The healthcare industry has become one of the most targeted industries for data breaches and other cybersecurity-related incidents. Healthcare information is among the most valuable items on the black market. Even with government healthcare regulations, the industry is constantly playing catch-up to deal with new IT and cybersecurity risks advancing quicker than remediation and prevention can occur. Being aware of the risks is the first step in prompting organizations to take action as soon as possible.
During 2015, an annual evaluation of risk assessments conducted by CHAN Healthcare, a subsidiary of Crowe, uncovered close to 1,000 IT risks across 20 health systems in 36 states. Based on two primary factors in determining healthcare organizations’ risk profiles – strategic and business impact and business environment complexity – the following top IT risk areas have been identified. The majority of these should be on every healthcare organization’s radar, and they are unlikely to disappear anytime soon.
One of the most common concerns in healthcare today, cybersecurity is a broad topic that executive leadership, boards, and audit committees are asking about proactively. They want to know how data is being protected and whether systems are secure enough to withstand unauthorized attempts at retrieving electronic protected health information (ePHI) and other sensitive data. Cybersecurity encompasses most of the risks listed here, but it also stands alone given the increase in incidents within the healthcare industry. Effective cybersecurity can be achieved using multiple layers of controls to prevent or limit computer system security risks. These include but are not limited to user authentication and access controls, data loss prevention programs, network security controls, incident response capabilities, and data encryption.
2. Forensics Incident Management
All healthcare organizations need to have proper planning, technology, and resources available to monitor and manage security incidents that may occur. Data breaches happen almost daily, and organizations must have the ability to react effectively to an incident such as a data breach, a ransomware attack, a service outage, or a virus. Data forensic technology such as e-discovery software used to retrieve, analyze, and produce electronically stored data can help organizations preserve the chain of custody and systematically uncover facts that may not otherwise be identified.
3. Third-Party IT Vendor Oversight
The prevalence of third-party vendors in healthcare has expanded the potential liability of organizations. Entities must verify that vendors comply with their policies and procedures as well as with the applicable industry and legal requirements. Service level agreements (SLAs) should define compliance responsibilities, and organizations should monitor vendor performance. Dealing with overseas vendors to whom data will flow is an added challenge, and healthcare organizations must – at a minimum – confirm that data is encrypted and background checks are completed for vendor employees who will have access to the data.
4. Cloud Computing
Solutions based in cloud computing can help organizations reduce overhead costs, hardware requirements, and system downtime while also increasing speed and potentially improving security. Internal cloud computing technologies may be implemented to achieve these cost savings and efficiencies. Alternatively, many of the operations needed to support an infrastructure and application can be outsourced to a cloud computing vendor. However, governance, oversight of the vendor, and responsibility for the security of data cannot be fully outsourced.
Healthcare organizations should conduct cloud risk assessments associated with data governance requirements at planned intervals and should include a review of where sensitive data is stored and transmitted, compliance with organization data retention and disposal periods, and protection from unauthorized use. Governance activities should use oversight provided by the performance of Statement on Standards for Attestation Engagements (SSAE) 16 or Service Organization Control (SOC) reviews for outsourced cloud service providers. In addition, when protected health information (PHI) will be stored or processed using cloud computing services, business associate agreements must be documented and clearly define responsibilities, requirements, and remedies for failure to deliver against defined SLAs.
5. HIPAA Privacy and Security
The Health Insurance Portability and Accountability Act (HIPAA) continues to be an area of significant risk for healthcare organizations, which must maintain the security of PHI and be ready for Office for Civil Rights audits. To comply with HIPAA requirements, organizations must maintain comprehensive policies and procedures, including privacy, technical, physical, and administrative safeguards. The policies and procedures should be evaluated regularly, updated as necessary, and enforced. Organizations should retain supporting documentation demonstrating adherence to policies, and – more important – they need to achieve HIPAA requirements effectively.
