Healthcare Information Security Today


Healthcare Information Security Today: 2014 Survey Analysis
Update on HIPAA Omnibus Compliance, Protecting Patient Data

Inside: Complete Survey Results, In-Depth Analysis, Expert Commentary

Sponsored by (ISC)²

From the Editor

Healthcare Info Security: Transformation Under Way

Healthcare is reaching a tipping point, with most organizations finally relying more heavily on electronic health records than on the paper charts that dominated record keeping and clinical workflow just a few years ago. Along with that incredible transformation, largely driven by the HITECH Act electronic health record financial incentive program, come new vulnerabilities, emerging cyberthreats and increasing security risks.

Because the adoption of electronic records is still so new for many healthcare organizations, and the exchange of patient information is still evolving, the healthcare sector is not fully mature in its embrace of security practices and technologies that are commonplace in many other sectors. Healthcare also faces ever-increasing regulatory burdens, including compliance with the new HIPAA Omnibus Rule, which spells out, among other things, new guidance on breach notification and new requirements for providing patients with secure electronic access to their records.

The 2014 survey sheds light on how healthcare organizations are addressing data security and privacy issues, as well as the challenges they face as they comply with HIPAA Omnibus. This handbook offers a progress report on the status of efforts to protect patient information and prevent potentially costly, reputation-damaging breaches. It reveals weaknesses in data security programs, providing a roadmap for improvements.

We're confident that you'll find the survey analysis useful as you benchmark and bolster your healthcare information security strategy.

Marianne Kolbasuk McGee
Managing Editor, HealthcareInfoSecurity
mmcgee@ismgcorp.com

Table of Contents

Introduction ... 2
What is the Survey About? ... 4
Roster of Experts ... 5
Hot Topics ... 6
Survey Results
HIPAA Omnibus: Compliance is Challenging
Breach Prevention: Trend Analysis
Risk Assessments: Getting Better or Cutting Corners?
Encryption and Authentication: Room for Improvement
Mobile Tech: Inadequate Protection
Web Portals: Work in Progress
Priorities, Investments and Staffing
The Agenda
Resources

Sponsored by (ISC)²

Celebrating its 25th anniversary, (ISC)² is the largest not-for-profit membership body of certified information and software security professionals worldwide, with nearly 100,000 members in more than 135 countries. (ISC)² issues the CISSP and related concentrations, CSSLP, CCFP, CAP, HCISPP and SSCP credentials to qualifying candidates. Visit

What Is the Survey About?

As healthcare organizations, including hospitals, clinics and physician practices, continue to digitize patient data while complying with regulations, they're also working to implement information security measures to assure patients, and regulators, that health information will be protected. At the same time, healthcare entities also want to ensure they're compliant with federal data privacy and security requirements, including the HIPAA Omnibus final rule, which went into effect last year.

HealthcareInfoSecurity conducted the 2014 Healthcare Information Security Today survey to provide an in-depth assessment of the effectiveness of these data protection efforts, including compliance with HIPAA Omnibus, breach prevention measures and risk assessments, and to identify the areas where more work needs to be done.

The survey was developed by the editorial staff of Information Security Media Group, with the assistance of members of the HealthcareInfoSecurity board of advisers, which includes leading healthcare information security and IT experts. International Information Systems Security Certification Consortium, better known as (ISC)², supported the survey as sponsor.

The online survey was conducted in the first weeks of. Respondents included about 200 chief information security officers, CIOs, directors of IT and other senior leaders. These executives work at hospitals, integrated delivery systems, physician group practices, insurers and other healthcare organizations.

Chart: What type of organization do you work for? Responses: Hospital (33%); Integrated delivery system corporate office (parent company of hospitals, clinics, etc.); Physician group practice/clinic; Health insurer/plan/payer; Other.

Chart: What is your title? Responses: Director/manager of information technology; Chief information security officer; Chief compliance/risk management officer; Chief privacy officer; Chief information officer/vice president of information technology; Physician group practice administrator; Chief (physical) security officer.

Roster of Experts

We asked several health information privacy and security experts for their insights, and their analysis of the survey results is included throughout this report. They include:

Kate Borten, president and founder of security and privacy firm The Marblehead Group. Before launching the firm, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center.

