Security Risk Assessments (SRAs) are foundational to a healthcare organization’s ability to identify vulnerabilities affecting its ePHI. After discussing this topic with many healthcare leaders, it has become apparent that many struggle to maintain continuity in pursuit of this yearly required objective.
Leaders more often view SRAs as a once-a-year reactive task, performed out of necessity to fulfill obligations under CMS’s Promoting Interoperability Programs (formerly known as the Medicare and Medicaid EHR Incentive Programs). Since many healthcare leaders are tasked with juggling many objectives, it becomes obvious why it may be more convenient to put this task aside until a reporting deadline approaches.
Deven McGraw, OCR enforcement deputy for the Office for Civil Rights (“OCR”), the government agency responsible for enforcing HIPAA, explains that nearly every breach case investigated by the department originates from a hospital that failed to perform a risk analysis. Of those that did perform a risk analysis, many failed to identify the steps needed to mitigate risks and took no further action. “Many entities only look at their EHR systems, but not other information-collecting systems in their environments, and not connected devices,” she notes. “These routinely get left out.”
We see further evidence of McGraw’s statements in that, later in the calendar year, we often receive a flood of communication from healthcare providers who want a quick turnaround on their yearly SRAs, often in a panic to meet a reporting deadline. This can negatively affect all parties: entities may struggle to quickly procure funding for the task, and may find it difficult to locate available resources able or willing to commit to performing the SRA before a rapidly approaching deadline.
To address these issues, we decided to employ a different model that better addresses the timing challenges around SRAs. Why can’t we deliver a better result and make this an easier process for everyone involved? With significant dollar incentives or penalties on the line, doesn’t it make sense to take a more proactive approach, ensuring that SRAs are timely, effective, and efficient in meeting the obligations of this important security and compliance effort?
We propose that, as a best practice, SRAs should be accomplished in phases throughout the year with an ongoing monthly billing cycle. This model is more in line with an “as-a-service” (subscription) style offering, which allows flexibility in yearly budgeting and provides assurance that comprehensive SRA objectives will be completed in time for reporting purposes. This approach will be most effective for entities that struggle to find the resources and expertise to carry out compliance activities and remediate findings that fall below HIPAA and PCI standards.
Mandry Secure Compliance-as-a-Service compliance activities in a yearly cycle:
The fact is that you can’t hit a target that you can’t see. If you don’t know where you are going, you will probably end up somewhere else. You must have goals. – Zig Ziglar
Healthcare providers who choose a reactive model for conducting SRAs miss out on visibility and insight into their risks, and consequently end up risking patient trust. It can take years to build patient trust and only a moment for it to be destroyed. Securing digital assets can no longer be delegated solely to the IT department.
Just recently, Wise Health System in Decatur, Texas, notified 35,000 patients that their personal information may have been disclosed in a data security breach. The hospital stated that it was investigating a phishing attack that led to the security incident.
“On March 14, 2019, an email phishing campaign was launched against Wise Health System,” the press release said. “Unfortunately, a few of Wise Health System’s employees provided their user names and passwords in response to this phishing email.”