the ability to understand what types of components make up these different information systems, e.g., servers, laptops, printers, back-up devices, and even people, and how they relate to different information systems. Starting out, VC had about five component groups to categorize assets. As the organization has grown, its technology footprint expanded. Today, VC has over a hundred component groups, with unique risk scenarios. It assesses risk for all of these in IRM|Analysis.
“Some of those can be related to a specific system, because it has unique controls or risks that require it to be assessed independently to meet HIPAA requirements,” Bray said. “Some of them can be grouped together if they have similar threat surfaces, like laptops or some of the server types through VMware.” Clearwater’s patented Component Expert System (CES) takes the guesswork out of making these decisions by suggesting appropriate groupings.
Scaling and Automating Risk Analysis in a Growing Organization
As part of pre-assessment work, VC looked at its information systems to figure out which ones they were going to use as part of its annual attestation. First, it was those original five. As the organization grew, it increased to 12, eventually 20, then 50, before exceeding that 100 number. Clearwater’s solution was highly scalable to meet VC’s needs all along the way, without adding complexity.
Instead of a one-size fits all, high-level assessment, VC now had better insight into the hundreds of specific risk scenarios that were applicable to its specific environment and its systems. IRM|Analysis automatically generated these risk scenarios, ensuring the organization was conducting a comprehensive risk analysis. Additionally, the software automatically suggested appropriate security controls. Clearwater’s consultants assessed the controls relative to the risks, and determined likelihood and impact, generating meaningful risk scores.
As a result, VC was able to go through a range of these scenarios for every information system, as required by OCR’s guidance. VC had the confidence that it was assessing all reasonably anticipated vulnerabilities and risks to ePHI.
“For us to try to maintain and scale out HIPAA Risk Assessments via a customized spreadsheet while collaborating with federal government and peers, it’s just not practical,” Bray said.
Instead, VC can manage all of this right in Clearwater’s IRM|Analysis platform, with the ability to:
- Review and update current system inventory, associated components and their properties
- Gain deep insight into threats/vulnerabilities, implemented controls, and risk ratings for all assets included in the analysis
- Review previous risk analysis documentation and results
- Generate dashboards and reports • Get automatic updates to risk scenarios
Alignment with NIST 800-30 and OCR Final Guidance on Risk Analysis
Based on OCR guidance, VC must gather and document all data related to ePHI. This includes assessments and documentation of all security measures the company uses to safeguard this data. Through Clearwater’s IRM|Analysis, VC can enter information about assets and component groups including controls VC has in place, and others it could consider employing. In the risk analysis, the Clearwater Risk Algorithm™ within the software documented nearly 4,000 control answers for VC, all of which were based on its unique risks for its information assets and their components.
On-Going Risk Analysis
Healthcare organizations are supposed to assess and respond to risk on an ongoing basis. Many struggle with how to do this, but with IRM|Analysis, the process is straightforward and valuable, as all the data from the previous risk analysis exists in the database. The assessor can leverage all of the previous data to update the risk analysis. Clearwater helps VC evaluate which assets should be fully re-assessed based on changes that may have occurred, which ones need to be reviewed and updated only for new risks or new controls, and which ones have not been affected by changes.
“Keeping an enterprise-wide risk analysis current takes tremendous effort on our own internally through custom spreadsheets. Clearwater’s methodology, expertise, and IRM|Analysis software solves that challenge,” Bray said.
Clearwater’s Solution Helps Drive Cyber Risk Management Engagement Across the Whole Organization
Historically within healthcare, when it comes to security and controls, many organizations mistakenly think security is an “IT issue” and that IT alone should own it. But this is not the right approach to privacy and security, which is really a business problem. Communicating risk and creating and executing risk management plans requires engagement from all parts of the organization.
To help embed HIPAA compliance and cyber risk management into the organizational culture, VC and Clearwater have worked together to break down risks related to system components as relevant to functions and roles in the organization. Additionally, they use reporting from IRM|Analysis to communicate at different levels based on the audience. For example, some information is relevant for key stakeholders like the board of directors and executive leadership, while other information is applicable to technical staff, and other information is for the people who do work on a daily basis that access PHI.
Strengthening Vancouver Clinic’s Board Engagement
Clearwater worked together with the VC team to communicate high risks upward to the board and leadership levels, while tying it back into areas they’re most interested in—operational resilience and business success. Clearwater’s opinion as a trusted third-party expert was useful in helping Bray explain why the company should make investments and commitments to building its HIPAA Privacy, Security, and Breach program.
Communication format was also key. The IRM|Analysis platform generates director-level reports that are useful for the board’s Compliance Committee. That committee can share those findings with the rest of the board through a presentation that outlines annual findings, current posture, gaps, and what VC should do to close those gaps. Ultimately, these reports help guide risk-based decisions about program investment and budget discussions, enabling the board to be confident it’s exercising appropriate governance.