Michael Bruemmer, vice president of Experian Data Breach Resolution at Experian Consumer Services, a provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products. Bruemmer has more than 25 years of experience related to business operations and development in the identity theft and fraud resolution space.

Bob Chaput, CEO at Clearwater Compliance, a privacy and security consulting firm that helps covered entities and business associates comply with HIPAA and the HITECH Act. Chaput formerly served as an operations and technology executive at GE, Johnson & Johnson and Healthways.

Jeff Cobb, CISO at Capella Healthcare, a provider organization based in Franklin, Tenn. Cobb has more than 12 years of experience in information technology and security, primarily in healthcare. Previously, Cobb served in leadership and consulting positions with Ingenuity Associates, UnitedHealth Group and AIM Healthcare, now part of Optum.

Brian Evans, principal at security consulting firm Tom Walsh Consulting. Evans previously served as information security officer at The Ohio State University Health System, Atlantic Health, Fletcher Allen Healthcare, New York Hospital Queens and University of Alabama Birmingham Health System.

Andrew Hicks, director and healthcare practice lead at Coalfire, a security consulting firm. Hicks has more than 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance.

Sean Murphy, vice president at Leidos Health Solutions Group, a consulting firm. Murphy serves as the organization's health information privacy and security officer. He has nearly 20 years of experience in healthcare information security, serving at all levels of healthcare, from a hospital to an international integrated delivery system.

Hot Topics

The 2014 survey revealed a number of important compliance, technology, investment and priority trends.

1. HIPAA Omnibus: Compliance is Challenging. With all the publicity in 2013 about the importance of HIPAA Omnibus Rule compliance, a majority of respondents say they have detailed plans in place to comply with the final rule. But many healthcare organizations are still facing challenges in those compliance efforts.

2. Breach Prevention: Trend Analysis. Although more than a third of organizations say they did not have a breach of any size in 2013, some experts say this could be because detection and assessment of incidents are inadequate. Breach prevention priorities for this year include: stepping up privacy and security training, implementing audit tools to detect unauthorized access and implementing encryption.

3. Risk Assessments: Getting Better or Cutting Corners? A fear of HIPAA or HITECH Act enforcement activities may be contributing to more organizations reporting they conducted a risk assessment in 2013, compared to prior years. But if these assessments aren't thorough, these entities could be overlooking critical risks. Plus, the survey shows less than half of organizations have a documented information security strategy, a natural outgrowth of a thorough risk assessment.

4. Encryption and Authentication: Room for Improvement. Encryption and authentication can play critical roles in preventing breaches, including incidents involving mobile devices and unauthorized access to records. But the survey indicates that many healthcare entities still have a long way to go in implementing these technologies.

5. Mobile Security: Inadequate Protection. Many of the health data breaches that get reported to regulators involve lost or stolen unencrypted mobile gear. And the survey shows that less than half of organizations apply encryption to all mobile devices and storage media. Some 17 percent lack a mobile security policy.

6. Web Portals: Work in Progress. Under the HIPAA Omnibus Rule, patients have a right to access their electronic health information. And under the HITECH Act incentive program for electronic health records, participating organizations must provide patients with the ability to view, download and transmit their digital health information. But only a third of those surveyed have a patient portal to provide access to records.

7. Priorities, Investments and Skills. Top information security priorities for the coming year are improving regulatory compliance, improving security education and preventing and detecting breaches, which were also the top priorities in our survey last year. Top technology investments for the year include an audit tool or log management system, encryption, a mobile device management system, and data loss prevention. Nearly two-thirds of organizations say knowledge of privacy and security issues in the healthcare sector is the top competency being sought as they hire new staff.

Survey Results: HIPAA Omnibus Compliance is Challenging

The third annual Healthcare Information Security Today survey takes a close look at compliance with the HIPAA Omnibus Rule, which had an enforcement deadline of Sept. 23. Three-quarters of respondents say they have detailed plans in place to comply with the final rule. But what about the rest?

"It is surprising to me that 25 percent of organizations still don't have a plan in place," says Andrew Hicks, a director and healthcare practice lead at security consulting firm Coalfire. "That number shouldn't be that high."

