When it comes to keeping healthcare information private and secure, hospitals that focus primarily on regulatory compliance are making a huge mistake, says Sharon Finney, corporate data security officer for the 37-hospital Adventist Health System.
"A risk management approach allows hospitals to highly focus the resources they have available to the most critical areas," she stresses. "If you look at security purely from a compliance-based approach, you may be missing a huge area of technical or administrative risk within your environment."
In carrying out Adventist's risk-based approach, Finney has learned several lessons, including:
She urges hospitals scrambling to comply with the HITECH Act's security provisions or to qualify for federal electronic health records incentives to keep the big picture of risk assessment in mind, rather than homing in solely on compliance.
Finney, who joined Winter Park, Fla.-based Adventist two years ago, is shifting from annual to biennial in-depth risk assessments. That way, each hospital can complete administrative and technical risk assessments, conduct vulnerability scans and set goals one year and then carefully measure progress toward those goals the next year.
"The process of getting policy changes and technologies rolled out is time-consuming and must be done in a very methodical manner," Finney says. "So doing a full-blown risk assessment annually was just not providing maximum value for us."
In assessing risk, it's important to conduct studies for every business unit, based on its specific functions, she says. "What is a risk at a physician office may not be a risk at a data center," she points out.
The risk-based approach "is based on how they actually use the data, how they function as a business unit, and what their workflows are," she adds. That yields a much more effective strategy than if the focus was on an "arbitrary standard applied to all" and focused more on regulatory compliance, she contends.
Finney offers the example of compliance with the HITECH Act's breach notification rule, which requires hospitals and physicians to notify affected individuals and federal regulators when unsecured protected health information is breached. Data encrypted in line with federal guidance does not count as unsecured, so the loss of a properly encrypted device is not a reportable breach. By conducting a risk assessment, which led to, for example, encrypting data on laptops, "that helped us to be well-positioned to prohibit us from having to notify regulators of a breach," she says.
In addition, Adventist conducts audits to make sure its encryption policies are actually carried out.
Adventist also has implemented a formalized process for assessing any breach that may occur from both a technology as well as an administrative perspective to help determine steps to take to avoid similar incidents.
Adventist hired Cynergistek, Austin, Texas, to help conduct some targeted risk assessments for certain units, augmenting Finney's staff. Cynergistek also helped Adventist implement data loss prevention technology.
Based on its risk assessments, Adventist is making broad use of DLP from Code Green Networks, Sunnyvale, Calif., to help keep its e-mail secure. The DLP software inspects network traffic for e-mails being transmitted outside the organization and determines whether they contain sensitive patient health information.
For example, if an e-mail containing patient information reaches the network perimeter, the DLP system automatically sends it to a secure e-mail system instead, notifying the recipient that they have a secure message waiting at a portal.
The DLP system also can identify viruses and stop outgoing traffic until the issue is resolved.
In addition to relying on DLP to trigger secure e-mail automatically, Adventist staff members can initiate a secure, encrypted e-mail themselves by clicking a "mark secure" button within Microsoft Outlook.
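The two routing paths above (automatic detection at the perimeter, and a user-initiated "mark secure" flag) come down to one decision per outbound message. The following Python is an added illustration of that decision, not the Code Green product or Adventist's configuration: the internal domain `hospital.example`, the `X-Mark-Secure` header standing in for the Outlook button, the PHI patterns, and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed internal domain; any other recipient domain is "outside the organization".
INTERNAL_DOMAIN = "hospital.example"

# Illustrative PHI indicators. Real DLP rule sets are far richer (dictionaries,
# fingerprints, proximity rules); these regexes only show the shape of the check.
INDICATORS = (
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)),
    ("dob", re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE)),
    ("diagnosis", re.compile(r"\b(?:diagnosis|dx|icd-?10)[:\s]", re.IGNORECASE)),
)


def phi_indicators(text: str) -> list[str]:
    """Names of the indicator patterns that match anywhere in text."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def is_external(addr: str) -> bool:
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain != INTERNAL_DOMAIN


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts (handles single-part and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def route(raw_message: str) -> tuple[str, list[str]]:
    """Decide how a message leaving the mail gateway is handled.

    Returns (action, reasons) where action is "deliver" (send as-is) or
    "secure_portal" (hold the body, send the recipient a portal notification).
    """
    msg = message_from_string(raw_message)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]

    # Mail that never crosses the perimeter is not the DLP system's concern here.
    if not any(is_external(a) for a in recipients):
        return "deliver", []

    hits = phi_indicators(msg.get("Subject", "") + "\n" + body_text(msg))

    # Assumed header set by the sender's "mark secure" action: always honoured.
    if msg.get("X-Mark-Secure", "").strip().lower() == "yes":
        return "secure_portal", hits or ["user_marked"]

    return ("secure_portal", hits) if hits else ("deliver", [])


# Constructed sample messages (no real patient data).
SAMPLE_PHI = """From: nurse@hospital.example
To: Referral Desk <referral@otherclinic.example>
Subject: Referral

Patient John Doe, MRN 00123456, DOB 04/12/1961. Diagnosis: see attached notes.
"""

SAMPLE_INTERNAL = """From: nurse@hospital.example
To: billing@hospital.example
Subject: Account question

Please check MRN 00123456 against last week's statement.
"""

SAMPLE_CLEAN = """From: nurse@hospital.example
To: friend@mail.example
Subject: Friday

Lunch at noon?
"""

SAMPLE_MARKED = """From: cfo@hospital.example
To: partner@vendor.example
Subject: Contract
X-Mark-Secure: yes

Signed contract attached.
"""

if __name__ == "__main__":
    for label, raw in [("phi", SAMPLE_PHI), ("internal", SAMPLE_INTERNAL),
                       ("clean", SAMPLE_CLEAN), ("marked", SAMPLE_MARKED)]:
        print(label, route(raw))
```

The internal-mail short-circuit mirrors the article's description of inspection at the perimeter; a gateway that scanned every internal message would need a different policy and far more capacity. Note also that the user flag overrides the detector's verdict, so a false negative on the content scan does not downgrade a message the sender deliberately protected.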
The organization encrypts data on all mobile devices, such as laptops, that store patient information, as well as thumb drives. It also encrypts data on certain PCs that store substantial quantities of patient information. "We will be reviewing whether to encrypt all workstations," Finney says.