Security risk assessments are difficult, but necessary.
One of the knottiest challenges facing medical practices today is protecting the security of electronic patient information. For both operational and regulatory compliance reasons, practices must perform security risk assessments to find out where they are vulnerable so they can plug the holes. If they don’t, they are much more likely to suffer a security breach that compromises patient data or locks them out of access to their vital records. They could also be fined for not complying with government regulations.
For a security risk assessment, practices don’t necessarily have to hire a security consultant. They can learn much of what they need to know by downloading publicly available security risk assessment tools. Read on to find out how to do that and how to use these tools.
Security risk assessments are required by the security rule of the Health Insurance Portability and Accountability Act (HIPAA). In addition, the federal electronic health records (EHR) incentive program, popularly known as “Meaningful Use,” mandates them, as does the successor to meaningful use, the Advancing Care Information category of the Merit-based Incentive Payment System (MIPS).
Despite these requirements and the increasing threat of cyberattacks, many small practices have “huge gaps” in their security procedures, notes Lee Kim, JD, director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). Some doctors and practice managers believe that if their system has a firewall and is password-protected, they’re secure, she says.
Kim and other experts doubt that small practices can do adequate security risk assessments on their own, even with the help of online risk assessment tools available from HIMSS and the Office of the National Coordinator for Health IT (ONC).
“They can try to tackle it themselves, but there’s so much to sort through,” says Nathan Gibson, director of IT operations and privacy officer for WVMI Quality Insights, based in Charleston, West Virginia.
Gibson and Kim both recommend small practices enlist the help of security consultants. But they recognize it’s expensive: hiring a consultant for a security risk assessment can easily cost several thousand dollars, Kim notes. And that doesn’t include the cost of repeat assessments, which should be done at least once a year, or the cost of mitigating security problems.
Gibson says that a large group’s IT staff can handle security risk assessments on its own. That approach has proven successful for some groups. For example, Susan Harrington, IT director for Emerald Physicians, a 50-provider group in Hyannis, Massachusetts, has been doing risk assessments and writing security plans for her practice for the past five years. ONC’s security risk assessment tool has been invaluable, she notes. Since 2012, she has been assisted by Roland Stulsky, the group’s chief information officer.
Some groups that do their own risk assessments, however, fail to grasp the full extent of the threat to their information systems. Internist Edward Gold, MD, chief operating officer of Old Hook Medical Associates, a 70-doctor group in Emerson, New Jersey, recalls that a local hospital recently was subjected to a ransomware attack after an employee opened a malware attachment to a phishing email. Gold says he doubts that this will happen to his practice, because he believes the criminals are going after bigger fish.
Kim disagrees. “We’ve had small providers who’ve been affected, but not everyone has heard of it or been afflicted by it. That awareness needs to rise.”
Security is always a work in progress. Harrington’s annual security plan updates, for example, explain what the practice has done to improve its security and what remains to be done. The security risk assessments, she says, help her measure that progress.
“It’s not going to come out perfect, but you do need to know what work needs to be done, and it helps you to prioritize and start on the work, and every year chip away at what needs to be done,” she says.
Citing the ever-changing nature of the threat, Stulsky says a security risk assessment “is an ongoing situation” that constantly requires new tactics to counter potential attacks. For example, Emerald now runs intrusion detection software that alerts the practice immediately if its firewall is breached or if an unauthorized person attempts to log on to the network.
No matter how intensive the security procedures are, Gold believes that determined hackers can find ways to circumvent them. “Security is one of the biggest challenges facing physician practices,” he observes. “You can do everything right, everything you could possibly do, and somebody will hack your system somewhere along the way.”
The HIMSS and ONC tools provide a good starting point for practices to get a grip on security risk assessments, Kim says. The HIMSS Risk Assessment Toolkit, she points out, is mainly a compliance guide. While it lacks technical details, it does give practices a big-picture look at how they’re protecting and maintaining the integrity of patient information.
ONC’s Security Risk Assessment Tool features a step-by-step guide on how to implement its administrative, technical, and physical security sections, which include 156 questions. Harrington admits the tool is very long and complex: the administrative section alone is 192 pages. But she says she read through it all in about three days.
“Then I went out to the practice sites and followed the tool to the letter. I also wrote a security plan for the practice. Every year for meaningful use, I would update the plan, describing what we had worked on,” she says.
She adds, “The ONC tool was actually valuable, because it gave guidance on what you should be looking at.” As a result, the practice established role-based access to its information system, meaning that employees have access only to the data they need in their daily work.
Practices should make sure that the security controls in their EHR software are turned on, the experts point out, but they should not rely on these controls alone for security. In a 2015 survey, HIMSS found that most groups still depended on old security technology such as firewalls and antivirus software, Kim notes. These measures won’t necessarily stop hackers, regardless of what vendor sales people may tell physicians, she emphasizes.
Gibson agrees. This is why practices need to do “technical vulnerability assessments to help determine the functionality and effectiveness of the security controls,” he says. He recommends also that practices encrypt all their data, including data on workstation computers, laptops, and backup tapes.
Small practices could do some encryption work on their own, Gibson says. For example, they could use BitLocker for certain versions of Windows, and they could enable encryption within an EHR and within backup software. But some aspects of encryption, such as recovery procedures if a desktop or laptop won’t boot and testing encrypted backups, would require internal expertise or assistance from a consultant, he says.
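What Gibson’s BitLocker suggestion, and the recovery problem he raises, look like in practice is shown below. This PowerShell is an added example for this article, not code from WVMI Quality Insights or from any of the practices quoted. It assumes a domain-joined Windows 10 or 11 Pro/Enterprise workstation with a TPM, an elevated PowerShell session, the RSAT ActiveDirectory module for the escrow check, and the Group Policy setting that allows BitLocker recovery information to be stored in Active Directory. The volume letter and the 48-digit password in the recovery drill are placeholders.

```powershell
# Added example, not from the article. Enable BitLocker on the OS volume,
# escrow the recovery password to Active Directory, audit every fixed drive,
# and rehearse recovery. Run elevated on a domain-joined Windows 10/11
# Pro or Enterprise machine with a TPM. The volume letter is a placeholder.
$Volume = 'C:'

# 1. TPM protector plus a recovery password. A TPM alone is not enough: a
#    firmware update or motherboard swap changes the TPM measurements and the
#    disk will not unlock, which is the "won't boot" case in the text.
$vol = Get-BitLockerVolume -MountPoint $Volume
if ($vol.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
}

# 2. Escrow each recovery password to AD (requires the GPO "Store BitLocker
#    recovery information in Active Directory Domain Services"). The escrowed
#    record is also the evidence, after a laptop is lost, that it was encrypted.
$vol = Get-BitLockerVolume -MountPoint $Volume
$vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
    Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $_.KeyProtectorId
}

# 3. Audit. The assessment question is not "is BitLocker available" but
#    "is protection On, is the cipher XTS-AES, and is a recovery password
#    escrowed". Any row with Compliant = False is a finding.
function Test-BitLockerCompliance {
    Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } | ForEach-Object {
        $hasRecovery = [bool]($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            Volume         = $_.MountPoint
            Protection     = $_.ProtectionStatus
            Cipher         = $_.EncryptionMethod
            PercentDone    = $_.EncryptionPercentage
            RecoveryEscrow = $hasRecovery
            Compliant      = ($_.ProtectionStatus -eq 'On') -and
                             ("$($_.EncryptionMethod)" -like 'XtsAes*') -and
                             $hasRecovery
        }
    }
}
Test-BitLockerCompliance | Format-Table -AutoSize

# 4. Confirm the escrow from the domain side (RSAT ActiveDirectory module).
#    The help desk reads msFVE-RecoveryPassword from this object to unlock a
#    machine that is stuck at the BitLocker recovery screen.
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $computerDn `
    -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, 'msFVE-RecoveryPassword'

# 5. Recovery drill, on a test machine, never for the first time during an
#    incident. From WinRE or from another machine a data volume unlocks with:
#    manage-bde -unlock D: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
#    (placeholder; the real value is the 48-digit password escrowed above)
```

The audit function is the part worth keeping in the annual assessment: run it against every workstation and laptop, and treat any volume that is not On, not XTS-AES, or has no escrowed recovery password as an open finding. Step 5 is what Gibson means by recovery procedures requiring expertise; a practice that has never unlocked a machine with an escrowed password should do so once on a spare laptop before it has to do so on a physician’s.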
Some practices believe that their system is secure if it is not directly connected to the Internet. But virtually every practice has some Internet connectivity, if only to send its claims to clearinghouses or to request referral authorizations online. “If the staff can access the EHR and also access the Internet, there are risks that need to be mitigated,” Gibson notes.
An EHR with robust security features can block attacks from sites known to originate viruses, and practices can install spam filters to segregate some dangerous emails. In addition, the groups we interviewed all block their employees’ access to some websites.
Security risk assessments address many other areas, including how data is governed, who has access to it, and how those individuals are authenticated.
The governance structure is crucial, because it determines who is in charge of security. At Emerald Physicians, for instance, only Harrington and Stulsky can make changes in the system’s settings.
Both Emerald and Old Hook use role-based access to limit the access of individuals to the system. This is important not only for privacy (Old Hook’s employee records, for example, can be viewed only by management) but to prevent a hacker from viewing or stealing all of the group’s data.
Most groups still use only a log-on and a password for user authentication. Two-factor authentication using biometric devices, tokens, smart cards, and other factors has not caught on widely.
Emerald and Old Hook use security mechanisms such as complex passwords, timeouts, automatic lockouts, and regular password resets.
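What those mechanisms look like as actual settings is shown below, as an added example rather than the configuration of Emerald or Old Hook. The domain name practice.local, the specific thresholds, and the weak starting state are assumptions for illustration; the cmdlets and registry values are the standard Windows ones. It requires the RSAT ActiveDirectory module and domain administrator rights.

```powershell
# Added example, not from the article. Complex passwords, lockouts, rotation
# and idle timeouts as Active Directory and workstation settings. The domain
# name is a placeholder; run with Domain Admin rights and the RSAT module.
Import-Module ActiveDirectory
$Domain = 'practice.local'   # placeholder domain name

# Record the current state first: the assessment documents what is, before
# anything is changed.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  LockoutThreshold, LockoutObservationWindow, LockoutDuration, MaxPasswordAge

# A weak configuration often found in small practices (constructed for
# illustration): MinPasswordLength 6, ComplexityEnabled False,
# LockoutThreshold 0 (never locks out), MaxPasswordAge 0 (never expires).
# The zero lockout threshold is the finding that matters most: it permits
# unlimited online password guessing against every account.

# Corrected policy: 14-character minimum with complexity, 24 passwords
# remembered, lockout after 10 failures in 15 minutes for 15 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -MaxPasswordAge (New-TimeSpan -Days 365)

# Idle timeout on each workstation: lock the screen after 10 minutes so an
# unattended exam-room PC does not stay logged in to the EHR. These are the
# registry values behind the "Screen saver timeout" and "Password protect the
# screen saver" user policies; deploy them by GPO rather than per machine.
$desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $desk -Force | Out-Null
Set-ItemProperty -Path $desk -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desk -Name ScreenSaverIsSecure -Value '1'
Set-ItemProperty -Path $desk -Name ScreenSaveTimeOut   -Value '600'   # seconds

# Verification for the assessment: $true only if every control is in place.
function Test-AccountPolicy {
    param([string]$Identity = $Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Identity
    ($p.MinPasswordLength -ge 14) -and
    [bool]$p.ComplexityEnabled -and
    ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le 10) -and
    ($p.PasswordHistoryCount -ge 24)
}
Test-AccountPolicy
```

One caveat on the “regular password resets” the practices mention: NIST SP 800-63B (2017) advises against forcing periodic rotation unless a compromise is suspected, because it pushes staff toward predictable variants and Post-it notes. The example keeps a one-year maximum age as a middle ground; the lockout threshold and the idle timeout are the controls that actually stop guessing and walk-up access.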
No matter what a practice does to limit access and fend off intruders, its efforts will not be effective if staff members fall for phishing attacks or if hackers obtain their passwords. Encryption is useless, Gibson points out, if somebody leaves a Post-it note containing their password attached to their computer.
It is essential to train physicians and employees in security procedures. Emerald’s security training includes pamphlets and a video, Harrington says. The video, which features PowerPoint slides and a voiceover by an employee, uses examples from the practice. “It’s effective because it’s pertinent and it covers all parts of security,” she says.
Some cyber-attacks are inside jobs, so practices should do background checks on potential employees, Kim advises. All of the groups cited in this article do that. Old Hook even hires private detectives in some cases, Gold says.
From a security standpoint, Kim says, it would be best if a practice did not allow remote access to its network. However, she admits, doctors may need to connect to the office network from home or from other work locations. In that case, they should use secure connections such as virtual private networks (VPNs), she says.
Old Hook not only uses VPNs for remote access, but for connecting personal iPads to the network when physicians use them at work, Gold says. Escondido, California-based Graybill Medical Group, a 70-doctor practice, uses a VPN and a secure portal to protect its system from any malware that may lurk on home computers, notes Troy Stokes, director of IT for SmartCare MD Practice Management, which manages Graybill.
The use of mobile devices, including iPads and smartphones, has become increasingly common in clinical care, and they should be included in a security risk assessment, Kim emphasizes. The assessment should ask whether there’s a “bring your own device” policy in place, and when it was last updated. It should also ask what applications are being used on each device and whether it can access the EHR, Gibson says.
Most practices don’t allow patient data to be stored on mobile devices. But clinicians in some groups have figured out how to download data onto their devices or onto portable media such as thumb drives.
Kim and Gibson stress the importance of placing mobile device management software on all devices. These apps can remotely wipe data if a device is lost or stolen.
Graybill purchases and encrypts laptops for physicians to use at work, Stokes says. If they want to access corporate email on their smartphones (iPads are not supported), they have to sign a document that explains the group’s policy, which includes encryption of Android phones and the use of PINs with iPhones.
HIPAA requires practices to sign business associate agreements with all outside parties with which they share protected health information (PHI). These agreements obligate the business associates to safeguard the PHI. Covered entities do not have to evaluate the security procedures of their business associates, Gibson says. But he recommends that the security practices of business associates be part of the risk assessment.
“The business associate has that responsibility without the covered entity verifying it,” he says. “But it really needs to be part of the security risk assessment to at least ask how they protect the information that’s being shared with them.”
Physical security, a basic part of any risk assessment, includes access to a practice’s servers, workstations and mobile devices. It may be as simple as making sure that an office’s back door and windows are locked. In addition, notes Emerald CIO Roland Stulsky, servers should be in an area that only authorized people can access. Security cameras and alarms may be installed in that area.
The security risk assessment should look at how a practice backs up its data and how it prepares for natural disasters, power outages, and other unforeseen events. Practices should also have a disaster recovery plan that allows them to restore as much of their data as possible.
Among other steps, the practice should evaluate what kind of backup is being done and how often, Gibson notes. The frequency and timing of backups can determine the amount of data loss in case of a natural disaster or ransomware attack. For example, if a practice does its backup every evening, and disaster strikes late the following afternoon, all of the data entered earlier in the day may be lost.
Gibson stresses the importance of encrypting backups. “The backup includes all of the PHI in your environment, and if that’s lost or stolen, that’s worse than a missing or stolen laptop that contains a few records,” he points out.
Graybill backs up its data both onsite and offsite. The onsite backup is refreshed every night, while data is backed up at the disaster recovery site every 15 minutes. As a result, Stokes says, not much data would be lost if the system crashed late in the day and was swiftly restored. To guard against cyber-attacks, the group segments its system so that the malware, if detected early, can’t spread to the EHR or to the backup server.
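The backup questions Gibson raises, and the segmentation Graybill describes, can be checked rather than only asked. The following PowerShell is an added example, not Graybill’s or SmartCare MD’s tooling; the share paths, the schedule and the group names are placeholders, and the two-interval tolerance is a choice, not a standard.

```powershell
# Added example, not from the article. Two checks for the backup section of a
# risk assessment: is the newest backup as recent as the schedule promises,
# and can an ordinary workstation account (and so ransomware running as it)
# write to the backup share? Paths, schedule and group names are placeholders.

$Targets = @(
    @{ Name = 'Onsite nightly';  Path = '\\backup01\ehr\nightly'; ExpectedEvery = (New-TimeSpan -Hours 24) }
    @{ Name = 'Offsite replica'; Path = '\\dr-site\ehr\replica';  ExpectedEvery = (New-TimeSpan -Minutes 15) }
)

function Get-BackupFreshness {
    param([hashtable[]]$Targets, [datetime]$Now = (Get-Date))
    foreach ($t in $Targets) {
        $newest = Get-ChildItem -Path $t.Path -File -Recurse -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        # One missed run is tolerated; two is an alert. The schedule interval is
        # also the worst-case data loss if disaster strikes just before the next run.
        $limit = [timespan]::FromTicks($t.ExpectedEvery.Ticks * 2)
        $age   = if ($newest) { $Now - $newest.LastWriteTime } else { $null }
        [pscustomobject]@{
            Target      = $t.Name
            NewestFile  = if ($newest) { $newest.FullName } else { '(none found)' }
            Age         = $age
            MaxDataLoss = $t.ExpectedEvery
            Status      = if (-not $newest) { 'MISSING' } elseif ($age -gt $limit) { 'STALE' } else { 'OK' }
        }
    }
}

# Segmentation the cheap way: if Everyone, Authenticated Users or Domain Users
# can write to the backup share, a workstation infection can encrypt the backups
# along with the EHR. Only the backup service account should hold write rights.
function Test-BackupShareAcl {
    param([string]$Path, [string[]]$BroadGroups = @('Everyone', 'Authenticated Users', 'Domain Users'))
    $acl = Get-Acl -Path $Path
    $bad = foreach ($ace in $acl.Access) {
        $who      = $ace.IdentityReference.Value          # e.g. "PRACTICE\Domain Users"
        $isBroad  = $BroadGroups | Where-Object { $who -like "*$_" }
        # FileSystemRights stringifies as a flag list; any of these tokens means
        # the principal can create or alter files on the share.
        $canWrite = "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles|AppendData'
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) { $ace }
    }
    [pscustomobject]@{ Path = $Path; WritableByBroadGroup = [bool]$bad; Offending = @($bad) }
}

Get-BackupFreshness -Targets $Targets | Format-Table -AutoSize
$Targets | ForEach-Object { Test-BackupShareAcl -Path $_.Path } | Format-Table -AutoSize
```

Schedule the first function to run nightly and page someone on STALE or MISSING; a backup job that silently stopped months ago is a common finding in exactly the practices the article describes. The second function only inspects the ACL, so run it from a workstation account as well as from the server. Neither check proves the backup is restorable: Gibson’s point about testing encrypted backups still requires an actual restore of a sample onto a test system, with the encryption key, at least once a year.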
Practices must also create a security incident response protocol, Gibson notes. Such a plan would enable IT and practice managers to take a calm, methodical approach to analyzing an incident and estimating its potential impact on the practice and its patients. For example, the plan might specify that the practice’s IT staff should determine whether a lost or stolen laptop has PHI on it, whether the laptop is encrypted, and, based on those answers, whether the incident has to be reported to the U.S. Department of Health and Human Services.
Harrington is glad her practice has an incident response plan. “If you use the [ONC] tool, you have everything ready to roll,” she says. “So if some terrible event happened, and you’d have to go through the process of reporting it, all your letters are prepared. You just need to fill in the blanks.”