This past June we received two reminders of just how important it is to have an ongoing and effective program for measuring risk.
The OIG published its report reviewing the incentive payments made by CMS under Meaningful Use and identified over $740M in potential overpayments to healthcare entities for failure to provide adequate documentation to support their attestation. One of those documents was their risk assessment. The report presented it as a consumer issue, but the broader question that should have been asked as well was why were the payments made in the first place if the documentation was either missing or lacking? Answering that one probably makes someone uncomfortable. The OIG made recommendations to go after those that had received unearned payments, certainly seems fair, but it stopped short of asking what broke down at CMS that permitted these payments or in suggesting how we make sure it doesn't happen again.
A day later Deven McGraw, Deputy Director, Health Information Privacy, Office for Civil Rights (OCR) spoke at the North Carolina Health Information & Communication Alliance’s annual Academic Medical College Privacy & Security Meeting and reinforced the message by saying risk assessments are still a big issue identified during OCR compliance reviews and investigations. She enumerated five major trends they routinely see that contribute to negative outcomes and the fines that some organizations have received.
1. No risk assessment at all. You heard right just not doing one at all. A sure fire formula for making your next review or investigation a lot harder than it needs or you wanted it to be. Conducting a risk analysis of the enterprise is a hard coded requirement for healthcare entities and business associates. More importantly it is one of the first and most critical building blocks of a sound security program.
2. A limited scope assessment. Organizations are still conducting risk analysis of a very limited set of their IT environment (typically the EHR) and not the total enterprise. Often the breach is with a system not assessed. Adding to the difficulty of the investigation and an unwanted outcome. The expectation is that entities will conduct a risk analysis of their total IT enterprise where PHI is created, stored, processed, transmitted, etc. This includes those third parties that are a part of your growing supply chain.
3. No accommodation of environmental changes. Meaning organizations often fail to reassess their risk when there is a major change in the environment, the network, critical systems, etc. A good example of this is not conducting a risk analysis when acquiring another entity or when there is a wholesale change in the EHR going from one platform to another, or the example given a new server farm stood up without assessing the risk. Bottom line our enterprises are rarely static and when there is material change the expectation is the risk analysis will be updated.
4. Insufficient coverage. Large entities or entities with many operating locations will often take an approach that assesses the corporate headquarters or primary locations and not each operating location they have. When there is a breach or complaint at a particular location OCR is going to want to see documentation relevant to that location. The strategy for conducting risk analysis must be enterprise wide. That is not to say that every operating location need be assessed every year, periodicity is also a risk based decision.
5. Incomplete risk assessment. Risk assessment involves data collection, analysis and documenting risks. There are multiple models for completing a risk assessment to include the one recommended by OCR in their guidance that is based on the NIST 800-30. Risk assessment is not merely going through a check list, even if it's the NIST CSF performing a gap analysis. It is an analytical business process that matches the maturity of our controls against a known vulnerability and a reasonable threat to determine the likelihood and impact of occurring to identify a resultant risk that needs to be mitigated.
What should Executive Teams know about the requirement for risk assessment?
1. Understanding risk, policy imperatives and architecture are the three pillars that any successful cybersecurity program are built on. Without each leg the stool becomes unbalanced and falls over.
2. Risk assessment informs and measures how well our controls are working at mitigating risk and reducing liability providing important metrics for governance. Without it you are making decisions based on an incomplete picture.
3. It is the first requirement in any security standard or framework and both HIPAA and Meaningful Use. It is required. It is to security what the foundation is to your house.
4. The risk assessment is almost always the first document requested by an investigator in an audit, compliance review or investigation of breach. It answers two questions; a. Did you know about it in advance, and b. Did you do or plan to do anything about it?
5. Risk analysis is most beneficial when objectively conducted. No other industry is allowed to perform their own risk assessments for compliance purposes. You sacrifice objectivity and due diligence.
6. External assessors bring the benefits of expertise, broad industry knowledge and an experiential database that internal teams cannot match. You do one a year, they do hundreds, you do the math. You should tap that knowledge base.
7. External assessors provide advantages in demonstrating due diligence to regulators. Just like your financial audits, taxes, peer reviews, being able to point to independent analysis is important.
8. Risk assessment is a tool for building trust in other third party relationships and business partnerships. Being able to demonstrate you’ve completed a risk assessment is part of building trusted relationships. No one wants their business partner to compromise their business.
9. It promotes understanding of risk and prioritization of security initiatives. This one is simple. Smart decisions not only enhance security, but save dollars.
10. If done correctly, it is the most useful tool for managing and reducing costs. If not done or done poorly it will assuredly result in higher costs. Prevention is always cheaper than the cure, whether health or cybersecurity.
Conducting risk analysis correctly and periodically is critical to having and building an informed security program. Using a qualified external partner provides the peace of mind that you have an objective process in place to ensure due diligence. Using a partner steeped in healthcare experience ensures you receive recommendations that are grounded in that experience and take advantage of industry know how and expertise. Done well it can reap many benefits from saving dollars to avoiding compliance issues to mitigating potential causes of disruption. Simply put it helps protects your business and your investment.
By Mac McMillan, healthcare security and privacy expert and President and Chief Strategy Officer of healthcare security consultancy, CynergisTek.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.