Chart: Does your organization have a detailed plan in place to comply with the HIPAA Omnibus Rule? Yes 75%; No 17%; I don't know 8%.

Chart: What have been the biggest challenges in implementing the HIPAA Omnibus Rule? Responses: Training and educating workforce on compliance changes (50%); Revising business associate agreements; Getting new business associates to sign business associate agreements; Revising breach assessment and notification procedures; Providing individuals with electronic access to their protected health data; Modifying notices of privacy practices; Restricting disclosures to health plans when patients pay for services out of pocket; Revising policies related to PHI used for fundraising; Restricting sale of protected health information and complying with revised definition of marketing.

Survey respondents identified the challenges they're facing in their HIPAA Omnibus compliance efforts. Workforce compliance training and education is the biggest challenge, the survey shows, followed by two business associate issues: revising business associate agreements and getting new business associates to sign agreements.

Under HIPAA Omnibus, business associates, which include vendors such as many cloud services providers, are directly liable for HIPAA compliance. That means those business associates, like covered entities, face potential Department of Health and Human Services penalties ranging up to $1.5 million per HIPAA violation.

So covered entities are continuing work to help ensure that their business partners are compliant. But for some, that work is a struggle.

"We see covered entities that are pushing their business associates through archaic processes that involve spreadsheets and questionnaires, which is very difficult to manage through," Hicks says. "We've also seen business associate agreements that are being managed by administrative personnel that don't really have any understanding of what HIPAA is or the implications there. These should be managed by legal counsel or other compliance-type officers," he says.

Among the top steps that healthcare entities are taking to ensure their business associates are compliant with HIPAA Omnibus are modifying business associate agreements to provide more details; revising policies for business associates reporting breaches; and requiring completion of a security questionnaire.

Chart: What steps has your organization taken to ensure that your business associates that have access to protected health information are HIPAA compliant as required under the HIPAA Omnibus Rule? Responses: Modified business associate agreements to provide more details (70%); Revised our policies for business associates reporting breaches to our organization; Required completion of a security questionnaire; Obtained a copy of their security policy; Obtained a copy of their security audit; Commissioned a third-party validation of BA's policies and procedures.

Under HIPAA Omnibus, breach assessments should be based on at least four objective factors, rather than the previous, more subjective "harm standard." Revising procedures around breach notification is among the top Omnibus challenges for nearly 40 percent of organizations. So far, nearly 60 percent of entities have instituted four-factor breach assessment procedures, but 49 percent of organizations have not tested their breach notification plan to see if it works, the survey shows. Some entities are making other changes to their breach assessment policies and procedures as well. However, one in five organizations have made no changes at all, a possible indication that they're unaware of what federal regulators expect. Also, nearly half of organizations have not tested to see if their breach notification plan will work in a real breach situation.

Chart: What changes have you made to your breach assessment policies or procedures to comply with the HIPAA Omnibus breach notification rule? Responses: We have instituted the "four factors" spelled out in HIPAA Omnibus in assessing whether PHI was breached (59%); We have made other revisions to our breach assessment procedures; We have dropped the "harm standard" consideration when assessing whether breaches should be reported; We have made no changes.

Chart: Has your organization conducted a test to see if its breach notification plan will work in a real breach situation? Responses: Yes (30%); We've already used the plan in a real-world situation; No.

As noted, workforce training and education are pain points for HIPAA Omnibus compliance efforts. The survey participants give their organizations widely varying grades for the overall effectiveness of security training and awareness activities, with only about half giving their organizations high marks.

Security and privacy expert Kate Borten, on the other hand, is not surprised by the focus on training and awareness, especially considering that many breaches occur due to workforce behavior, ranging from losing computing gear to snooping at records. "Most of the organizations, if not all that I deal with, fall way short in terms of the content and delivery of adequate workforce training," says Borten, principal at the consultancy The Marblehead Group.

Chart: How would you grade the effectiveness of your security training and awareness activities for your organization's staff members and physicians? A 11%; B 41%; C; D; F; I (Incomplete).

