Guest post by Lysa Myers, security researcher, ESET.
Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.
How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.
How to do an EHR risk assessment
There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.
- Identify Assets:
The first step in any risk assessment is to identify and document the EHR assets in your organization, anything that is used to input, store or transmit ePHI: e.g. patient names, addresses, Social Security numbers, email addresses, fingerprints or photographic images.
Remember that ePHI could end up in places you might not initially consider: patients' names and email or physical addresses are likely to be in appointment information, but their Social Security numbers might also be in billing and insurance records.
The most likely places for ePHI to be stored include laptops, hard drives, backups, cloud services, smart cards and other portable media. But don’t forget mobile devices such as phones and tablets, web applications, and non-Windows systems such as medical devices, Internet routers, printers and scanners.
When identifying transmission methods, consider all sources and destinations of information, including doctors, nurses, patients, insurance providers, backup services and cloud providers. These transmissions could take place via email, text message, instant message or the web, or by Health Information Exchange, fax or network shares.
You can start identifying this information by looking at current and past projects, as well as at existing policies/procedures. It is also incredibly useful to consult IT and other staff, as they may be using methods that are not documented. If you’re an office of one with all your information on a tablet, this step may go quite quickly. If you’re assessing a larger organization, this will necessarily be more complex and full of potential surprises.
This is where a rolling risk assessment is particularly helpful: As your assets and methods of transmission change over time, it’s a good idea to note these in your documentation, so you don’t have to restart this identification process from scratch each time you revisit the assessment process.
- Identify risks and vulnerabilities:
Once you’ve identified your assets, you can begin identifying the risks and threats for those assets. It’s important to consider not just cybercrime problems, but also any other human-made, natural or environmental troubles that could befall your systems. That includes the possibility of disgruntled employees, power outages and weather-related damage, such as earthquakes or major storms. Don’t dismiss any possible calamity at this stage, no matter how far-fetched it seems. Like the identification of assets, this step needs regular updating as known vulnerabilities change frequently.
- Assess relative likelihood and impact of threats/vulnerabilities:
Once you’ve got all those disastrous scenarios listed, it’s time to create a matrix that ranks them in terms of severity of impact and likelihood of occurrence. Some problems are minor but likely to occur; others are more severe but unlikely. You will find it helpful to get multiple perspectives on the relative probability of threats materializing, so consider outside help at this stage.
- Review existing security measures:
Once you have documented all of the above, you need to review the measures you already have in place to help avoid, mitigate or transfer risk. Examples are: anti-malware protection, encryption, firewalls and two-factor authentication. Are you missing any of these? What about cybersecurity insurance and employee education? Any gaps should be documented and then addressed, balancing the usability, cost and effectiveness of the countermeasure against the value of the informational asset being protected.
But don’t stop there. The business environment, the threat and vulnerability landscape and defensive technologies are all constantly changing. Risk assessment should be an iterative process that is ongoing indefinitely, rather than something you do once and put on a shelf.
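To show how the four steps fit together on paper, here is a small risk register in Python. It is an added example, not a tool from the post or from ESET: the 1-to-5 rating scale, the likelihood-times-impact score, the band thresholds, the BASELINE control mapping and the sample register are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the register: an ePHI asset, a threat to it, ratings 1..5."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: frozenset = frozenset()  # measures already in place

    @property
    def score(self) -> int:
        # Likelihood x impact; the post sets no scale, so 1..5 is assumed here.
        return self.likelihood * self.impact


# Hypothetical baseline: which of the controls the post names should be in
# place against each threat type. Tune this to your own environment.
BASELINE = {
    "malware": {"anti-malware", "employee education"},
    "lost device": {"encryption"},
    "stolen credentials": {"two-factor auth", "employee education"},
    "storm damage": {"offsite backups", "cyber insurance"},
}

def band(score: int) -> str:
    """Severity band for the matrix; thresholds are assumptions."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rank_risks(register):
    """Most severe first, ties broken by asset name."""
    return sorted(register, key=lambda r: (-r.score, r.asset))

def find_gaps(register):
    """(asset, threat, missing controls) for each risk not fully covered."""
    return [(r.asset, r.threat, sorted(BASELINE.get(r.threat, set()) - r.controls))
            for r in register if BASELINE.get(r.threat, set()) - r.controls]

# Constructed sample register, not data from any real practice.
SAMPLE = [
    Risk("billing server (SSNs)", "malware", 4, 5, frozenset({"anti-malware"})),
    Risk("clinician laptop", "lost device", 3, 4),
    Risk("patient portal", "stolen credentials", 3, 5,
         frozenset({"two-factor auth", "employee education"})),
    Risk("on-site backups", "storm damage", 1, 5, frozenset({"offsite backups"})),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE):
        print(f"{band(r.score):6} {r.score:2}  {r.asset} / {r.threat}")
    for asset, threat, missing in find_gaps(SAMPLE):
        print(f"GAP  {asset} / {threat}: add {', '.join(missing)}")
```

Re-running it after each pass of the rolling assessment, with new rows added as assets and transmission paths change, keeps the matrix and the gap list current without restarting from scratch.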
SMB Risk Assessment tool: http://www.healthit.gov/providers-professionals/security-risk-assessment
Risk Assessment Frameworks: http://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment