Cybersecurity is a growing challenge for many hospitals, health systems, health plans, and senior living organizations as threats and vulnerabilities constantly evolve. It is no longer considered to be strictly an information technology (IT) issue. The potential impacts of a security breach can be financial, operational, and reputational. Security breaches can come in a number of forms. It is important for healthcare organizations to assess what types of information they have (and where/how it is stored and accessed) that could be vulnerable to a cyberattack.
For healthcare organizations, electronic protected health information (ePHI) is one of the most valuable information assets, and its security is always a key risk from both an overall cybersecurity perspective and a Health Insurance Portability and Accountability Act (HIPAA) compliance perspective. The HIPAA Security Rule, at 45 CFR §164.308(a)(1)(ii)(A), requires that organizations “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information ...”. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has indicated that a HIPAA risk assessment should be documented and performed at least annually. In addition, HHS OCR has announced that commencing in 2016 it will actively audit covered entities and their business associates. Breach notification to HHS OCR is required when ePHI is exposed. When HHS OCR investigates a breach, one of its first and primary requests is often to review the covered entity’s latest HIPAA risk assessment. Finally, the full enactment of the Affordable Care Act (ACA) also impacts how ePHI is shared and with which entities.
With all of these cyber risks and HIPAA compliance requirements, it can be overwhelming for executives to manage the risks and to feel comfortable that their organization is taking the appropriate actions. Many executives may not have visibility into the root cause of successful cyberattacks, which is often traced to breakdowns in, or the absence of, relatively straightforward information technology controls. In other cases, the cause of a cyberattack is traced either to proper controls not being enforced on a particular technology (mobile devices, websites, networks, etc.) or to controls not being consistently followed (user access forms not being reviewed, password controls being circumvented, etc.).
A few years ago, most of the IT security focus was on the core applications and data that processed information for an organization. As a result, ancillary systems that were not the “system of record”, including email, voicemail, websites, file sharing, and mobile devices, did not receive significant focus from a security standpoint. Security issues within those technologies were often viewed as “low risk” and not worth much, if any, executive attention. With rapidly evolving technology and data needs and requirements, critical information can now be at risk in everything from next-generation medical devices to smartphones running applications that measure heart rate. As threats have evolved, it is those same ancillary systems that are often at the root of breaches and further security issues, because they are typically easier to attack.
Organizations often struggle to prioritize their cybersecurity initiatives. To help prioritize and support risk oversight, we recommend a cybersecurity risk assessment. Healthcare facilities can benefit from performing a cybersecurity risk assessment that identifies the assets, the risks, and the threats and vulnerabilities to the environment, and then, in that context, determines the appropriate priorities for mitigating risk and identifies which controls should be implemented. We do not recommend assessing technical vulnerabilities through scanning and other means until the core data, assets, risks, and controls have been properly assessed and validated; otherwise scan findings cannot be ranked by the business impact of the assets they affect.
In addition, a cybersecurity risk assessment can often be coupled with a HIPAA risk assessment to holistically evaluate the risks, threats, and vulnerabilities that exist across technologies, including mapping those risks both to the existing controls and to the controls that management would like to put in place. From there, management can make informed decisions about the pace at which controls need to be implemented and what investments should be made to manage cybersecurity and HIPAA compliance risks.
For more information on this topic, or to learn how Baker Tilly healthcare specialists can help, contact our team.