Every year, medical practices that accept Medicare and Medicaid insurance are required to perform a Security Risk Assessment to comply with HIPAA law. This comprehensive list of questions helps each practice realize what threats they face in the modern digital world, and what their defenses are. It does not, however, answer the question of what to do if an attacker gets into your systems.
How does an SRA help mitigate a data breach?
Consider the following increasingly common situation: workers at a small healthcare facility come into work on a Monday morning to find that their data on the network drives has been encrypted by an attacker who left a ransomware note on the server: Pay us in crypto, or we’ll post all your files on the internet for anyone to see!
The IT team restores the data from backup, but what about the other threat? How do you know if the attackers exfiltrated data? Does anyone know what is in all those files on your network that have been around for decades? The answers to these questions become critically important, because if PHI was stolen, the practice must notify all their patients.
The goal of an SRA is to educate the practice on what threats it faces in the modern world, and check for gaps in its defenses. The above scenario should be explicitly considered when assessing your IT systems due to its increasingly common occurrence and the impact it can have on a medical practice.
Security Risk Assessment Basics
HealthIT.gov has a great introduction to performing an SRA. The excel spreadsheet available on their security risk assessment tool page gives a checklist for any practice to go through all the potential ways their PHI could be stolen.
Experts recommend that you hire a 3rd party to perform the assessment, for a multitude of reasons. The assessment is a consideration of more than just IT capabilities, such as facilities management and operations. Your own IT department might have missed something or may lack expertise in a specific area that a 3rd party would notice with a fresh and objective set of eyes. Generally, people assessing their own work may overlook flaws or skip details.
Advanced Security Risk Assessment
The HealthIT.gov spreadsheet is undoubtedly a good starting point. However, it asks black and white questions when what you need are the whats, wheres, whens, whys, and hows. You can check the box for “do you keep logs for X?” But an experienced SRA provider will probe to understand where the logs are kept and how they’re maintained. This deeper insight will help create actionable plans based on the findings of the SRA.
When hiring a company to perform an SRA, here are some of the advanced items to include in the scope of work:
1) Examine the data on our network and identify which files contain PHI
2) Identify which devices on my network are vulnerable or unpatched
3) Make suggestions for how to remediate those vulnerabilities
4) Document location of log files that would be needed in the event of a breach
5) Verify the information inside those logs would tell the story of what happened in the event of a breach.
The answers to these five questions should have results specific to your practice that can become the foundation of your cyber disaster recovery plan, which is touched on in Section 7 of the spreadsheet.
Bad Assessments
Here are a few signs that the company performing your SRA is merely checking the boxes and providing little valuable information to your practice.
1) The assessor asks the IT Team to connect to only one machine. The assessor finds that the computer is running security software, has the most recent windows updates, and has full disk encryption, and then concludes that all computers in the network must also be fully hardened.
This provides no real evidence that all the computers have security software and updates. A list of all devices in the network and their patch/security/encryption status is necessary to make this determination.
2) The assessor asks if there are any unpatched or vulnerable devices on the network.
A good assessment will perform a scan of the external and internal network for vulnerabilities.
3) The assessor asks if you monitor or log system activity and moves on.
It is vital for your practice to be able to identify what is being logged, where the logs are stored, and how access to these logs is protected.
A Good SRA Empowers Your Practice
If your practice goes through the SRA questionnaire and answers yes or no but doesn’t document answers, the practice is missing a huge opportunity to prepare for the future. Each question is designed to mitigate against one or more threats; over the lifetime of a medical practice, some of these threats will inevitably become reality.
NRVPC has worked in the healthcare IT field since 2011. If you’re looking for someone to perform a security risk assessment for your practice, please contact us at (703)400-6937 or inquire here