A few weeks ago, as part of an interview launching The Atrómitos Way Podcast, my colleague, Liz Church, asked an excellent question: What is the most important piece of advice I would give an organization regarding cybersecurity risk management? My first response was simple (perhaps too simple): Just do it. Yes, your organization needs a cybersecurity risk management plan that ensures that you have the mechanisms, processes, and controls necessary to ensure you are (1) compliant with regulatory and contractual requirements and (2) protecting your organization from reasonably foreseeable risk of loss and mitigating the impact of any loss. Yes, that plan needs to be routinely revisited and updated to ensure the adequacy of those controls and their alignment with a rapidly evolving universe of cyber threats and system vulnerabilities. Yes, you need to contemplate the “worst case” scenarios (your information system is captured in a ransomware attack and wholly inaccessible while sensitive, protected information is exfiltrated) and to develop plans not only to protect against the threat but also to ensure continued operations of essential functions. So, yes, Just do it, because one of the most common mistakes made by organizational leaders is to defer or delay conducting a full accounting of their information security operations, assets, and risks.
The instinct to defer or delay is understandable: cybersecurity can be a daunting prospect, a subject area that is outside of a leader’s personal area of expertise or agency (or immediate budget priorities). Also, not many people enjoy looking under rocks for creepy crawlies. But it is (really) important. And because it is important, I want to make it easier for you to tackle. I think that can be accomplished by starting at the beginning and breaking down exactly what a Security Risk Assessment is, why it is important, and the steps associated with completing the assessment. After walking through this overview of the Security Risk Assessment and its processes, we will introduce an important resource for HIPAA Security Rule compliance – which can guide and inform your assessment process – the Security Resource tool created by the Office of Civil Rights.
Starting with Why
I will give you three quick, good reasons for why it is important that any organization (but particularly healthcare providers and their business associates) should conduct regular, comprehensive security risk assessments and integrate and implement mitigation plans.
First, if you are a healthcare provider (or other covered entity under HIPAA) or a Business Associate, HIPAA’s security rule requires an annual security risk assessment. Failure to conduct a comprehensive organizational risk assessment that inventories assets, vulnerabilities, and threats and provides a realistic plan to mitigate identified risks is also often a determining factor for the Office of Civil Rights (the agency charged with enforcement of HIPAA), in determining whether to pursue punitive action (as opposed to technical assistance) or is cited as an aggravating factor to justify the increased fines or conditions in an enforcement action. A comprehensive security risk analysis, including evaluating the adequacy (and regularity) of the risk assessment process, is one of the foundational components of HIPAA compliance.
Second, cybersecurity management and contingency planning is an operational necessity. Our world is digital, and any organization’s reputation and continued operations depend upon the integrity, availability, and confidentiality of its own data and the data under its control and stewardship.
Finally, the risks presented by cyberattacks, data breaches, and ransomware are real and growing – and evolving fast. Healthcare organizations remain a prime target, with an estimated rate of attack of 60% in 2023, nearly double the rate reported in 2021 (34%). Attacks are increasing in frequency, sophistication, and impact. Our individual (and collective) defense maturity and operational resiliency must also evolve at pace.
Understanding the Process of the Security Risk Assessment
So, having underscored the whys and wherefores of the necessity of a security risk assessment – we turn to the process of the Security Risk Assessment (and the real heart of this article). This can be summarized as “what happens when, by whom, and what is the output.” The Security Risk Assessment Process (like any risk management process) essentially boils down to five procedural steps, listed below.