The comprehensiveness of the data, and the fact that it can be provided in a timely manner also gives the board confidence. “We can generate, at any time, a brief to them,” Bray explained. “We could pull it out and say, ‘Here’s our assets, and here’s the things that we’re concerned about with the current cyber threat landscape of ransomware attacks against healthcare.’ We can use the tool to call out specific areas to support our requests for funding or prioritization on existing projects going on in the pipe.”
Getting Directors and Physicians Involved
When VC first started building its HIPAA program, the team recognized they had managers, directors, and executives who had been with the organization 15 or 20 years and had never been directly involved with HIPAA risk assessments. Change management was a key issue, and this was an area where VC and Clearwater partnered to deliver success.
After engaging with Clearwater, VC empowered champions at the director level across multiple departments to be part of its Compliance Committee. They were able to participate directly with interviews and ensure appropriate information assets were identified throughout their departments. Involving business stakeholders at the department level in the process drove engagement with the cyber risk management program.
“Collaborating with Clearwater—it’s a partnership. They’re not an auditor coming in telling us what we’re doing wrong,” Bray said. “They are there to help us mature as an organization, by doing the things that are appropriate for us, based on our risks—not based on a generic checklist.”
Today, the HIPAA program is a collaborative effort across multiple teams including executive leadership, clinical staff, providers, back office, security, and compliance teams.
“We’re collaborating together to identify risk and gaps, and then make recommendations on how to handle that risk. That’s proper risk response,” Bray said.
And that collaborative culture is spilling across departments not traditionally associated with HIPAA or risk assessments.
“I’ve taken the opportunity to expand assessments into human resources, marketing, medical affairs, and finance stakeholders,” Bray said.
So now cross-departmental team members are thinking about risk:
- Are we going to accept it?
- Are we going to avoid it?
- Are we going to transfer it?
- Are we going to mitigate it?
And while IRM|Analysis and Clearwater’s consulting engagement was initially driven by HIPAA, it now also addresses risk analysis requirements for other areas such as PCI, Meaningful Use, SOC 2 Type 2, and others.
Clear Results
Today, VC has successfully built and continuously matures its HIPAA Privacy, Security, and Breach program.
“We have complete privacy, security, and breach policies now established and attested to every year,” Bray said. “We have a bona fide annual HIPAA risk analysis that meets the Guidance of the Office for Civil Rights. There’s no ‘periodic’ anymore; it’s every year at minimum, and we also have the capability to update the risk analysis at any time. We have the capability to give a HIPAA compliance posture assessment at any given time, using Clearwater’s software. In addition to performing the risk analysis, we have Clearwater supporting us in the event we ever have a major HIPAA incident or event or filing or anything.”
Clearwater has also helped VC build a clear understanding of the role of risk management as its own entity, including for medical device management, which is now an area of focus for the organization. It’s also helped draw a correlation between risk management, compliance, and information security. These stakeholders now work together to approach how VC manages Governance, Risk, and Compliance (GRC) with a risk-based approach under NIST.
Looking Forward
As VC looks forward in its Clearwater partnership, one area it will focus on is addressing gaps in its third-party risk management program.
Before the Clearwater risk analysis, Bray said there were inconsistencies by business owners about business associate agreement (BAA) status or the service provider/vendor’s compliance with HIPAA. Clearwater and IRM|Analysis brought these opportunities to light and are helping Bray to strengthen his BAA program as the regulatory landscape continues to evolve.
VC is now better suited to identify and mitigate additional risks created by its business associates. This includes routine audits and ensuring all business associates meet expectations regarding the Clinic’s HIPAA standards.
Program Expansion and Maturity
Clearwater has given VC clear insight into its security posture at all times.
“We evolved from an EPIC platform focused HIPAA Security, Privacy, and Breach program, to a well-established enterprise-wide program. We can measure ourselves against some of the most mature corporations out there,” Bray said. “It’s helped us advance from a small company mindset to a well-matured corporate mindset that allows for a customized Governance, Risk, and Compliance approach.”
VC will focus on increasing program maturity with a goal of continuing to scale its program across all pillars of privacy, security, and breach rules.
“We want a culture of continuous improvement and not just a periodic risk assessment. We can provide HIPAA Risk Analysis information on the fly at any time, if requested outside the annual attestation,” Bray said.
The reality is, as VC evolves, so do requirements and scope.
“Every year we gain more insight about PHI we may not have addressed the prior year,” he explained. “And so, it’s constantly helping us scale out and provide visibility to where that PHI is located.”
And even with those changes, VC is happy to say it hasn’t had a single compliance or cybersecurity incident or event the past six years that has negatively impacted the business or patient care. “Our HIPAA Privacy, Security, and Breach program has reached a level of maturity we are told is rarely found within the healthcare sector,” Bray explained. “We have garnered attention from other healthcare organizations, federal agencies, and industry experts.
“We’ve been fortunate to partner with Clearwater from the beginning,” he continued. “The relationship we’ve built with Clearwater during our journey has helped establish, maintain, and grow our HIPAA program. I view Clearwater as a critical pillar in our day-to-day operations.”