By Carl Kunkleman, senior vice president and co-founder, ClearDATA.
Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.
Add to this, the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in off-boarding or off-boarding employees, technical infrastructures that didn’t have time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.
Sadly, this sense of chaos creates the ideal conditions for the hackers of the world looking to infiltrate via phishing, malware and ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment known as an SRA. Your internal teams and resources are stressed, overworked and possibly burned out and an SRA can identify security gaps that will inevitably arise and present an actionable plan to remediate. This will help reduce risks while protecting your organization’s finances and reputation while we all find out what “getting back to normal” will mean.
Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last week to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.
Because an SRA covers administrative, technical and security safeguards, your entire organization will benefit from the process. I continue to find organizations who think their PHI is protected because they have password protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even with PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?