Why a HIPAA Security Analysis Is Not EnoughCISO David Loewy Offers Tips for Conducting Comprehensive Security Self-Assessments
Although HIPAA requires healthcare organizations to conduct a periodic security risk analysis focused on systems containing protected health information, larger entities should also perform much more comprehensive security self-assessments, advises CISO David Loewy.
"If you combine the two, you can kill two birds with one stone, and the outcome is certainly usable for the entire continuum," says Loewy, who oversees security at the State University of New York Downstate Medical Center in Brooklyn.
An internal security self-assessment looks beyond PHI to encompass other types of data, he says in an interview with Information Security Media Group. "Here at SUNY Downstate [Medical Center] we have an educational arm and a research arm ... which don't necessarily touch PHI. Nevertheless, if there are breaches, in terms of folks breaking into our systems, it could be relatively devastating to our operation. Which is why [with] security we have to look at the entire gamut. PHI is just a subset of a security self-assessment."
Those involved in conducting a comprehensive security self-assessment should include staff members with audit experience as well as those with expertise in technology, security and controls, he suggests.
Security risk analysis models, including those from the Centers for Medicare and Medicaid Services and the National Institutes for Standards and Technology, are useful because they "provide the basic guidelines and parameters for these assessments," he notes.
"You don't have to reinvent the wheel, but you have to be able to ask the correct questions and understand the answers - and when you ask for specific proof, understand ... if the proof [offered] suffices."
It Takes a Village
Loewy says that when the New York healthcare organization conducts security self-assessments, "it's very important that our entire community understands that we are coming out, and we are going to be conducting an assessment - but we are not the bad guys," he says.
"We're working with the folks that we are assessing to fix any abnormalities, anomalies - any gaps we have, so that when CMS or other [external regulatory] auditors come in to do a formal assessment, we know the gaps, we have them fixed ... and the [external] assessors will hopefully find much fewer gaps and anomalies within our systems."
In this interview (see audio link below photo), Loewy also discusses:
- The reasons why so many healthcare organizations have such a difficult time conducting a security risk analysis;
- SUNY Downtown Medical Centers' top security priorities for 2017;
- His experience working on developing the HIPAA regulations.
Loewy is information security officer at SUNY Downstate Medical Center, an academic medical center for health education, research and patient care serving Brooklyn. Previously, he was president of Healthcare Informatica Corp., a consulting firm.