"I'm really happy to see consideration given to the people dimension of what we regard as a four-dimensional, good-balance compliance program: policies, procedures, people and safeguards," says Bob Chaput, CEO and founder of Clearwater Compliance, a security and privacy consulting firm. "It's great that people have identified [awareness and training] as a challenge. On the other hand, only half of them [are] giving themselves a good grade. The requirements for privacy training of the privacy rule, security training of the security rule, are not a news flash. The Omnibus final rule did not tweak them. Why are people worried [now] about their training programs when this is stuff that ought to have been under way for the last 10 years?"

Analysis: HIPAA Omnibus Compliance Struggles

Andrew Hicks, Director and Healthcare Practice Lead, Coalfire

Information Security Media Group: Why do you think a quarter of organizations still haven't yet put a HIPAA Omnibus compliance plan into place, and what are the risks to organizations that are still putting that off?

Andrew Hicks: One possible reason for that is companies seeing the cost of HIPAA compliance. They're being forced into compliance. So there are some cost-prohibitive reasons, budget constraints; many see it as too time consuming or [they don't have] enough internal resources. You also have the smaller covered entities that may not even understand what their obligations are with regards to HIPAA. When you look at the risk factors, we all know there are breaches out there; there are penalties, both monetary and civil. And the biggest thing now that we're seeing is reputational risk. The Target breach is a great example of what a reputational risk will do to an organization in terms of sales and customer trust.

ISMG: Why do you think organizations are still struggling with certain HIPAA Omnibus compliance tasks, like workforce training and business associate agreements?

Hicks: We all know that training and logical access has always challenged covered entities. Logical access, whether it's for internal or external access, is always going to be a problem; we just need to face that. It's proven that most breaches happen from internal mistakes, and organizations continue to struggle with that. The whole minimum necessary concept is backed by good, solid access provisioning and decommissioning processes. When you look at it from a business associate management standpoint, a lot of covered entities don't even know who their business associates are. In some cases they're good at executing the BAAs, but all they have as far as information about those BAAs is the actual contract itself and a signature that they can't tie back to a specific entity. So that is a risk that we see today.

ISMG: Despite changes brought by the HIPAA Omnibus breach notification rule, nearly one in five organizations have made no changes at all in their breach assessment process. What are the first steps that organizations should take in making formal changes so that what they're doing in terms of assessing breaches is jiving with what OCR expects under HIPAA Omnibus?

Hicks: The first thing they need to do is they've got to get away from the harm-based approach that was introduced by the HITECH Act. The new approach is a risk-based approach under the Omnibus Rule. This all needs to be defined in their policies. And secondly, you've got to test now and test often, especially with changes to an organization.

ISMG: In your work with healthcare organizations and business associates, where do you see the most pushback from BAs in terms of the demands that they're getting from their covered entities related to HIPAA Omnibus and HIPAA compliance?

Hicks: Business associate agreements are being thrown around the industry like they're candy; but in some cases what we're seeing is that covered entities are asking their business associates to jump through all kinds of hoops to prove they're compliant. So while I completely agree that a business associate agreement is not enough, forcing all business associates to go through a costly assessment, like a HITRUST certification, as an example, may not make the most sense for every single type of business associate. So I think these organizations need to do a risk-based approach and consider the size, the complexity, and ultimately the risk that a business associate gives back to that covered entity as a way to manage those BAs appropriately.

Andrew Hicks is director and healthcare practice lead at Coalfire, a security consulting firm. He has more than 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance.

Breach Prevention: Trend Analysis

Surprisingly, some 37 percent of organizations say they did not experience a breach of any size in. Also, 53 percent of respondents report that their business associates did not experience a breach during that time frame. These findings could reflect successful efforts to prevent breaches. More likely, however, the findings indicate that incidents are not being properly assessed for breach notification under HIPAA Omnibus, or even worse, are not being detected at all. Some experts who analyzed our survey findings believe many breaches are being swept under the rug for a variety of reasons.

"It's just because [organizations] don't understand the compliance regimen and, just like an iceberg, there are probably 80 percent of small incidents that don't get reported, even with the new healthcare requirements, and you only get about 15 percent of all incidents reported through the proper channels," says Michael Bruemmer, vice president of Experian Data Breach Resolution.

