With the advent of the Meaningful Use program, including the current Stage 2 requirements, healthcare organizations across the country have instituted the annual risk analysis, or risk assessment. When Eagle Consulting Partners conducts a risk analysis, we always seek to build upon work that has already been completed. This involves reviewing one or more risk analyses previously completed, often by other vendors or by internal personnel. After reviewing a wide variety of these documents, many produced by major vendors, we have identified a range of flaws and other shortcomings. These include:

  • Failure to quantify the impact of security failures. Very often the risk analysis poorly quantifies the impact of security failures. One of the principal objectives of computer security is the confidentiality of data. The worst-case failure would be the compromise of an entire major system, such as an electronic record or billing system. Decision makers such as CIOs, CFOs, CEOs and board trustees need to understand the financial impact of such a failure in order to properly allocate scarce funds. The risk analysis should answer questions such as: what would the possible consequences be if we don’t invest $10,000 in an intrusion detection system? The risk analysis should quantify the impact of a worst-case data breach in terms of both out-of-pocket dollars and intangible costs, such as reputation damage.
  • Failure to address the full scope of HIPAA Security. Often, particularly with technology companies that perform risk analyses, we see a heavy emphasis on confidentiality. The risk analysis identifies technical vulnerabilities that would allow penetration into the network and prioritizes steps for corrective action. Yet these analyses fail to look at the other two principal objectives of computer security: information system availability and data integrity. So, for example, the risk analysis will completely omit any investigation of controls that ensure system availability, such as data recovery capability and contingency planning.
  • Myopic focus on internal systems. With the growing popularity of cloud applications, organizations are increasingly outsourcing all or portions of their operations. Take, for example, an outpatient medical organization that relies on a cloud-based electronic record/practice management system. A risk analysis should explore both the confidentiality risks arising from vendor failure and the downtime risks, examine the existing controls, and recommend mitigations such as stronger contractual protections, vendor audits and insurance.
  • Focus on compliance vs. security. Many “risk analyses” are really HIPAA compliance studies. These studies use as their outline the approximately 42 HIPAA Security Implementation Specifications and explore the organization’s compliance with these requirements. The problem with this approach is that some of the most important controls for security are not explicit HIPAA requirements. For example, the word “firewall” never appears in the HIPAA regulations, and consequently these studies fail to appropriately explore even the most basic security controls. For more information on the difference between compliance and security, see our posts Compliance is Not Security and Top 20 Security Controls Updated.

The takeaway here is that conducting a useful and comprehensive risk analysis is not an easy job. If it were easy, we wouldn’t see all of these mistakes. When selecting a vendor, ask about the process that they use, the skill and experience of the personnel who will conduct the study, the format of deliverables and reports that they provide, and of course, check references.

Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
