7- DATA, DATA,& MORE DATA IN HEALTHCARE by PHARMAGEEK
#survey #report #ebook #studies #ehealth #mhealth #healthcare
Scooped by Lionel Reichardt / le Pharmageek

How to Deal with a Patient Data Breach (and Avoid One in the First Place)


With electronic storage of protected health information (“PHI”) becoming more common, healthcare providers are rightly concerned about ensuring their data and security systems are not breached, and developing an established course of action in the event that their systems are breached. 

 

The most important security precaution that a provider can have in place is a stable system for breach prevention. Otherwise, navigating the field to ensure there are no breaches can be difficult. 

 

Do not place your bets on good luck or assume that the system you currently have will prevent a breach. It’s impossible to plan for every possibility, and your practice will be better prepared if you view breaches as an inevitability.

 

So, prepare as if a breach will happen—but keep your focus on prevention, as that is the ideal. 

How to Prevent a Data Breach

Your patients are depending on you to provide them with a safe and secure system, and they are the ones who will be most affected when a breach occurs. Here are a few tips to ensure that your system is as secure as it can be, adapted from this resource:

1. Test, test, test. 

First, make sure your current system is effective. To do this, you must test the system. This means performing constant random testing—data breaches are random, so your testing should be as well—as well as conducting a yearly risk assessment. 

2. Restrict access to patient information. 

One of the key concepts of the Health Insurance Portability and Accountability Act (HIPAA) is that only those who need to use the data have access to it. Make sure that the systems you have in place only allow employees to access required information. Furthermore, ensure each employee has his or her own login information, as this makes audit trails easier to follow. 

3. Educate.

Make sure you provide constant, current education for both yourself and your employees about HIPAA compliance and the impacts of a health data breach. 

4. Deploy encryption technology and monitor devices and records.

Be sure to employ technology that protects the PHI stored on your devices. This means using encryption for all of your data and hardware, whether the data is at rest or in motion, and keeping that encryption up to date. Make sure that your system strictly manages identity and access, so that only those who need to use the information can. 

 

While HIPAA does not require data encryption, the Health Information Technology for Economic and Clinical Health (HITECH) Act states that if encrypted data is stolen, this does not constitute a breach. 

 

There should also be strict rules for employees who use their own devices to access information, as this can lead to breaches (for example, if those devices are lost or stolen). Educate employees on how to secure their belongings, and consider encouraging them not to store data locally. 

5. Review and modernize IT infrastructure.

If you work in a hospital or large practice, put your records systems on their own network segment, separate from any wireless network you offer visitors. This way, you can provide Wi-Fi to your patients while ensuring that they cannot reach the records. 

 

If you use a cloud system, it’s crucial that you read over the contracts carefully. Make sure you will still be HIPAA-compliant and that the systems will be secure. 

 

You may want to invest in quality IT staff to work on these networks. The individuals you have will determine whether your systems will work and will be there to defend you against breaches.  

6. Collaborate with compliant business associates.

It is likely that you currently have business associates—or that you will have one or more in the future. Business associates can assist in locking your information in a safe place, but this means that they have access to PHI. Make sure that your business associates are compliant with HIPAA and that they have the proper security procedures in place to prevent breaches.

7. Invest in a good legal team.

Remember, as helpful as these tips are, you must view a breach as inevitable. Even if you do everything right, bad things can still happen. Investing in a good legal team allows you to know that even if something goes wrong, you have a plan to move forward.

How to Respond to a Data Breach

Now, let’s assume you’ve set up an appropriate system to prevent a breach, but something has happened, and your patients’ PHI has been accessed. Let’s look to what steps you should take.

1. Conduct an initial assessment of the breach.

Once you have discovered a possible breach, you need to conduct an initial assessment of the situation. This can be done through creating a task force. This group will need to determine:

  1. What went wrong? 
  2. Was any PHI compromised? 
  3. When did it happen?
  4. Who is responsible?

2. Address the risks.

Now it’s time to fully dive in and determine what happened and how. That way, you can ensure it does not happen again. This can be done through conducting a root cause analysis—and documenting the steps you take along the way. When looking through your data, you should have documentation including:

  • policies and procedures for security and privacy,
  • details on employee education and awareness programs, and
  • evidence of disciplinary action taken on employees. 

Don’t limit your focus to the system that experienced the breach. If something went wrong in one system, it is highly likely that the same thing can and will happen in another. 

3. Notify the appropriate parties. 

Even though it is difficult, it is necessary that you notify all the appropriate parties of what has happened. While you might be worried about losing patient trust, patients prefer to know the truth. 

4. Manage the consequences.

After you’ve studied the causes of the breach and reported your findings to the appropriate parties, it is possible that you will be investigated and have to pay legal fees. Remember, HIPAA laws were created to protect the patient, not the practice. 

 

As previously mentioned, your relationship with your patients may suffer because of the breach. So, after you’ve taken appropriate measures to combat the breach and implement new security measures in your system, you must take steps to rebuild your patient relationships. If this situation was something outside of your control, explain this to your patients. Patients appreciate honesty and transparency. 

 

If you are struggling to handle the breach, reach out to legal counsel for assistance. There is no shame in asking for professional help.  

5. Don’t panic. 

Remember, you prepared for a breach, and you’ve done damage control. Sometimes things happen that you cannot prevent, and all you can do is react appropriately. Review what happened and make sure that you took all the proper measures to ensure the same thing does not happen again. 

bwell's curator insight, April 18, 2023 9:37 AM
When it comes to health matters, it is essential to know which pharmacies are good and which are bad. You have to learn what to look for in a pharmacy to know whether it is the right one. Remember, you are dealing with life, which is why you have to be careful about where you buy your medicines and other pharmaceutical necessities.
Scooped by Lionel Reichardt / le Pharmageek

Information Risk Management Still Needs Improvement  #esante #hcsmeufr #digitalhealth


Cybersecurity threats and attacks across business sectors are on the rise, pressuring organizations to continuously assess the risks to their information. While the General Data Protection Regulation (GDPR) garnered a lot of buzz in 2018, many standards and regulations in the United States also require cybersecurity.

 

But what are the technical details and operational steps needed to meet the high level guidance on cybersecurity risk? A recent Advisen survey revealed some interesting statistics:

 

  • 35% of respondents rated data integrity risks as “high risk,” versus only 22% who rated business continuity risks, or cyber-related business interruption, that way.
  • Only 60% of the risk professionals surveyed said their executive management team viewed cyber risk as a significant threat to the organization, down 23% from the previous year.
  • Only 53% knew of any updates or changes to their program, even after the 2017 high-profile attack.

 

In short, these statistics paint a grim picture over the state of cybersecurity in the United States. While organizations are aware of the high risk of cyber attacks, management team involvement may be decreasing, and organizations may not be evolving their cybersecurity programs quickly enough.

 

Creating a Security First Risk Mitigation Posture
Many organizations have moved to a security-first compliance posture driven by risk analysis, to enable stronger risk mitigation strategies and incorporate senior management oversight. However, identifying the potential risks to your environment is only the first step to understanding your overall risk. In order to identify all potential risks and engage in a full risk analysis that appropriately assesses the overall risk facing your data, you need to incorporate vendor risk into your risk management process.

 

That’s a lot of risk discussion, but you also have a lot of places in your overarching ecosystem that create vulnerabilities. Using a risk management process that establishes a security-first approach to your organization’s data environment and ecosystem means that you lock down potential weaknesses first and then backtrack to ensure you’ve aligned controls to standards and regulations. This approach, although it seems backward from a traditional compliance point of view, functions as a stronger risk mitigation program because it continuously monitors your data protection to stay ahead of attackers. Standards and regulations mean well, but as malicious attacks become increasingly sophisticated, the best practices within those documents can become outdated in a single moment.

 

What is an Information Risk Management (IRM) Program?
An information risk management (IRM) program consists of aligning your information assets to a risk analysis, creating IRM policies that formalize the reasoning and decisions, and communicating those decisions to senior management and the Board of Directors. The National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) both provide guidance for establishing an IRM program.

 

For example, the September 2017 NIST update to NIST 800-37 focuses on promoting information security by recognizing the need for organizational preparation as a key function in the risk mitigation process.

 

In fact, the core standards organization, ISO, updated its ISO 27005 in July 2018 to focus more on the information risk management process.

 

Specific to the United States, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its enterprise risk management framework to minimize data threats while requiring organizations to detail potential risks and manage them more proactively.

 

As risk analysis increasingly drives information security practices, you need to focus on a risk treatment program that begins with risk identification, establishes an acceptable level of risk, defines your risk treatment protocols, and creates risk mitigation processes.

 

Create an Information Risk Management (IRM) Team
In order to appropriately manage risk, you need to create an IRM Team consisting of stakeholders across the organization. Relying solely on your IT department may leave gaps in the process. To determine the stakeholders, you should explore the departments integral to risk identification. For example, you might want to ask yourself:

 

  • What departments hire vendors?
  • What departments can help with the overall risk process?
  • What stakeholders are legally required (in the United States) to be informed of the risk process?
  • Who brings unique insights into the risks that affect my data environment and ecosystem?

 

For example, while your IT department sets the controls that protect your information, your human resources department handles a lot of sensitive data. You need to incorporate stakeholders who understand the data risks unique to their role in your organization so that they can work with your Chief Information Officer and Chief Information Security Officer. Additionally, many United States regulations, such as the Sarbanes-Oxley Act of 2002 (SOX), require senior management and Board of Director oversight, so they should also be included as part of your IRM team.

 

Begin with Business Processes and Objectives
Many organizations forget that business processes and organizational business objectives should be the baseline for their risk analysis. Senior management needs to not only review the current business objectives but also think about the future as part of the risk identification process. Some questions to ask might include:

 

  • What business processes are most important to our current business objectives?
  • Do we want to scale in the next 3-5 years?
  • What business processes do we need to meet those goals?

 

Understanding the current business objectives and future goals allows organizations to create stronger risk mitigation strategies. Many organizational goals rely on adding new vendors whose software-as-a-service products enable scalability. Therefore, you need to determine where you are as well as where you want to be so that you can protect the data that grows your organization and choose vendors who align with your acceptable level of risk.

 

Catalogue Your IT Assets
The next step in the risk analysis process requires you to look at all the places you transmit, store, or access data. This step often becomes overwhelming as you add more cloud storage locations that streamline employee workflows. Some questions to ask here might include:

 

  • What information is most critical to my business processes?
  • What servers do I store information on?
  • What networks does information travel over?
  • What devices are connected to my servers and networks?
  • What information, servers, networks, and devices are most essential to my targeted business processes?
  • What vendors do I use to manage my data?

 

Review Your Potential Risks from User Access
Once you know what information you need to protect and where it resides, you need to review the users accessing it. Using multi-factor authentication and maintaining a “need to know” access protocol protects your information.

 

  • Who accesses critical information?
  • What vendors access your systems and networks?
  • Does each user have a unique ID?
  • Can each user be traced to a specific device?
  • Are users granted the least authority necessary to do their jobs?
  • Do you have multi-factor authentication processes in place?
  • Do users have strong passwords?
  • Do you have access termination procedures in place?

 

These questions can help you manage the risks to critical information that arise when employees lack password hygiene or decide to use the information maliciously after their employment is terminated.
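The access-review questions above can be turned into an automated pass over an account inventory. The following Python script is an added example, not part of the curated article or of any product it mentions; the account records, the role baseline (ROLE_BASELINE), the password thresholds and the finding codes are all constructed for illustration and would be replaced by your own directory export and policy values.

```python
"""Automated pass over an account inventory, answering the user-access
review questions: unique login, least authority, MFA, password hygiene,
and access termination. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical baseline of the roles each job function legitimately needs
# ("need to know"); anything beyond it is flagged as excess authority.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"billing_read", "billing_write"},
    "it_admin": {"sysadmin"},
    "contractor": {"ehr_read"},
}
MAX_PASSWORD_AGE_DAYS = 90   # hypothetical policy values
MIN_PASSWORD_LENGTH = 14


@dataclass
class Account:
    user_id: str
    job: str
    roles: Set[str]
    mfa_enabled: bool
    password_length: int
    password_set: date
    shared_by: int = 1                       # people who know this login
    enabled: bool = True
    employment_ended: Optional[date] = None  # set when the person left


def review_account(acct: Account, today: date) -> List[str]:
    """Return finding codes for one account; an empty list means clean."""
    findings: List[str] = []
    if acct.shared_by > 1:
        findings.append("SHARED_LOGIN")        # audit trail cannot name a person
    if not acct.mfa_enabled:
        findings.append("NO_MFA")
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append("WEAK_PASSWORD")
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("STALE_PASSWORD")
    excess = acct.roles - ROLE_BASELINE.get(acct.job, set())
    if excess:
        findings.append("EXCESS_ROLES:" + ",".join(sorted(excess)))
    if acct.employment_ended is not None and acct.enabled:
        findings.append("TERMINATED_BUT_ENABLED")  # termination procedure failed
    return findings


def review_access(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Run the review over the whole inventory, keyed by user ID."""
    return {a.user_id: review_account(a, today) for a in accounts}


def accounts_needing_action(results: Dict[str, List[str]]) -> List[str]:
    """User IDs with at least one finding, in a stable order for reporting."""
    return sorted(uid for uid, f in results.items() if f)


REVIEW_DATE = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [  # constructed inventory, not real accounts
    Account("jdoe", "nurse", {"ehr_read", "ehr_write"}, True, 16, date(2024, 1, 15)),
    Account("frontdesk", "nurse", {"ehr_read"}, False, 8, date(2023, 6, 1), shared_by=4),
    Account("bsmith", "billing", {"billing_read", "billing_write", "sysadmin"},
            True, 18, date(2024, 2, 1)),
    Account("contractor1", "contractor", {"ehr_read"}, True, 20, date(2024, 2, 20),
            employment_ended=date(2024, 2, 15)),
]

if __name__ == "__main__":
    for uid, found in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{uid:12s} {'OK' if not found else ', '.join(found)}")
```

The shared front-desk login is the case the article's "unique ID" question is aimed at: every other check still fires on it, but even if those were fixed the audit trail could not attribute an action to a person. The contractor entry shows why the termination procedure needs its own check rather than relying on the owning department to remember.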

 

Establish An Acceptable Level of Risk
Once you’ve completed the risk identification process, you need to review which risks you want to accept, transfer, refuse, or mitigate. To determine the acceptable level of risk, you may want to ask questions such as:

 

  • What is an acceptable level of external risk to my data environment?
  • What is an acceptable level of risk arising out of vendor access?
  • How do I communicate the acceptable level of risk to senior management?
  • How can I incorporate my acceptable level of risk in service level agreements (SLAs) with my vendors?
  • Can I quantify the acceptable level of risk I have assumed as part of my risk analysis?

 

Your information risk management (IRM) process needs to incorporate the full level of tolerances and strategies that protect your environment. In some cases, you may decide that a risk is unacceptable. For example, you may want to limit consultants from accessing your corporate networks and servers. In other instances, you may need to find ways to mitigate risks with controls such as password management or a Bring-Your-Own-Device policy.

 

Define the Controls That Manage Risk
Once you’ve set the risk tolerance, you need to define controls that manage that risk. This process is also called risk treatment. Your data ecosystem can leave you at risk for a variety of data breach scenarios, so you need to create information risk management (IRM) policies that outline your risk treatment decisions. In doing this, you need to question:

 

  • What firewall settings do I need?
  • What controls protect my networks and servers?
  • What data encryption protects information in transit across my networks and servers?
  • What encryption protects the devices that connect to my systems and networks?
  • What do I need to make sure that all vendor-supplied passwords are changed?
  • What protects my web applications from attacks?
  • What do I need from my vendors as part of my SLAs to ensure they maintain an acceptable level of security?

 

Defining your controls includes everything from establishing passwords to requiring anti-malware protection on devices that connect to your systems and networks. Creating a clearly defined risk treatment program enables a stronger security-first position since your IRM policies focus on protecting data proactively rather than reactively changing your security controls after a data event occurs.

 

Tracking the Risks With IRM Policies
Creating a holistic security-first approach to risk treatment and management means using IRM policies to help create a risk register. A risk register creates a tracking list that establishes a mechanism for responding to security threats. Your IRM policies, which should outline the entire risk management process, help establish the risk register by providing the list of risks monitored and a threat’s impact.

 

Although this process seems intuitive, the larger your environment and ecosystem, the more information you need to track. As you add vendors and business partners, you increase the risk register’s length making threat monitoring cumbersome.
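The three preceding sections (acceptable level of risk, risk treatment controls, and the risk register) describe one workflow, so here is a single worked example that carries a handful of risks through it. This Python script is added here and is not from the curated article or from SecurityScorecard; the risks, the TOLERANCE thresholds, the accept/mitigate/transfer/refuse decision rule, and the likelihood-reduction values attached to each control are all invented for illustration.

```python
"""Constructed risk register: scores each risk, compares it with an
acceptable level of risk, records the treatment decision taken under the
IRM policy, and keeps the register sorted so the highest residual risks
are tracked first. Thresholds and data are invented for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    ACCEPT = "accept"      # within tolerance; monitor only
    MITIGATE = "mitigate"  # controls bring residual risk within tolerance
    TRANSFER = "transfer"  # shifted by insurance or contractual SLA
    REFUSE = "refuse"      # activity not permitted


# Hypothetical acceptable level of risk (likelihood x impact, each 1-5),
# stricter for risks arising from vendor access.
TOLERANCE = {"internal": 6, "vendor": 4}


@dataclass
class Risk:
    rid: str
    description: str
    source: str              # "internal" or "vendor"
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    transferable: bool = False
    # (control name, likelihood reduction) pairs defined in the IRM policy
    controls: List[Tuple[str, int]] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after controls; likelihood never drops below 1."""
        reduced = max(1, self.likelihood - sum(r for _, r in self.controls))
        return reduced * self.impact


def decide_treatment(risk: Risk) -> Treatment:
    """Hypothetical policy rule mapping scores to the four treatment options."""
    limit = TOLERANCE[risk.source]
    if risk.inherent_score() <= limit:
        return Treatment.ACCEPT
    if risk.residual_score() <= limit:
        return Treatment.MITIGATE
    if risk.transferable:
        return Treatment.TRANSFER
    return Treatment.REFUSE


def build_register(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Rows of (id, residual score, treatment), highest residual first."""
    rows = [(r.rid, r.residual_score(), decide_treatment(r).value) for r in risks]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


SAMPLE_RISKS = [  # constructed entries
    Risk("R1", "Lost laptop holding records", "internal", 4, 5,
         controls=[("full-disk encryption", 3)]),
    Risk("R2", "Staff phished for credentials", "internal", 5, 3,
         controls=[("multi-factor authentication", 2), ("awareness training", 1)]),
    Risk("R3", "Ransomware on file server", "internal", 3, 5, transferable=True,
         controls=[("offline backups", 1)]),
    Risk("R4", "Vendor SaaS outage", "vendor", 2, 2),
    Risk("R5", "Consultant remote access to corporate network", "vendor", 3, 4),
]

if __name__ == "__main__":
    for rid, residual, treatment in build_register(SAMPLE_RISKS):
        print(f"{rid}  residual={residual:2d}  {treatment}")
```

R5 ends up refused because no control in the policy brings consultant access to the corporate network within the vendor tolerance and the risk cannot be transferred, which is the outcome the article describes for that case. Each time a vendor is added, a new Risk row goes into the list and the register reorders itself, which is what makes the list grow and why the article warns that monitoring becomes cumbersome as the ecosystem expands.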

 

How SecurityScorecard Enables the Information Risk Management Process
SecurityScorecard continuously monitors threats to your environment across ten factors: application security, DNS health, network security, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering.

 

Using these ten factors, organizations can streamline the risk management process. A primary hassle for those engaging in the risk management process lies in defining risks and establishing definitions for controls that mitigate overall risk. The ten factors remove the burden of identifying both risks to the environment and ecosystem as well as controls that mitigate risk. Moreover, you can use these same ten factors to quantify your risk monitoring and reaction, as well as the security of your vendors.

 

SecurityScorecard’s continuous monitoring tool can help alleviate bandwidth problems and help facilitate a cybersecurity program more in line with the sophisticated cyberthreat landscape.