Chart: What type of health information breach of any size did your organization experience in 2013? Responses: We have had no breach of any size in 2013 (37%); Misdirected fax or postal mailing; Insider attack, such as record snooping (unauthorized access) or identity theft; Lost or stolen unencrypted electronic device or media; Lost or stolen paper records; Improper disposal of paper records; Hacker attack.

Chart: What type of health information breach of any size did a business associate with access to your organization's patient information have in 2013? Responses: Our business associates have had no breach of any size in the past 12 months (53%); Lost or stolen unencrypted electronic device or media; Misdirected fax or postal mailing; Hacker attack; Improper disposal of paper records; Lost or stolen paper records; Insider attack, such as record snooping (unauthorized access) or identity theft.

"I suspect there are many more breaches occurring that aren't even recognized," adds Borten, the consultant. Organizations need to understand how to assess incidents under HIPAA Omnibus in order to properly detect and report them, she stresses. "This isn't just manager training. This is workforce-wide."

The survey shows that breaches affecting fewer than 500 individuals are more common than larger breaches. However, 21 percent of organizations surveyed had at least one breach affecting 500 or more individuals.

Chart: Approximately how many health data breaches affecting fewer than 500 individuals did your organization experience in 2013? Responses range from None to More than 50.

Chart: Approximately how many health data breaches affecting 500 or more individuals did your organization experience in 2013? Responses: None (79%); remaining responses range up to "More than".

For organizations that experienced a breach in 2013, the major impact for 45 percent included subsequent changes to security procedures and training. But for some, the fallout included employee terminations, damage to reputations, regulatory penalties and lawsuits.

Chart: If your organization or a business associate had a breach in 2013, what was the impact? Responses: Changes to our data security/privacy strategy, procedures (45%); Launched an awareness/training program; Staff member(s) dismissed because of role in breach; Damage to our reputation; Financial penalty from state or federal regulators; Breach resolution costs of $50,000 or more; Lawsuits filed by patients, customers.

Organizations identify several steps they plan to take this year to help prevent breaches. And because employee mistakes and intentional record snooping are often involved in breaches, it's no surprise that stepping up privacy and security training is the No. 1 action planned. Other steps that are among the top priorities include implementing audit tools to enhance detection of unauthorized access and implementing encryption on mobile and removable media and on all end users' devices.

But if breaches do occur, being prepared is critical, say some security experts. "The most important step that healthcare organizations can take this year to improve information security is to create and test a comprehensive data breach response plan," Bruemmer says. "Clearly that will do you more good than anything else to protect your healthcare organization."

Chart: What steps does your organization plan to take in 2014 to help prevent health information breaches? Responses: Step up training on privacy, security issues (63%); Implement audit tool to enhance detection of unauthorized access; Implement encryption of all mobile devices and removable media; Implement encryption of all end-user devices; Implement data loss prevention system; Implement enhanced user authentication, such as multi-factor; Prohibit storage of any protected health information on all end-user devices; Prohibit storage of any protected health information on mobile devices and removable media.

When it comes to the biggest information security threats for organizations, the top worries involve insiders, followed by business associates. Less than 10 percent of respondents say hackers are the biggest single threat to their organization. This reinforces trends seen in federal breach reports. The No. 1 cause of major breaches listed on the HHS "wall of shame" is the loss or theft of unencrypted devices or media. Plus, approximately a quarter of major breaches have involved a business associate. The survey also indicates that incidents involving misdirected information and insider threats, such as record snooping, are responsible for a substantial portion of incidents at organizations reporting breaches of any size in

"I think for healthcare organizations and for their business associates, the big threats come from the insiders," says Borten. "You have policies, you have procedures, and then you have to teach people what are the right things to do and the wrong things to do in terms of behavioral expectations."

Chart: What do you perceive to be the single biggest security threat your organization faces? Responses: Mistakes by staff members (35%); The growing use of mobile devices, including the "bring your own device" trend; Business associates taking inadequate security precautions for protected health information; Loss or theft of devices or electronic media; Insider threats, such as records snooping and identity theft; Hackers attempting to access records or use servers for other purposes, such as gaming.


