Cybersecurity and Assessments for Hospitals: From 0 to 100
Posted on: May 4th, 2023 02:41 pm
Hospitals and provider organizations are entrusted with patient data that is among the most valuable to cybercriminals and, at the same time, among the most highly regulated (HITECH Act/HIPAA Rules).
On top of this, a medium-sized hospital system operates several hundred software packages and hundreds of different types of connected medical devices.
Additionally, they manage access to those systems for thousands of people and may have up to hundreds of owned medical practices, imaging centers, hospice facilities, home health locations, and other subsidiary entities that support a patient’s full care lifecycle needs.
Against this backdrop, how should these health systems view the task of deciding how to assess physical access risk, cybersecurity risk, and regulatory compliance?
HIPAA SRA/PBRA assessments form the minimal regulatory assessment needed in today’s environment.
HHS/HICP is about to release 405(d) standards as part of a broader cybersecurity preparedness program, and a provider organization’s cyber insurance carrier will look for still more forms of prevention.
Whatever standard you choose, your assessment will focus on the same core common areas of prevention:
- Protection of PHI from all forms of unauthorized access and confiscation
- Technical safeguards to protect applications, networks, user access, and parent/child entity access
- Policy and procedural safeguards to ensure the faithful execution of company security and privacy practices from user onboard/offboarding to patch release management and everything in between.
Steps To Completing HIPAA SRA and PBRA Assessments
The process of completing the assessment is almost identical across the commonly used methodologies. Let’s discuss these steps, with some suggestions.
1. Data Gathering
It is important to collect enough information across all three areas to capture “enough” of your system’s current state.
How much is enough? It depends. There are a series of considerations that drive the answer:
- Where do you perceive your greatest risk?
- Have there been past breaches?
- What are the most vulnerable access points?
- Have new applications been implemented?
- Has new functionality been deployed throughout your care team network?
- Will you conduct a data sample or an entire population?
Your cybersecurity partner should be well-versed in healthcare technology, operations, regulation, and business risk in order to help you navigate these decisions.
2. Gap Identification
Based on the data collected:
- What are your gaps compared to the benchmark set for the method you are using?
- How significant are these gaps in terms of size, number, and perceived impact?
- Based on the severity and number of gaps, can you put them in a list ordered by urgency and priority?
3. Risk Remediation Plan
Take your list from step 2 and analyze the expense, effort, skills, and time needed to address each gap.
Now that you have this analysis, discuss the relative risk improvement, available budget, and available talent sources to formulate a plan of when you will address these risks.
4. Current Risk Level
Even though you have a plan, you have not executed or fixed the identified gaps yet.
As a result, you have a current risk level and a planned set of steps to fix the most important identified risks.
This is where you engage with stakeholders to gain their alignment on all your work thus far, so that the leadership team is fully aware of the organization’s current risk level, the most important steps needed to improve, and the investment and changes required to achieve the planned improvement.
It is also very helpful at this stage if you can have some comparative data to help your leadership team understand how your risk compares to similarly situated organizations.
5. Continuous Remediation
Security and compliance are a journey, not a destination.
You will need to keep track of the improvement achieved by fixing the gaps in your plan while at the same time regularly checking your data to identify new risks as they emerge, evaluate them, and add them to the plan.
Given the range of systems, hardware, facilities, and software that you must assess, it is likely that you will end up with a fragmented collection of risk assessments (and remediation needs) covering the many different parts of your organization that you have to protect.
A unified view of all risks across these areas with prioritized remediation, required investment, and a plan to execute would be ideal. With this information, a security team can keep its stakeholders fully informed on the entire security improvement program with real transparency and accountability across the leadership team.
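The five steps above, together with the unified cross-area view, can be captured in a small risk register. The following is an added example written for this page, not code from the original post or from any assessment methodology it names. The control names, benchmark maturity levels, likelihood/impact ratings, dollar figures and effort estimates are constructed sample data, and the priority formula (gap size times likelihood times impact) and the greedy budget/effort scheduler are assumptions chosen for illustration; a real program would substitute the scoring its chosen method prescribes.

```python
"""Minimal risk register walking the five assessment steps.

Added example, not part of the original post.  All findings, scores,
costs and effort figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    control: str        # assessed control (constructed names)
    area: str           # "physical", "technical" or "policy"
    benchmark: int      # maturity level the chosen method expects (0-5)
    observed: int       # maturity level found during data gathering (0-5)
    likelihood: int     # 1-5: chance the weakness is exercised
    impact: int         # 1-5: harm to PHI / operations if it is
    cost: float         # estimated remediation expense (constructed)
    effort_days: int    # estimated staff effort (constructed)

    @property
    def gap(self) -> int:
        """Step 2: distance below the benchmark; 0 means compliant."""
        return max(0, self.benchmark - self.observed)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> int:
        """Urgency used to order the gap list (assumed formula)."""
        return self.gap * self.risk


def sample_findings() -> List[Finding]:
    """Step 1: constructed data-gathering output for one assessment cycle."""
    return [
        Finding("Workstation auto-lock", "technical", 4, 2, 4, 3, 5000, 10),
        Finding("Badge access to server room", "physical", 5, 5, 2, 5, 0, 0),
        Finding("Offboarding access revocation", "policy", 4, 1, 5, 5, 20000, 30),
        Finding("Patch release management", "policy", 4, 2, 4, 4, 45000, 60),
        Finding("Medical device network segmentation", "technical", 3, 1, 3, 5, 80000, 90),
        Finding("Visitor log at imaging center", "physical", 3, 2, 2, 2, 1500, 3),
    ]


def identify_gaps(findings: List[Finding]) -> List[Finding]:
    """Step 2: keep only non-compliant controls, most urgent first."""
    return sorted((f for f in findings if f.gap > 0),
                  key=lambda f: f.priority, reverse=True)


def plan_remediation(gaps: List[Finding], budget: float,
                     staff_days: int) -> Tuple[List[str], List[str]]:
    """Step 3: schedule gaps in priority order while budget and staff
    time remain; anything that does not fit is deferred to a later cycle."""
    scheduled: List[str] = []
    deferred: List[str] = []
    for g in gaps:
        if g.cost <= budget and g.effort_days <= staff_days:
            scheduled.append(g.control)
            budget -= g.cost
            staff_days -= g.effort_days
        else:
            deferred.append(g.control)
    return scheduled, deferred


def current_risk_level(findings: List[Finding]) -> int:
    """Step 4: total risk carried by gaps that are still open."""
    return sum(f.risk for f in findings if f.gap > 0)


def residual_risk_after(findings: List[Finding], scheduled: List[str]) -> int:
    """Step 4: risk that remains once the scheduled fixes have landed."""
    return sum(f.risk for f in findings
               if f.gap > 0 and f.control not in scheduled)


def risk_by_area(findings: List[Finding]) -> Dict[str, int]:
    """Unified view: open risk per physical / technical / policy area."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.area] = totals.get(f.area, 0) + (f.risk if f.gap > 0 else 0)
    return totals


def reassess(findings: List[Finding], control: str, observed: int) -> None:
    """Step 5: record a re-assessment of one control after remediation,
    so the register reflects the improvement achieved."""
    for f in findings:
        if f.control == control:
            f.observed = observed
            return
    raise KeyError(control)


if __name__ == "__main__":
    fs = sample_findings()
    gaps = identify_gaps(fs)
    sched, defer = plan_remediation(gaps, budget=75000, staff_days=100)
    print("scheduled:", sched)
    print("deferred: ", defer)
    print("current risk:", current_risk_level(fs), "by area:", risk_by_area(fs))
    print("residual after plan:", residual_risk_after(fs, sched))
    reassess(fs, "Offboarding access revocation", observed=4)
    print("risk after first fix lands:", current_risk_level(fs))
```

Running the file prints the prioritized gap list, the subset the constructed budget of 75,000 and 100 staff days can absorb, the current and residual risk totals, and the per-area breakdown that gives leadership the single view the paragraph above describes. The `reassess` call at the end is the continuous-remediation loop in miniature: re-score one control after its fix, and the current risk level drops from 72 to 47 without touching any other entry.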