Risk Assessments in the time of Covid

With apologies to Gabriel Garcia Marquez

COVID-19 has posed many and severe challenges to the entire healthcare sector. One of the lesser challenges is how to conduct business, in particular a security risk assessment, while facilities aren’t accepting visitors, many employees are working from home, and business travel is quarantined or restricted.

In our experience (over 10 years and 1500 clients), the benefits of an on-site assessment are two:

  1. Face-to-face conversations are better than phone calls or video conference.  Real-life has a higher bandwidth than the fastest network connection. The conversation flows better, is more productive, covers more details, and addresses those details in greater depth when it’s live and in-person than over a wire.  No one has ever said “just one more thing” while on their way out of a Zoom call.

  2. The serendipity of an actual site walkthrough cannot be replaced. 19 times out of 20, a site walkthrough produces no findings. But that twentieth time makes up for it. Some item we’ve discovered while “just walking around” include USB drives where they shouldn’t be, passwords taped onto monitors, disabled screenlocks, and most memorably, a quarter inch of water in the data center (a dehumidifier had sprung a leak).

If we cannot physically come on-site, then how do we make a remote risk assessment as good an alternative as possible? Some additions we’ve made:

·       Maximizing discovery: Perhaps the biggest risk is missing a resource that is not high-profile; but nevertheless presents a great deal of information security risk. We manage this by creating the system inventory with great care, obtaining review from as many stakeholders as possible, reviewing the catalog against as much written documentation as is available, and validating the catalog during each discovery interview.

·       Confirming the criticality of resources: A resource that is unimportant to one party may be vital to another. As criticality is an important component of risk, we validate our understanding of each asset’s criticality with multiple stakeholders; and test the findings against our deep healthcare experience.

·       Expecting the Unknown: Close coordination and communication with our clients enable us to handle any unforeseen problems that arise. We have regular status reports, progress reports, touchpoint calls, and a Quality Assurance process to enable us and our clients to respond to the unforeseen.

Compared with a patient on a ventilator, this is very small potatoes. But when they say “COVID has changed everything”, that includes Security Risk Assessments.  Risk doesn’t go away – we must manage it as best we can.