Articles & E-Books

 

Why security risk management isn't a once-a-year event

Nov 11, 2019

How often does your organization identify and assess risks to sensitive/confidential organizational data/information? 

All too often I see healthcare organizations consider cyber and information security risk management a once-a-year event. They perform a program-wide risk assessment to determine where their gaps in security are, decide whether to fix those gaps or leave some as acceptable risk, and then forget about security for another year.

But like all business risk, information security risk management is a daily issue.

Gap analysis vs. risk analysis

It is not uncommon for many healthcare organizations to perform an annual gap analysis and call it a risk assessment each year. However, theHealth Insurance Portability and Accountability Act (HIPAA)requires healthcare orgs to safeguard electronic protected health information (ePHI) through “reasonable and appropriate security measures,” including a risk analysis. 

Providing much-needed guidance after years of confusion, in 2018 the Office for Civil Rights (OCR) cleared up the confusion about the differences between a gap analysis and a risk analysis.

In layman’s terms, risk analysis as a component of risk management, consists of: 1) identification of possible negative external and internal conditions, events or situations, 2) determination of cause-and-effect (causal) relationships between probable happenings, their magnitude and likely outcomes, 3) evaluation of various outcomes under different assumptions, and under different probabilities that each outcome will take place and 4) application of qualitative and quantitative techniques to reduce uncertainty of the outcomes and associated costs, liabilities, or losses. 

A gap analysis is a comparison of a company’s current performance with what it could perform— in other words, an evaluation of actual performance versus target performance. Gap analysis is a technique that organizations use to find out what they need to do to move from their current state to a future one. Specifically, a future state that they desire. The “gap” is the difference between where the company is and where it wants to be. In other words, the difference between its current and target states. 

Given this guidance from OCR — and the penalties they levy for noncompliance — I’ve been advising clients to read the guidance OCR released so they fully understand what a risk analysis encompasses and how it may differ from what their organization has been doing. And I encourage them to think about information security risk management as a daily, not yearly, event.

The three barriers to change

Easy said is easy done, right? 

I often see three barriers to implementing a more comprehensive information security risk management program. Let’s quickly touch on them and move on to some tips to overcoming these barriers.

  1. Lack of time: Security risk management is often relegated to IT, which is already overloaded with managing the technology needs of the business. 
  2. Lack of knowledge: Naturally, security then gets secondary importance from a person or people who aren’t security specialists. 
  3. Lack of leadership support: Some leaders tend to have a “it’ll never happen to us” mindset or see other organizational issues as taking priority over security. Thus, security risk management doesn’t get the budget it needs, or leadership support from a decision-making standpoint. 

So how can you help your organization overcome these barriers?

Tip #1: Work with a virtual CISO

If your healthcare organization has labeled security as IT’s job, my top tip is enlisting the help of a virtual chief information security officer (CISO). This virtual CISO is a seasoned security professional, but they don’t become your acting CISO. 

Rather, they act as a mentor to help boost the security abilities of an existing professional in your organization. Or they can act as an advisor to your board to lend their expertise and help board members understand the sheer importance of security in today’s risk-heavy world, as well as the ramifications of not mitigating risk.

Tip #2: Piggyback on your other risk management

I also recommend treating security risk management no differently than you do patient or financial risk management. 

If your security risk management isn’t as mature as it needs to be, review your patient and financial risk management processes and consider either mimicking them for security or even partnering with those who created them on developing an organizational risk management program that considers all the risks that your organization is or may be exposed to on a daily basis.

Honestly, regulations don’t say you have to do security risk management in a particular way. You just have to do it. But it has to be a day-to-day function to be successful. Focusing on it only once a year leaves your organization wide open to security threats to your sensitive/confidential data.

Tip # 3: Form a security privacy council

IT people may know how to maintain a firewall, harden servers and perform other operational security tasks, but they should not be expected to know everything about organizational information security risk management. Similarly, compliance people understand how to put together policies and procedures, but they don’t know everything that goes into information security risk management. 

I recommend bringing these two groups together — along with a C-level leader as a sponsor who can make decisions — into a security/privacy council. Get rid of these silos, bring the expertise of IT and compliance together, and consider bringing in a virtual CISO to act as a neutral advisor to fill in the gaps when it comes to information security risk management. 

This way, IT and compliance can not only know what the other is doing but also combine their security-related efforts to create a comprehensive risk management program. From workforce training to risk management to effective governance, you can make sure everything gets covered if you have a council that keeps each other informed and makes inclusive decisions on security. 

Getting started

If you have any questions about how to get your healthcare organization to focus more on information and cybersecurity, contact Wipfli. We are experienced in providing board education, performing a wide range of security assessments and testing, creating policies and procedures, and providing virtual CISO services.

Or you can keep reading on about healthcare security in these blogs:

Does your health care organization struggle with risk management?

What you need to know about transmitting patient health information

Opinion: It’s time for a federal third-party security certification in healthcare

Author(s)

Rick Ensenbach
Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Director, Risk Advisory Services
View Profile