1. | Define the Scope of the Assessment | This means clearly defining the purpose of the assessment (to identify and mitigate risks to the confidentiality, integrity, and availability of all e-PHI) and the scope of what will be evaluated. As part of HIPAA’s Security Rule – that means all systems, platforms, facilities, and formats where e-PHI is stored, accessed, or transmitted. |
2. | Collect Data | The primary data source for your risk assessment is going to be an Asset Inventory. This identifies all IT resources utilized by an organization, including all hardware, software, and devices with sensors, processing ability, or other ability to connect and exchange data with other devices over the internet and other communication networks. It would be hard to overstate the importance of a comprehensive Asset Inventory (and that includes the management process that ensures that an organization’s Asset inventory is up-to-date, complete, and accurate). Other essential data sources include: a. An overview of the organization’s controls (the processes, tactics, and safeguards designed to prevent, detect, or mitigate a security risk). b. Identification of vulnerabilities (flaws or weaknesses in an asset’s design, use or management that could be exploited to create a risk of loss) and threats (events, conditions, or actors that could exploit a vulnerability and create the potential for loss) |
3. | Assess Data | Asses Data in order to a. Identify, validate, or update reasonably foreseeable vulnerabilities and threats b. Evaluate the adequacy of existing controls to protect against the risk of loss based on the identified vulnerabilities and threats. c. Determine the risk presented to the organization based on the identified vulnerabilities and threats. “Risk” is (a little) subjective but is best understood as calculating the likelihood and severity of a potential loss to an organization. d. Determine the level of risk for each threat and vulnerability combination and prioritize areas of risk for mitigation. |
4. | Develop a Comprehensive Risk Mitigation Plan | In addition to detailing the strategies, controls, and safeguards that the organization will use to prevent, deter, detect, and mitigate the risk of loss, the Risk Mitigation Plan should also comprehensively document the process, conclusions, and actions taken during the risk assessment process. |
5. | Implement the Plan | Do the things. Document the doing of the things. Regularly follow up to ensure implementation remains on track and to evaluate impact and effectiveness. Iterate. |
The next question is who should be involved in completing the Security Risk Assessment. This process is usually led by a single individual, for covered entities and their business associates, this is the Security Officer (a required position under HIPAA), which, for ease of reference. But that individual will probably need the assistance of various other team members in order to collect the necessary information to complete the analysis and to develop actionable and appropriate mitigation plans. In addition to organizational leadership, this may include compliance team members, Human Resources, Vendors, and other subject matter experts. Human error (weak or compromised passwords, responding to phishing campaigns) remains the predominant cause of most cyberattacks – so it is important that cybersecurity awareness and training are integrated across the organization. Conversely, the perspective of team members from other areas of operations can provide important insight into the operational feasibility of proposed interventions (or what kind of support and messaging is necessary in order to ensure effective adoption and adherence).
Getting Down to Details: The OCR Security Risk Assessment
So that is the overall process of a security risk assessment, but the devil is always in the details. It is easy enough to say, “Identify and assess security vulnerabilities, threats, and risks” – it is another thing to do.
The Office of Civil Rights (OCR), the agency responsible for enforcing HIPAA, recognizes the challenge presented to small to medium-sized organizations that lack the resources of larger enterprises. To that end, several years ago, OCR and the Office of the National Coordinator for Health Information Technology (ONC) created an interactive Security Risk Assessment Tool specifically tailored to HIPAA compliance for these organizations. The Tool is available free of charge and can be completed online or downloaded to an Excel spreadsheet. The Tool is also entirely self-contained, meaning even if it is “completed online,” the data entered is only stored on the user’s computer and is never sent to OCR or any other entity. OCR and ONC have created multiple user guides and training resources on the Tool and its software. The Tool itself is broken into seven domains, evaluating an organization’s:
- Security Risk Assessment and management processes (e.g., how regularly the assessment is conducted and by whom; how regularly it is updated and how it is documented and communicated)
- Policies, Procedures, and Other Documentation
- Workforce Management (concerning ePHI access and workforce training)
- Data Management and Technical Security Procedures
- Physical Security Procedures
- Vendors (BAA and Vendor Access) and
- Contingency Planning (e.g., Backups and Data Recovery Plans)
Earlier this year, OCR and ONC released an updated SRA Tool. In updating the tool, the agencies focused on usability and remediation. Improving the accessibility and intuitiveness of the SRA Tool has been a focus for some time now – but the steps taken to encourage organizations to plan and track remediation within the tool reflects the expectation (and, frankly, operational necessity) that a Security Risk Assessment and its resulting Plan, be a “living document” – and one that is revisited routinely as part of standard operations.
The Updated Tool includes:
- The ability to generate and manage a remediation report. With this functionality, users are able to track responses to vulnerabilities within the tool and to log remediation.
- Integration of 2023 Health Industry Cybersecurity Practices (HICP), an annually updated publication by the Department of Health and Human Services outlining the top threats facing the sector and the recommended practices to mitigate those risks. Integration of the HCIP helps to disseminate best practices across the industry and facilitates users’ reference of those practices in remediation actions.
- Addition of a Tooltips section, improving usability and ability to navigate the site.
What this Means
In an ever-evolving cybersecurity landscape, conducting Security Risk Assessments is not just a regulatory or contractual obligation. It’s imperative to strategically safeguard your organization’s data and ensure operational continuity. The availability and security of your organization’s data is a “business critical” function – and an ounce of prevention (consistently applied and reinforced) can be worth many pounds of cure. This is particularly critical for HIPAA compliance for healthcare providers and their business associates (and the latter is a rapidly expanding community), as OCR increasingly focuses on enforcement of cybersecurity, the Security Rule, and fostering effective information security practices.
My hope is that this brief run-through of the Security Risk Assessment process helps to make the process a little less daunting or feel like a black box of unknowables. There are a lot of resources available to help even the smallest of organizations to better understand and manage their cybersecurity risk profile and information security practices.
So really, Just Do it.