
What 500 Security Risk Assessments Reveal About the State of Security in Healthcare

By Special Guest
Carl Kunkleman, SVP and Co-Founder, ClearDATA
August 01, 2018

Healthcare technology leaders everywhere cringed when they heard about the data breach at Community Health Systems (CHS) in August 2014 that affected 4.5 million patients and is expected to cost the system an estimated $100 million. The situation hit closer to home than the widely publicized December 2013 Target Corp. incident that compromised 40 million credit and debit cards and the personal information of nearly 70 million customers. While data breaches are indeed crippling to businesses, they are extra hard on healthcare organizations when considering the vast amount of sensitive information consumers trust them with. Penalties can include millions of dollars in fines, loss of patients, credit monitoring, lost productivity, civil and criminal investigations, and damage to institutional and professional reputations.

The key to avoiding an incident like Target’s or CHS’s is to regularly conduct security risk assessments (or SRAs) which are designed to help protect against data breaches or loss of information. By conducting thorough assessments, healthcare providers and business associates can uncover potential weaknesses in their security policies, processes, and systems, and then remedy them before adverse security events can occur. As healthcare organizations race to digitize more and more of the healthcare ecosystem and even introduce new technologies like IoT, machine learning and advanced analytics to yield greater efficiencies and process improvements, SRAs are even more critical to healthcare innovation than ever. 

Each year at ClearDATA, we take stock of several years’ worth of SRAs with our team of security analysts to identify the most commonly occurring gaps. The process inevitably reminds me of that great early ’70s anthem, “We Won’t Get Fooled Again.” Too often we see IT departments at hospitals and healthcare technology companies believe they have the correct policies and procedures in place to assure data security compliance, when, as it turns out, they actually don’t.

The most common—and dangerous—misconceptions we find every year include healthcare organizations believing their Protected Health Information (PHI) is safe because they have password-protected their computers and handheld devices. White hat penetration testing has proven that passwords are relatively easy to defeat, and we discover time and time again that organizations have not performed reliable PHI checks of where all of their inventory resides. You cannot protect your information if you do not know where it lives, let alone all the different kinds of devices that have access to the data.

SRAs: An Expanding Mandate for Healthcare Innovation
These existential threats to PHI are well-known to regulators, which is why SRAs have been a longtime HIPAA mandate. But now they are also a mandate to participate in the Merit-based Incentive Payment System (MIPS). Specifically, SRAs are one of the core requirements within the Advancing Care Information performance category in MIPS. Moreover, many commercial and private partnership agreements now include security clauses that mandate regular SRAs.

If this isn’t reason enough to conduct one at your own organization, here are a few more vulnerabilities we routinely uncover in the SRA process:

  • Poor or no staff HIPAA training (staff doesn’t know what they don’t know).
  • Failure to know or follow the four-factor and three-exception methodology when there is a loss of PHI.
  • Lack of an incident response checklist in the event of a PHI data loss.
  • Lack of business associate agreements (BAAs) to protect the covered entity.
  • No regular patch management.
  • Legacy systems that are beyond end-of-life; we still see Microsoft Windows XP, which hasn’t been supported for years.
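The inventory, patch-management and end-of-life gaps above are the kind of thing an SRA checks mechanically once an organization actually knows where its devices are. The script below is an added example, not code from the article or from ClearDATA: it runs a constructed device inventory against three of the listed gaps (end-of-life operating system, stale or missing patching, and a PHI-handling device with no recorded owner or location). The end-of-support dates are public vendor facts, but the 30-day patch threshold, the device records and the hostnames are assumptions made up for the demonstration.

```python
"""Minimal SRA-style inventory check (added example, not the article's code).

Flags, per device: an end-of-life OS, stale or absent patching, and PHI access
without a recorded location/owner. All device data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Vendor end-of-support dates (public facts; verify against your vendor notices).
EOL_OS = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumed policy threshold for this example; set it from your own patch policy.
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    hostname: str
    os_name: str
    last_patched: Optional[date]   # None means no patch record exists at all
    handles_phi: bool
    location: Optional[str]
    owner: Optional[str]


def assess_device(dev: Device, as_of: date) -> list[str]:
    """Return the list of SRA findings for one device (empty list if clean)."""
    findings: list[str] = []

    eol = EOL_OS.get(dev.os_name)
    if eol is not None and as_of >= eol:
        findings.append(f"end-of-life OS: {dev.os_name} (support ended {eol.isoformat()})")

    if dev.last_patched is None:
        findings.append("no patch record")
    else:
        age = (as_of - dev.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"patching stale: {age} days since last patch")

    # You cannot protect PHI you cannot locate: a PHI device must have both fields.
    if dev.handles_phi and (not dev.location or not dev.owner):
        findings.append("PHI device without recorded location/owner")

    return findings


def assess_inventory(devices: list[Device], as_of: date) -> dict[str, list[str]]:
    """Map hostname -> findings, keeping only devices that have at least one."""
    report: dict[str, list[str]] = {}
    for dev in devices:
        findings = assess_device(dev, as_of)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed sample inventory, assessed as of the article's publication month.
AS_OF = date(2018, 8, 1)
SAMPLE_INVENTORY = [
    Device("lab-pc-01", "Windows XP", date(2016, 3, 2), True, "Lab B", "J. Doe"),
    Device("ehr-app-02", "Windows Server 2016", date(2018, 7, 20), True, "DC-1 rack 4", "Infra team"),
    Device("tablet-17", "iOS 11", None, True, None, None),
    Device("kiosk-03", "Windows 10", date(2018, 5, 1), False, "Lobby", "Facilities"),
]


if __name__ == "__main__":
    for host, findings in assess_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(host)
        for f in findings:
            print(f"  - {f}")
```

Run as-is it reports three of the four constructed devices; the patched, fully inventoried server produces no findings. In a real assessment the `Device` records would come from the organization's asset register, and the point of the exercise is precisely the devices that are missing from it.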

If it’s been a while since your last SRA—or maybe you’ve never conducted one you truly felt confident in—why wait until your organization faces a devastating breach before you perform this mandated security exercise? There is no need to try to do it yourself; in fact, that’s usually one of the biggest drivers of procrastination. Instead, look for a professional who can perform one for you, preferably one who can be a one-stop shop for various managed security services (including for Amazon Web Services, Google Cloud, Microsoft Azure, etc.).

Whether you go DIY or turn to a pro, just get a thorough and professional SRA done. It’s an essential step to protecting your patient data on your path to healthcare innovation.

About the author: Carl Kunkleman, SVP and Co-Founder, ClearDATA, has nearly three decades of consulting experience in pharmaceuticals, diagnostic equipment, medical software and healthcare professional services. Prior to co-founding ClearDATA, Carl launched U.S. Healthcare Compliance, a best-in-class HIPAA security and privacy services company. ClearDATA acquired his company in 2011.

Edited by Ken Briodagh