6. Data Loss Prevention
Malicious intent or inadvertent mistakes can cause ePHI and other sensitive data to be disclosed to unauthorized personnel. To help prevent this, organizations must identify, account for, and secure all confidential data stored on workstations, laptops, and other mobile devices. In addition, organizations must establish and implement controls to block these data movements or log and alert potential disclosures or breaches when data exits via an open end point (for example, data downloaded via USB flash drive or external hard drive). These requirements also must apply to ePHI and other confidential data in the possession of contractors and vendors.
7. IT Network Security
Inadequate network security can lead to unauthorized access, theft of patient or sensitive business data, or network outages that prevent access to critical systems and applications. This could cause negative consequences to both staff productivity and patient safety. Organizations must protect their IT networks with security measures including redundancy, firewalls, access restrictions, data logging, and patches.
8. Mobile Devices
Mobile devices that connect to an organization’s network, applications, email, or data must be secured in order to protect ePHI. Organizations should consider mobile device management solutions that enforce identity management, device registration, password protection, and encryption. In addition, if employees are able to access email and other systems on personal devices, mechanisms (e.g., the ability to perform a remote wipe) must be in place to prevent unauthorized access to critical data as well as to deal with the loss of personal devices.
9. IT Application Post Implementation
Healthcare organizations often are susceptible to risks that result from implementing electronic health record (EHR), financial, and other business systems. Although such system implementations frequently have tight deadlines, organizations must establish important controls. In addition, they should perform post-implementation audits to confirm that the implementation was in accordance with management’s intentions regarding issues such as change management, security, user access, encryption, and data backup.
10. Health Information Exchanges
Health information exchanges (HIEs) make patient information electronically available across organizations within a region, community, or hospital system. But along with this convenience come privacy and data security concerns. These risks are compounded when public web-facing interfaces such as patient portals and clinically integrated networks make health record data available to individuals. A common security framework to be used consistently across the organizations that have access to an HIE must be established and tested so that all of the organizations using the exchange have confidence in the data security practices.
11. IT Disaster Recovery and Business Continuity
If systems and data are not available and operational at all times, an organization’s productivity, revenue, and even patient safety could be severely affected. Disaster recovery related to business continuity is not a new concern for healthcare organizations, but it continues to rank high on the list of top risks because of its strategic and business impact. Organizations should perform a business impact analysis (BIA) of all their systems so that they can prioritize critical systems. Based on the results of the BIA, organizations can develop and test business continuity and disaster recovery plans.
12. Payment Card Industry Data Security Standard (PCI DSS)
The credit card industry’s PCI Security Standards Council formulated the PCI DSS, which applies to all entities that store, process, or transmit credit card holder data. Requirements as of Oct. 1, 2015, shift fraud responsibility to organizations if they have not implemented solutions based on EMV (Europay, MasterCard, and Visa) standards. The healthcare industry often overlooks the PCI DSS, which outlines technical and operational system requirements to protect cardholder data. To avoid penalties, healthcare organizations should take an inventory of credit card data, including all points of sale, and determine whether the data’s protection satisfies the standard based on the organizations’ merchant level.
13. Meaningful Use
Centers for Medicare & Medicaid Services (CMS) audit activity related to meaningful use (MU) continues, and healthcare organizations must be adequately prepared to keep the substantial funds tied to satisfying the MU criteria. To reduce the odds of problematic audit findings, organizations should make an internal or external team responsible for gathering and maintaining the necessary documents to comply with the MU attestation requirements. Organizations that take a more informal approach to attestation might overlook vital components, such as security risk analyses, and leave themselves in the unfortunate position of potentially refunding or losing CMS incentive payments.
14. Shadow IT
Applications that are supported locally but outside of the IT department (for example, by a clinical or operational department or respective individuals) are considered “shadow IT” or locally managed and may lack core system access, change management, and backup and recovery controls. For example, it could make sense for a director of neurology to provide most of the IT support for the department’s applications and systems, but the director also must enforce the organization’s corporate IT policies and procedures. To achieve consistency, an organization must keep tabs on which systems are being managed locally and which by “shadow” support and should monitor adherence to regulatory and organizational IT security and privacy requirements.