Analysis: Breach and Risk Assessments: The Trends

Kate Borten, Founder, The Marblehead Group

Information Security Media Group: Do you think it's possible that more organizations are experiencing breaches than they realize, and is it possible that incidents are not being properly assessed for breach notification under HIPAA Omnibus, or perhaps even worse, not being detected or reported at all?

Kate Borten: I think you're exactly right, unfortunately, even though this is not a new topic for healthcare. There are still so many organizations that I encounter where they are still struggling with what constitutes protected health information. Let's say a list of patients at your practice is printed out and gets dropped in the parking lot; if you don't recognize that simply a patient's name associated with your organization is PHI and has to be treated as an incident and investigated to determine if in fact that is a HIPAA violation, then I think you clearly are missing out. And this is all too common. I suspect there are many more breaches occurring that aren't even recognized, and it has to be at the ground level, the individuals. This isn't just manager training. This is workforce-wide. Then the second issue is, are organizations actually identifying: This is a privacy/security incident; I need to go through that process that HHS laid out in the Omnibus Rule.

ISMG: What do you think are the best ways for organizations to improve their breach detection?

Borten: Any reasonable technology that we have we should be using. I noticed in the survey more and more organizations are actually implementing some data loss prevention, or DLP, technologies. If we look at the [major] breaches on the HHS wall of shame, there is still a lot that we have to do to get control of mobile portable devices and media. So I think encryption is something that should be a no-brainer. Not that it's trivial to implement, especially if it's not on your own devices but user-owned, but I think we have a long way to go. Too many organizations still haven't figured out, What is our policy? Are we going to permit our workforce to use their own computers? And that goes down to tablets and smart phones for work purposes. If so, what kinds of protections are we going to impose? If you're going to use your own smart phones, these are the rules you have to play by. I think that is a huge technological challenge that we still haven't really largely met. And the other is my pet topic, workforce training. Most of the organizations, if not all that I deal with, fall way short in terms of the content and delivery of adequate workforce training.

ISMG: When it comes to the fallout of breaches, what do you think organizations should be most worried about? And how should they prepare to deal with the aftermath of a breach?

Borten: For more and more organizations that I deal with, one change in just recent years is they are buying cyber-insurance. Each policy has to be looked at closely in terms of what would be covered. But that just helps alleviate a little bit of the financial hit; it doesn't really deal with things like future revenue and reputation losses and so on. Again, I think the way to deal with it is reduce the likelihood that you're going to have a breach, which means a stronger information security program to begin with.

ISMG: What are the biggest mistakes that you see organizations making in their risk assessments?

Borten: It's common to see a smaller organization simply using some vendor checklist; that doesn't go far enough. I think to do a risk assessment really properly, you need someone, whether internal or external, who has some security background so they really get it.... It's still a struggle for many organizations. It's still very much a question of, For [HITECH Act] meaningful use, do we just have to look at the certified electronic health record? Do we just look at the technology? Are we supposed to be looking at policies and procedures? Do we need to do a risk assessment on any other system? Well, any organization, even a small office, is likely to have PHI in a practice management system, for example, as well as in the EHR, or in billing systems. There are all kinds of PHI everywhere, even in small organizations. The answer is, you'd better be looking at risk to PHI wherever it is and in whatever form.

Kate Borten is president and founder of the security and privacy consulting firm The Marblehead Group. Before launching the firm, she led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer.

Sponsor Analysis

(ISC)²'s Perspective on How to Improve the State of Healthcare Security through Better Security Awareness & Education

By Dan Houser, CISSP-ISSAP, ISSMP, CCFP, CSSLP, HCISPP, SSCP, Member, (ISC)² Board of Directors

In healthcare, front-line medical professionals must make critical decisions that affect patients, not only in matters dealing with their care, but also the vast amounts of data and information in their medical records. In healthcare IT, we too are faced every day with critical choices, and as with medical practitioners, there can be substantial consequences for a misstep. Two critical areas of decision-making in healthcare IT are managing security and privacy. A key flaw in a healthcare system can affect patient health, lead to downtime, data theft, or the loss of compliance with crucial standards such as HIPAA Omnibus and the HITECH Act. As with medical professionals, a security professional's decisions, assessments and actions can make the difference between health and infection, the consequences of the judgment affecting the overall environment and even patient care.

