What Do InfoSec Auditors Look For?
Risk Mitigation Documentation Stressed Yet Again
To prepare for any type of information security audit - whether by federal or state examiners - it's critical for healthcare organizations to be ready to demonstrate how they are assessing, prioritizing and mitigating risks. That's a lesson yet again reinforced by a recent state audit of Roswell Park Cancer Institute in New York.
A random information security review of the 133-bed state-owned hospital in Buffalo by the New York comptroller's office found that while the hospital had taken key steps to safeguard electronic protected health information, it still needed to make some key improvements, including how it documents risks and mitigation steps.
"It seems obvious that organizations should identify risks and then mitigate them, and document the mitigation. But it appears that some organizations still don't have a good grasp of information security practices," says Kate Borten, founder of security and privacy consulting firm The Marblehead Group. "In fact, it can be argued that performing a risk assessment and then doing nothing about those risks could be worse - perhaps falling into the willful negligence category of civil penalties - than not doing a risk assessment at all.
"Remember that a risk assessment is a first step. If a risk is significant, develop an action plan to correct or mitigate it, and thoroughly document the project and results."
In addition to states' auditing programs, the Department of Health and Human Services' Office for Civil Rights expects to roll out in the coming months the next phase of its HIPAA compliance audits. Meanwhile, HHS' Centers for Medicare and Medicaid Services is conducting audits related to the HITECH Act meaningful use program for electronic health records.
Roswell Park Audit
A July 6 report issued by the New York state comptroller's office indicates that Roswell Park Cancer Institute was audited to determine whether it was "properly safeguarding its ePHI and whether it has protection policies in place and a plan to make mandatory notifications when ePHI is lost or stolen."
More than 4,000 individuals have access to the hospital's electronic health record system, which was put into place in 2006 to replace paper patient records, the report notes.
The cancer center has established "a highly developed information security program to protect the ePHI it creates, receives, maintains, or transmits," the report says. However, an area where the cancer center faltered was related to documenting risk priorities and mitigation.
The report's main recommendations to Roswell Park include:
- Taking steps to resolve risk items that have remained open over multiple annual internal risk assessments;
- Implementing reporting mechanisms to support risk mitigation priorities, including decisions to defer or not address specific risks;
- Continuing efforts to strengthen physical and technical security over the systems that receive, store, process, transmit, and maintain ePHI;
- Implementing the recommendations detailed during the audit for strengthening technical safeguards over ePHI.
State auditors found that the institute's internal December 2014 HIPAA security risk assessment contained a number of risk items, including some considered high risk, that have remained open for more than one year. However, the report notes that the institute responded that it had addressed several of those risks but had not documented its efforts. The institute says it is working to fix other identified risks.
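The two documentation gaps the auditors describe (risk items still open across several annual assessments, and risks that were addressed or deferred with nothing on record) can be caught mechanically from a risk register. The following check is an added example, not from the report or the institute; the register format, item ids, years and evidence references are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    item_id: str
    severity: str        # "high", "medium" or "low"
    status: str          # "open", "mitigated", "deferred" or "accepted"
    evidence: str = ""   # reference to the record backing the status; "" if none


# Constructed sample: one register as captured by three annual assessments
# (hypothetical item ids and years, not Roswell Park's data).
ASSESSMENTS = {
    2013: [RiskItem("R1", "high", "open"), RiskItem("R2", "medium", "open")],
    2014: [RiskItem("R1", "high", "open"), RiskItem("R2", "medium", "open"),
           RiskItem("R3", "high", "open")],
    2015: [RiskItem("R1", "high", "open"),
           RiskItem("R2", "medium", "mitigated"),              # fixed, nothing documented
           RiskItem("R3", "high", "deferred", "CAB-2015-07"),  # deferral decision on record
           RiskItem("R4", "low", "open")],                     # new this year
}


def years_open(assessments, item_id):
    """Years in which the item appeared in the register with status 'open'."""
    return sorted(year for year, items in assessments.items()
                  for item in items
                  if item.item_id == item_id and item.status == "open")


def audit_register(assessments, max_open_years=1):
    """Return {item_id: [finding, ...]} for the most recent assessment."""
    latest = max(assessments)
    findings = {}
    for item in assessments[latest]:
        notes = []
        if item.status == "open":
            opened = years_open(assessments, item.item_id)
            if len(opened) > max_open_years:   # carried over from earlier assessments
                notes.append(f"{item.severity} risk open across {len(opened)} annual "
                             f"assessments ({opened[0]}-{opened[-1]})")
        elif not item.evidence:                # closed or deferred with no record behind it
            notes.append(f"marked {item.status} but no documentation referenced")
        if notes:
            findings[item.item_id] = notes
    return findings


if __name__ == "__main__":
    for item_id, notes in audit_register(ASSESSMENTS).items():
        print(item_id, "-", "; ".join(notes))
```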
Roswell Park Cancer Institute did not immediately respond to ISMG's request for comment on the audit report. However, in its response to the audit included in the report, the cancer hospital noted that it was implementing all the auditors' recommendations.
Documentation Is Key
Other healthcare entities that have undergone various government audits also stress the importance of providing documentation related to the thoroughness of security risk assessments.
"You can't skimp on the risk assessment. That's the first and foremost item that they look for," says Mitch Parker, CISO of Temple University Health System in Philadelphia, which recently had one of its four hospitals audited for HITECH Act "meaningful use" compliance. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours." Since Temple's recent audit, Parker has expanded the organization's risk assessments to include 423 questions, and it's now making them universal throughout the healthcare system, the CISO says.
Federal regulators have also been emphasizing the importance of thorough and timely security risk assessments, and especially documenting findings and mitigation of risks identified in the risk analysis.
"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," said Jocelyn Samuels, director of the Department of Health and Human Services' Office for Civil Rights, earlier this year. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."
Besides worrying about various federal security-related audits, certain healthcare entities need to have their risk assessments and other details of their security programs buttoned down in case they are audited by state examiners, as demonstrated by the review of Roswell Park by New York's state comptroller.
John Buyce, audit director in the New York state comptroller's office, explains to Information Security Media Group that various state agencies and state-operated facilities in New York are periodically chosen for random information security audits by state IT auditors.
While there is no formal New York state program to audit all state-operated healthcare facilities, the next healthcare entities to be audited could potentially be other academic medical centers that are part of the state university system, he says. Roswell Park is affiliated with the State University of New York at Buffalo.
In examining the information security programs of state healthcare entities, "we take HIPAA into consideration, but also other federal standards and best practices," he says.
For instance, when examining any state entity or agency's information security, "we look at protections that are in place, such as whether patches were applied; access controls; what sort of password practices are followed; who has access to systems," he says. Also examined are equipment such as routers, and whether ports are left open, he says.