15. Social Media
Social media promotes easy and open communication; however, identifying, managing, and controlling information that is shared online can be challenging for healthcare organizations. Various departments, including human resources, corporate responsibility, IT security, and legal, should work together to develop policies and controls to prevent ePHI and other sensitive data from being broadcast on social media, both internal and external to the organization, and also via corporate and personal social media accounts.
16. IT as a Service (ITaaS)
While some healthcare organizations are outsourcing the support of their EHRs to vendors, others are becoming service providers and supporting (or hosting) other organizations’ EHR applications. In addition, in some cases IT is acting as a service provider to other healthcare organizations in general areas of IT management, including security operations. ITaaS has been viewed by some organizations as a means of generating revenue to help offset anticipated lost reimbursements that might come with the changing healthcare environment. However, these organizations may not be prepared for all of the responsibilities of and risks to a service provider. IT service providers must implement and be able to provide evidence that they have the controls necessary to provide EHR support and other IT services in a secure and reliable fashion and in accordance with service agreements.
Telemedicine is the use of telecommunication and information technology to provide clinical healthcare remotely. It helps eliminate distance barriers and can improve access to medical services that often would not consistently be available in dispersed rural communities. Remote and virtual connections need to be reliable and secured so that the patient can be cared for without exposing patient information in an unauthorized manner. When using telemedicine technology, security and availability considerations such as data encryption, user authentication, password security, patient verification technologies, protected wireless and local area networks, adequate bandwidth, and data tracking and auditing should be contemplated.
18. Mergers and Acquisitions
With the changing reimbursement models, healthcare organizations are faced with generating revenue in new ways. Acquisitions, joint ventures, or other affiliation types may allow a healthcare organization to improve profitability while achieving its mission. Organizations that are acquired or merged may have IT requirements that differ from those of the parent or mutual organization. This can present more risk exposure and liability, especially when there is no defined timeline for integration and one of the entities lacks desired controls.
19. Business Intelligence and Data Warehousing
Data-based business intelligence (BI) is a set of analytic techniques and tools used to make more informed business decisions. Data analysis can provide incredible value, and BI quickly is becoming an essential tool for most healthcare organizations. With increasing emphasis on managing patient outcomes and overall population health, data management and analysis (clinical or otherwise) becomes more necessary. It’s essential that a healthcare organization maintain and secure a data warehouse where the data is both accurate and reliable. Data interfaces, whereby data transfers from a hospital system to the warehouse, must be equally secure and accurate to minimize associated risks and data discrepancies.
20. Accountable Care Organizations and Clinically Integrated Networks
Most organizations now are involved in accountable care organizations or clinically integrated networks in some way. Risks and complexity continue to multiply as participating organizations share data and may have differing IT and security expectations and requirements. Data security and privacy are critical, and participants should be concerned about issues such as liability for data breaches and the vulnerability of organizations with which they are joining forces. Ideally, consistent security, privacy, and related practices should be agreed upon during due diligence and negotiations.
21. ICD Post Transition
Organizations should have implemented the new International Classification of Diseases (ICD) code sets in October 2015 and now should be monitoring to confirm that providers are using them correctly to record patient care events. In addition, monitoring and remediation methods should be in place to identify and correct issues promptly with the adoption of the new code sets to minimize compliance and revenue issues.
Proactivity Is the Best Approach
IT and cybersecurity risks are fixtures in today’s healthcare risk universe. These are also topics frequently discussed in audit committee and board meetings. The significant increase in cybersecurity incidents in recent years indicates that the healthcare industry is a primary target for hackers. Risks identified in this article represent a relevant snapshot of IT risks in the majority of healthcare organizations. They also can be used as a reference point by those organizations that may not have the resources to conduct a comprehensive IT risk assessment. Taking proactive steps to eliminate, mitigate, or reduce these risks is the best approach to safeguard healthcare organizations; however, at least understanding the risk maturity in these areas is a good start.