IT security professionals learn to make better decisions mainly through experience, but training and education play a huge part in equipping security professionals to address mission imperatives in an emerging threat environment. Without the right training, particularly in an environment facing substantial change and sophisticated threats, a security professional could end up causing more harm than good.

The new survey, sponsored by (ISC)², reveals some interesting data points around security education and privacy awareness among healthcare IT professionals. The survey of about 200 senior executives at hospitals, integrated delivery systems, clinics, health plans and other healthcare organizations found that the top information security priorities named by survey respondents are:

» Improving regulatory compliance;
» Improving security awareness/education for physicians, staff, executives, and board;
» Preventing and detecting breaches;
» Monitoring HIPAA compliance of business associates; and
» Encrypting mobile devices.

As a healthcare professional and a member of (ISC)², the largest information and software security certification and education body in the world, I'm enormously interested in this data because it represents challenges that our customers face every day. What jumps out to me most is the focus on improving security awareness and education. This is no longer a "nice to have"; it is a "must have" for every IT department. This charge to improve security and privacy education affects nearly every aspect of a healthcare organization in order to meet regulatory compliance standards and protect patient data.

The study also finds that nearly 50 percent of respondents have put in place some kind of documented information security strategy, and that the biggest threat is coming from within, not from outside hackers, again pointing to the human side of errors and vulnerabilities. Many healthcare professionals understand these human vulnerabilities. When asked what steps they are taking to prevent breaches, the majority cited training as a core strategy. In fact, 63 percent said they plan to step up training on privacy and security issues, by far the most commonly cited answer, chosen consistently over more technical solutions such as audit tools and encryption.

When looking at their overall security priorities, healthcare IT professionals also ranked education as a top priority. Nearly half (48 percent) of respondents ranked improving security awareness/education for physicians, staff, executives, and board as a top priority for the coming year, even more than those who cited preventing and detecting breaches (37 percent). Interestingly, the number one security issue cited, improving regulatory compliance (50 percent), also includes an educational component. When asked what their biggest challenges were in implementing the HIPAA Omnibus Rule, half of healthcare IT professionals said training and educating the workforce on compliance changes, even more than those who cited potential issues with revising business associate agreements (46 percent).

All of these responses offer a single lesson in healthcare IT security: that training, education, and skills development frequently outweigh process and technology issues when it comes to getting the security job done. This is a critical lesson, because to be successful, healthcare organizations need to devote time and resources to these educational issues. Clearly, educating medical professionals in privacy and information security is no longer optional; it's a market imperative.

Without a doubt, it's time to refocus our security initiatives toward security education in the healthcare industry. (ISC)² has led this charge by building a unique and valuable healthcare IT certification, the Healthcare Information Security and Privacy Practitioner (HCISPP). I believe that this certification will help healthcare enterprises find and employ the skilled security professionals they need, but enterprises will need to add their own training and education initiatives as well. Much remains to be done to protect critical healthcare systems and patient data. For healthcare IT practitioners and the medical facilities where they serve, security education is a critical, ongoing process that will secure and protect critical systems.

Dan Houser is senior security and identity architect for a Global 100 healthcare organization, based in Columbus, Ohio. In addition to providing information security architecture and risk management subject matter expertise, he drives the organization's security and identity and access management strategies. Houser is a published author of research papers on identity and security, and holds the CISM and CGEIT certifications. He is an often sought-after instructor and speaker.

Risk Assessment: Getting Better or Cutting Corners?

HIPAA and the HITECH Act both require risk assessments, and organizations that fail to conduct a thorough and timely risk analysis face potential enforcement actions from HHS. OCR has already issued hefty fines to organizations that have experienced breaches and lacked a current risk assessment that could have helped prevent the incidents. The agency also plans to resume random HIPAA compliance audits in 2014, which likely will take a close look at whether organizations have documented a HIPAA security risk analysis, a weakness found at many organizations during OCR's 2012 pilot audit program. Additionally, HHS is expected this year to audit some healthcare entities that attested to meeting meaningful use criteria of the HITECH Act electronic health record incentive program, which also requires a HIPAA security risk assessment.

