St. Elsewhere is a very typical small to mid-sized standalone hospital. They are caught between declining reimbursements and rising costs, and must operate as leanly as possible. In the Information Technology department, this translates into shrinking budgets, a focus on the bottom line, and all of the staff wearing many different hats. Despite this, the amount of information and variety of tools deployed only goes up from year to year, as does the need to secure it all. St. Elsewhere’s IT team has to do more with less.
St. Elsewhere’s leadership knew that their security was OK, but could be better. They’d had a few near-miss events that could have become security breaches, but luck and exceptional effort on the part of the IT team had contained them. But they didn’t want to count on luck. The compliance requirement of a Security Risk Analysis, for both HIPAA and MIPS, was the immediate driver for them to seek outside help.
They needed two items: an independent assurance that there were no disasters lurking in the near future, and a realistic plan to improve – not by throwing money at the problem, but by intelligently using the people and technology they already had in place, and limiting new spending to items with a very clear ROI.
Techumen performed a HIPAA Security Risk Analysis for St. Elsewhere, following the NIST 800-30 standard and referencing the latest Office of Civil Rights (OCR) enforcement actions and corrective action plans. Meeting the compliance requirements was a must. But compliance is also the start of good security, not the end. The best risk analysis in the world is useless if it doesn’t lead to good recommendations. Too many risk assessments deliver a mile-long list of every possible improvement, with an eye-watering price tag to match. An organization like St. Elsewhere needed a practical, resource-aware corrective action plan that did not unduly impact operations, while still managing the identified risks. “Buy these expensive products which will solve all your problems” was not an acceptable answer.
The first priority to fix was the few compliance gaps Techumen found – 3 areas where the HIPAA Security Rule Safeguards were not implemented in a “reasonable and appropriate” fashion. There were a few shared passwords that prevented individual accountability; user account actions (adds, changes, edits) needed better documentation; and the CIO made risk acceptance decisions that needed to be vetted by the Executive Committee. These gaps could all be closed with better processes, not capital expenses.
The next priority was to address the high risks, using the technology tools already in place. In particular, St. Elsewhere’s patching was not quite at 100% – but patching is worth getting as close to 100% as possible, because the unpatched remainder is where attackers look first. Techumen improved the process, using a mix of automation and manual effort, to get the last 20% in.
The third tier of priorities was more complex, as it had more dependencies and required more investment, both in staff time and money, to bring to fruition. Items in this tier included more robust disaster recovery capabilities, more automation of log monitoring, a more rapid retirement of obsolete and unsupported applications, and a more robust IT audit program. The recommendations in this tier all addressed risks, but these risks were not so severe as to disrupt other IT priorities (such as EMR optimization) or to justify spending a large amount of money or dedicating a lot of staff time.
Phase 1: Discovery
In this phase, Techumen reviewed the people, processes, and technologies that supported information security risk management at St. Elsewhere. We started by interviewing 12 key personnel, including the Privacy Officer, the Helpdesk Lead, the head of HR, the lead Network Administrator, the lead Systems Administrator, and the application support teams. We then reviewed all documentation relating to the Information Security and Compliance programs at St. Elsewhere, such as policies, standard operating procedures, network diagrams, product documentation, test plans and results, meeting minutes, sign-off sheets, training material, and after-action reports. We reviewed a sample of key system and log files to ensure controls were functioning as designed. Lastly, we assessed the physical security in place using a combination of physical walk-throughs, site surveys and telephone interviews.
Phase 2: Analysis
With discovery completed, we compared St. Elsewhere’s current state to the requirements of the HIPAA Rule(s), additional guidance provided by the Office of Civil Rights during their enforcement actions, and industry best practices. We also used our proprietary Risk Assessment toolset, based on the NIST 800-30 standard, to assess St. Elsewhere’s security. We looked at risks to the confidentiality, integrity, and availability of St. Elsewhere’s electronic PHI. This assessment formed the basis of the corrective action plan, helped improve risk management overall, and met the HIPAA requirement to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to ePHI.
Phase 3: Recommendations
In this phase, Techumen and St. Elsewhere worked together to develop a practical, resource-aware corrective action plan for St. Elsewhere. A collaborative effort was essential – no one benefits from a plan that sits on a shelf and gathers dust. Nor does anyone benefit from a plan that cannot or will not be implemented, due to lack of staff, competing priorities, or insufficient funding. The goal in planning is to find the balance between setting goals that the organization can achieve with some effort, and making sure that effort is directed in the best direction.
St. Elsewhere’s Involvement
We do not want our assessment to unduly burden our client’s personnel, but we do want to ensure a thorough discovery process. The client involvement is limited to:
Identifying key personnel to interview, and making them available for interview in a timely fashion. We typically interview between 10 and 20 people, for 30 to 90 minutes each.
Identifying and producing documents, files, and logs in a timely fashion. Depending on the state of documentation, this has ranged from zero to 1000 pages of material.
Reviewing deliverables, especially the recommendations. While we don’t want to make recommendations that simply cannot be implemented, we do want to lead our clients to a better future state than where they are now.
Information Security is not a matter of spending a lot of money. A thoughtful, creative plan that takes into account the organization’s limits and goals, while still including best practices from industry and governmental sources, is a far better approach to the problem of information risk management. If you find yourself with more risks and questions than dollars and cents, Techumen can help.