Whether your organization falls under HIPAA, FISMA or PCI DSS, you need to do a risk assessment. Yes, self-assessment is a good thing, but to prepare for a full compliance audit it's important to have an independent outside consultant perform this critical assessment.
I have worked in and audited many organizations that all too often wanted to do the minimum and were completely unaware of their full responsibility to meet their compliance. They also in many cases did not have the internal staff or expertise to do a high quality assessment.
To begin, let's look at HIPAA. From hhs.gov: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Security Rule still covers individuals' health records, but it focuses specifically on ePHI (electronic protected health information). Under the Security Rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities.
Let's define compliance vs. security. As I recently stated in a quote I made in the Nov 17 issue of Fortune, "How Frank Blake kept his legacy from being hacked": "Compliance is backward-looking and static, security is forward-looking, dynamic, and intelligent." Compliance is the foundation for security; it's the minimum.
You can't be secure if you are not compliant! A risk assessment will achieve compliance and actually make your organization more secure. The HIPAA risk assessment is required by law for HIPAA compliance; it's not optional.
NIST 800-66 Appendix E Risk Assessment Guidelines
- Scope the assessment. Where is the ePHI? Servers, workstations, smartphones, laptops, backups, cloud backup?
- Gather information. The conditions under which ePHI is created, received, maintained, processed or transmitted.
- Identify realistic threats.
- Identify potential vulnerabilities.
- Assess current security controls.
- Determine the likelihood and the impact of a threat exercising a given vulnerability.
- Determine the level of risk.
- Recommend security controls.
- Document the risk assessment results.
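The Appendix E steps above are easier to see end to end on a concrete inventory. The following is an added example, not code from the article or from NIST: a small risk register that scopes a constructed set of ePHI assets, pairs each with a constructed threat/vulnerability catalog, lowers the likelihood one step where a current control is in place, scores likelihood against impact, and documents the results highest risk first. The scoring matrix is the 3x3 qualitative matrix from the original NIST SP 800-30 (likelihood High=1.0, Medium=0.5, Low=0.1; impact High=100, Medium=50, Low=10; risk above 50 is High, above 10 is Medium, otherwise Low); the asset names, control names and catalog entries are assumptions made for illustration.

```python
"""Added example: an ePHI risk register walking the NIST SP 800-66 Appendix E
steps. Assets, controls and the threat catalog are constructed sample data."""
from dataclasses import dataclass, field

# Original NIST SP 800-30 qualitative scales (assumption: the classic 3x3 matrix).
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
LOWER = {"high": "medium", "medium": "low", "low": "low"}


def risk_level(score):
    """Map a likelihood*impact product onto the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    asset: str            # where the ePHI lives (scope step)
    threat: str           # realistic threat (threat identification step)
    vulnerability: str    # potential vulnerability the threat could exercise
    likelihood: str       # after taking current controls into account
    impact: str           # on confidentiality, integrity or availability
    recommendation: str   # recommended security control
    score: float = field(init=False)
    level: str = field(init=False)

    def __post_init__(self):
        self.score = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        self.level = risk_level(self.score)


# Constructed asset inventory: each ePHI location and the safeguards it already has.
ASSETS = {
    "EHR database server": {"encryption_at_rest", "backups_tested", "mfa"},
    "Clinician laptops": {"backups_tested"},
    "Billing cloud backup": {"encryption_at_rest"},
}

# Constructed catalog: (threat, vulnerability, mitigating control,
# base likelihood when the control is missing, impact on ePHI).
CATALOG = [
    ("device theft", "unencrypted storage", "encryption_at_rest", "high", "high"),
    ("credential theft", "password-only remote access", "mfa", "high", "high"),
    ("ransomware", "untested or missing backups", "backups_tested", "medium", "high"),
]


def assess(assets=ASSETS, catalog=CATALOG):
    """Produce the documented findings, highest risk first."""
    findings = []
    for asset, controls in assets.items():
        for threat, vuln, control, base_likelihood, impact in catalog:
            # Assess current controls: an implemented safeguard lowers the
            # likelihood one step; it does not make the threat disappear.
            present = control in controls
            likelihood = LOWER[base_likelihood] if present else base_likelihood
            recommendation = ("maintain and verify " if present else "implement ") + control
            findings.append(Finding(asset, threat, vuln, likelihood, impact, recommendation))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def report(findings):
    """Render the documentation step as plain text for the assessment record."""
    lines = ["ePHI RISK ASSESSMENT RESULTS (constructed sample data)"]
    for f in findings:
        lines.append(
            f"[{f.level:6}] {f.asset}: {f.threat} via {f.vulnerability} "
            f"(L={f.likelihood}, I={f.impact}, score={f.score:g}) -> {f.recommendation}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess()))
```

Running it lists the unencrypted laptops and the password-only cloud backup as High, the server that already has every control as Medium, and only the backed-up ransomware cases as Low; the point is that the register records both the residual risk and the control that justifies it, which is exactly what an auditor asks to see for each ePHI location.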
I have worked in many technical roles as well as performed many compliance audits as a consultant; we keep seeing many of the same things. No physical access controls, no vulnerability management, no pen testing, no data loss prevention on mobile devices, no backups or backups not tested or not encrypted, account management issues, weak passwords or no separation of duties, just to name a few. Just take a look at the Verizon Data Breach Investigations Report; it states most attacks are not highly difficult. Why? Because they involve the things required by compliance, and too many organizations are weak on compliance. Besides the HIPAA law, why do we need to do risk assessments?
The HIPAA Risk Assessment
From hhs.gov, RISK ANALYSIS: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
What are the human, natural, and environmental threats to information systems that contain e-PHI?
Notice they leave some room for reality by stating the sample questions are not prescriptive but rather issues an organization might consider in implementing the Security Rule.
NIST 800-66 states it this way:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.
- A risk assessment methodology, based on NIST SP 800-30, is included in Appendix E of this document.
- Are there any prior risk assessments, audit comments, security requirements, and/or security test results?
- Is there intelligence available from agencies, the Office of the Inspector General (OIG), the US-CERT, virus alerts, and/or vendors?
- What are the current and planned controls?
- Is the facility located in a region prone to any natural disasters, such as earthquakes, floods, or fires?
- Has responsibility been assigned to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
- Is there an analysis of current safeguards and their effectiveness relative to the identified risks?
- Have all processes involving EPHI been considered, including creating, receiving, maintaining, and transmitting it?
There are too many documents and rules and regulations, so sorting it all out can be confusing, but to do the actual Risk Assessment you must look to NIST 800-66 Appendix E.
With the federal mandate to put more healthcare records online, data breach after data breach spanning healthcare, the military, retailers, and universities has become common. One must ask: what's the root cause?
According to Leon Rodriguez, Director of the Office for Civil Rights, U.S. Department of Health and Human Services, HIPAA complaint traffic has increased geometrically since the HITECH Act. In the last three years, there have been over 70,000 HIPAA violation complaints. Pre-HITECH, the maximum penalty per year per provision violated was $25,000. Now it's $1.5 million.
Before the new rules, willful neglect had to be proven to pursue any type of penalty. Any lesser measure of culpability was not actionable through penalties. But consumers need confidence that there is an effective enforcement entity if they are going to feel comfortable being forthright in sharing sensitive health information. The HIPAA penalties applied were due to:
- Failure to have adequate HIPAA compliance policies and procedures as administrative safeguards.
- Failure to complete HIPAA security training for their staff.
- Failure to implement access controls as physical safeguards.
- Failure to encrypt the information on the device or an equivalent protection.
Since the breach notification rule for unsecured protected health information was enacted in 2009, the U.S. Department of Health and Human Services' database of major breach reports (affecting 500 or more people) has tracked 944 incidents affecting the personal information of about 30.1 million people. There are also many more incidents of smaller-scale breaches (fewer than 500 people per incident). In 2012, HHS received 21,194 reports of smaller breaches affecting 165,135 people, according to the department's most recent report to Congress. Similar numbers were reported in 2011. In all, data breaches cost the industry $5.6 billion each year, according to the Ponemon Institute.
It's obvious that we are pushing more healthcare data out than we can possibly secure safely. We see basic compliance failures across all industries. CEOs need to take the lead and put policies and processes in place that assure 100% of the compliance objectives are met; this includes the mandated HIPAA risk assessment (no matter how small the healthcare practice) and, at the same time, a shift toward proactive, intelligence-driven security monitoring and response. We can no longer do some compliance or some security or work in silos; our adversaries are well organized and funded and will stop at nothing to take what we are unable to properly secure for their personal gain.
We must always remember that "we must think of every way our data can be compromised, while a cyber-criminal only needs to think of one!"
George Grachis, CISA, CISSP, is a senior consultant with Maxis360, located in Orlando Florida. He can be reached at Maxis360.com or Ggrachis@maxis360.net.