These enforcement activities may have contributed to the improved results for risk assessments in our latest survey. More than three-quarters of healthcare organizations surveyed said they conducted a risk assessment in 2013. By comparison, the previous year's survey found that only two-thirds of entities conducted an assessment within the past year. Of organizations that did perform a risk assessment in 2013, 59 percent say that the risk assessment was triggered, at least in part, by the entity's participation in the HITECH Act's electronic health record incentive program.

"I am seeing certain covered entities stepping up risk assessments, whether they are performing them internally or bringing in a consultant," says Borten of the Marblehead Group. "I think in many cases it is directly related to applying for meaningful use incentive payments. But it's very distressing that this is very often the first risk assessment an organization has ever performed, in spite of the fact that this has been a requirement [under HIPAA] since 2005," Borten says.

Chaput of Clearwater Compliance says many risk assessments come up short. "The reality is there is just not good empirical data that would suggest that there are strong and appropriately robust risk analyses being performed," he says. "So I'm a little leery when I see statistics like only 18 percent have not [performed one]. We're seeing too often organizations just don't understand the basics of risk, not to mention doing a risk analysis."

For instance, Chaput notes, "We'll often say, 'OK, you've done a risk analysis. Tell me about these words: assets, threats, vulnerabilities, controls, likelihood, and impact. When you did your risk analysis, were those the pre-eminent discussion points that were occurring?' And we're finding too often it's not the case. People are doing control reviews, and that is not what is required in the regulation. What we've generally observed is that the risk analyses that are being performed, I'll call them immature."

[Chart: Did your organization conduct a detailed information technology security risk assessment/analysis in 2013? Answer options: Yes, we conducted it internally; Yes, we hired a third-party firm to conduct our assessment; No; I don't know. Only one value, 44%, survives from the chart.]

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Secure File Sharing for HIPAA Compliance: Protecting PHI

Secure File Sharing for HIPAA Compliance: Protecting PHI A N A C C E L L I O N W H I T E P A P E R Secure File Sharing for HIPAA Compliance: Protecting PHI Accellion, Inc. Tel +1 650 485-4300 1804 Embarcadero Road Fax +1 650 485-4308 Suite 200 www.accellion.com

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

AB 1149 Compliance: Data Security Best Practices

AB 1149 Compliance: Data Security Best Practices AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized

More information

Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You

Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You By: Emilio Cividanes, Venable LLP Partner and Co-Chair Regulatory Practice Group Paul Luehr, Stroz Friedberg Managing Director

More information

HIPAA Violations Incur Multi-Million Dollar Penalties

HIPAA Violations Incur Multi-Million Dollar Penalties HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability

More information

HIPAA Security & Compliance

HIPAA Security & Compliance Creative Mind. Creative Heart. Creative Care. 2014 WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior

More information

HIPAA: Bigger and More Annoying

HIPAA: Bigger and More Annoying HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL

More information

Best Practices in HIPAA Security Risk Assessments

Best Practices in HIPAA Security Risk Assessments BUSINESS WHITE PAPER Best Practices in HIPAA Security Risk Assessments Safeguard your protected health information (PHI) and mitigate the risk of a data breach or loss. WHITEPAPER Best Practices in HIPAA

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Table of Contents Introduction... 3 1. Data Backup: The Most Critical Part of any IT Strategy...

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

HIPAA Privacy and Information Security Management Briefing

HIPAA Privacy and Information Security Management Briefing HIPAA Privacy and Information Security Management Briefing Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315 Soumitra Sengupta Information Security Officer sen@columbia.edu (212)

More information

Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies?

Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies? Upcoming : How Prepared and Confident are Medical Practices and Billing Companies? - Presented by NueMD a complete medical billing and practice management software solution company has partnered with Porter

More information

How To Find Out What People Think About Hipaa Compliance

How To Find Out What People Think About Hipaa Compliance Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry

More information

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel Questions Answers 1 Is a Business Associate (BA) responsible for assuming a Covered

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

More information