The HITECH Act, in particular the meaningful use incentive program for physicians and hospitals, has placed the computer security risk analysis in the spotlight. Meaningful use requires a risk analysis, also called a risk assessment, as required by the HIPAA Security Rule in 45 CFR 164.308(a)(1). Multiple methodologies are published, and the federal government has provided a spreadsheet template for gathering information and presenting the risk analysis. The problem is – how do you fill it out? All of these methodologies require that you estimate the probability, or likelihood, of different bad events. What is the probability of a hacking attack, a lost laptop, or a hard disk crash? Without accurate information, the risk analysis is worthless.

On the other hand, a “thorough and accurate” risk analysis delivers value to organizations because it helps them spend their limited IT security budget wisely. Eagle Consulting uses the following information sources and analyses to quantify probabilities:

Healthcare-specific research. Some of the best information comes from healthcare-specific surveys. Available research includes surveys of privacy officers at mid-sized to large healthcare organizations that reveal the frequency of detected incidents, government databases detailing the specifics of reported breaches, and publications of privacy advocacy organizations that collect news reports of privacy breaches.

Presence or absence of best practices. Numerous best practices exist for network design, technical safeguards, backup and recovery, physical security, employee training, and a wide variety of other measures. The presence or absence of these best practices directly affects the probability of problems occurring.

Computing and Support Model. Different computing and support models involve different risk profiles. For example, cloud computing vs. in-house systems, in-house IT vs. outsourced IT, mobile devices vs. desktop computers, and virtualized vs. non-virtualized infrastructure all bring different risk and benefit profiles.

Organization Size and Workflow. Large and small organizations have different risk profiles. Large organizations are a more visible target but have more security sophistication; small organizations are the reverse, with low visibility but little sophistication. Small medical practices, for example, are at greater risk of disasters such as total loss of data due to a faulty backup because they are less likely to be vigilant with this essential safeguard.

Industry relationships. Medical software authors and resellers with large customer bases share with Eagle statistical information regarding their service activities that reveals the percentages of healthcare providers who experience data loss from software malfunction, faulty or incomplete backups, technician errors, and hardware failure.

Computer Security Industry Research. Major computer security vendors use their vast customer bases to gather statistical information and regularly publish research reports. These reports cover the volume of threat activity (phishing attacks, spam, malicious software, penetration attempts), the prevalence of vulnerabilities (unpatched software, open ports, misconfigured software), and analyses of specific hacking methodologies.

Crime reports. The FBI, police departments in large municipalities, and other government sources compile and publish cybercrime statistics, including the prevalence of online fraud, identity theft, online bank theft, computer theft, extortion, and other cybercrimes.

Insurance industry sources. Several insurers offer cyber-threat coverage to healthcare organizations, and their underwriting departments are tasked with determining risk. Through relationships with agents, Eagle has learned the typical insurance rates for healthcare organizations. These rates are a direct function of the insurer's best estimate of the probability of loss, plus a profit margin. So, these rates are helpful in setting an upper bound on the probability.

Subjective Assessment. Subjective analysis is used to determine the likelihood that an outside actor will find value in an organization’s information. Factors such as the specialty of the organization (e.g. plastic surgery vs. family medicine), the public visibility of the entity, and the clientele of the organization all affect risk. The higher the value of the information to an outsider, the higher the risk.

Eagle Consulting uses all of this information, holistically, to determine the probabilities of the many possible negative outcomes. There is no simple formula available. Accurate and relevant information helps management make decisions. Hospital IT staff and medical practice administrators can fill in the blanks in a risk analysis template, but this exercise often produces a document of zero value, in that it provides no guidance or help to management. Consequently, a “thorough and accurate” risk analysis, one which delivers value, is usually a task best contracted to a specialist.
