Security Risk Analysis: The Challenges Community (and Small) Hospitals Face in Protecting PHI

NOW Interview with Carl Kunkleman

Conducting a security risk analysis is a requirement of the HIPAA security rule. Expanded under the HITECH Act of 2009, and modified by the 2013 Omnibus Rule, a security risk analysis is also a core requirement for Meaningful Use under the EHR Incentive Program, as well as for MIPS. Surprisingly, the process of conducting a SRA is still a challenge for many providers and healthcare organizations, made more complicated by the rise of cyber security threats.

I had an opportunity to talk with Carl Kunkleman, the co-founder and senior vice president of ClearDATA, specifically about why small and community hospitals struggle with conducing a security risk analysis. Here is part I of the interview.

Let’s start with a high-level question: what exactly is involved in a security risk analysis or SRA?

Carl: An SRA is a specific CFR or Code of Federal Regulation. And actually, for your readers and listeners, if they looked up or Googled 45 CFR 164.308 (a)(1), they’d find it. It’s also called the HIPAA Security Rule. The SRA is a review involving three big buckets: administrative, physical and technical safeguards. Now, if you look at these three buckets there are about 50 regulations within those buckets. And so, in a risk analysis, here’s what they’re really looking for:

  • Are your policies sufficient to be effective?
  • Are your procedures currently operational?
  • Do they meet HIPAA standards?
  • And then again, are they reasonable for your size organization?

The rule talks about what’s reasonable for your size organization which is really key to risk analysis for small and community hospitals. I’ve done hundreds of them and it really is about what’s reasonable for what they’re doing in their environment in terms of meeting these requirements. As a side, we actually added a fourth safeguard to our risk analysis; we call it the organizational safeguards. And those are really around BAAs or Business Associate Agreements. If you go to the Health and Human Services “wall of shame,” you’ll see that about 20% of all data breaches in PHI occur through a business associate. So, we’ve added that into our risk analysis just to make sure that that’s covered for the hospitals. And then, the biggest piece I’ve always found, Carol, is around what they call their PHI inventory.

That’s an interesting point. Can you elaborate?

Carl: You know, hospitals, have quite a PHI inventory that’s kind of where PHI lives. We actually have it as a foundational step to our risk analysis. The idea behind this is if you don’t know where your PHI lives then how do you know you’re safeguarding it if you don’t know where it lives, right? Very good question. (Yet) most people don’t know the answer. So, as a foundational step whether we’re doing it or someone else is doing it, they should always make sure that they’ve got that PHI inventory first and then match up those safeguards against those policies and procedures to make sure that they’re covered.

Why do community and small hospitals specifically have a challenge in protecting patient data, more so than larger hospitals?

The real challenge is around these smaller community hospitals. Number one, when we do the risk analysis, we find that they’ve got this aged, and in some cases, archaic hardware. I had a hospital where they had eight servers that were so old that they couldn’t even get support contracts. The other big thing for community and small hospitals is that they’re still using old software and they’re no longer updated, like Microsoft XP or old SQL versions. I’ve done hundreds of these. Sometimes it’s just best to say, instead of a complete re-do in the data center let’s just look at PHI data going into the Cloud. It’s much safer. It also turns a capital expense into an operational expense. So, your finance people will support it. Most importantly, it is really a better place for protecting that patient data especially in community-based hospitals where if you lose that data it’s not some obscure person; it’s your neighbor. It’s your business owner. It’s your local banker.

The other big thing I see are IT departments that are stretched too thin. These IT people are good but they just have too many hats on. I’ve seen folks with two people trying to run a data center and their desktop support. They’re just so busy with those day-to-day issues that the hospital just can’t keep up with the technology.

I think the final thing with small hospitals, in particular, you gotta remember that HIPAA compliance is a team sport. It’s not just IT. IT is just one-third of the safeguard. Every department must be involved in protecting PHI. It’s really from the front-desk person making sure people are signed in to HR making sure that they’re onboarding and properly offboarding employees, making sure that background checks are conducted for roles that require it. It also involves your materials management or people who deal with vendors making sure that they’ve got the right Business Associate Agreements, that’s really about protecting the liability for your hospital. It’s a heavy lift for these small community hospitals and their IT staff. But they do the best they can.

There are a lot of these do-it-yourself HIPAA software packages out there. Could those be an avenue for these teams or is that not appropriate for these hospitals?

Carl: There are lots of software programs out there where you can do it yourself. I’ve had a lot of hospitals and clinics call me about this all the time. A real catch is that they buy these software packages and they begin to answer these questions and then realize they’re answering yes to every question and they know they don’t have these things right. They call me and they go, “The problem is, I don’t understand the context behind the question.” And they shouldn’t. They’re taking care of patients. They don’t do this for a living.

And frankly, they just don’t have 40 hours to sit down and do the work right. That’s a lot of work. It takes us a long time. It’s gonna take them even longer. So, what I always tell people when they call me and I’ve actually had people send me theirs and they’ve got eight pages of yes, yes, yes. I ask two or three questions and nothing is right. I always say, “Look, as a baseline SRA it’s best to have someone who does it professionally. Have ClearDATA or anyone that does this for a living do the very first SRA for you at least as a baseline. That way, you’ve got an accurate baseline.” As an example, after we do the first SRA we give our clients a complete HIPAA scorecard. Basically, we give you document that shows in the left-hand column every statute or regulation that’s required. The next column shows what it means in generic terms. And then the third column is really what it means and what is reasonable in terms of your size organization. And then, we give them our analysis of what they’re doing. The reason that’s a good baseline is in years two and three and beyond they can use that scorecard and their previous information to update it themselves. But, that first one you do be sure to have a professional company do it for you.

So, what are some of the most often-seen PHI risks you and your team see out there as you complete these SRAs for hospitals?

Carl: Good question! Remember, there are really three kinds of safeguards: administrative, physical and technical safeguards. It’s actually one of the reasons we started ClearDATA. We were doing risk analysis, this was seven or eight years ago, and once we finished our risk analysis and gave the final presentation to the C-Suite of this small hospital they said, “Hey, this is great work. We recognize these issues. We’ve gotta fix this. But, we don’t have the time nor the talent nor any resources to go do this.” That’s when we recognized there’s a market out here. People, especially in small community-based hospitals, these QA (quality assurance departments) really don’t have these resources. Can we bring that to bear? And so, that’s kind of how we started ClearDATA.

In terms of the technical safeguards, I would say the biggest one is really encryption of your data in use, in transit and at rest. HIPAA will require you to have your data encrypted at use and in transit but at rest, you don’t have to have your data encrypted. But, if you don’t have it encrypted you’ve got to have the safeguards around that data to protect it. Here’s my argument to my customers. I say, “Look, I agree that encrypting your data at rest is not a requirement by HIPAA because people do try to steal your data in transit.  BUT, the real professional bad guys, Carol, the Guccifers of the world, they want where that data lives. Big buckets of data. It all lives at rest. Encryption software is really inexpensive. I always say just do it.

The second big safeguards is around back-ups. HIPAA requires exact duplicates of all your records. So, I always tell people, “Let’s take a look at what your policy and procedure says in terms of how often you’re going to back-up and then are you really doing it?” At the minimum, you should really be doing daily differentials of your back-ups and weekly full back-ups to bare metal. And, they need to be kept off site and encrypted. Plus, if you’re doing daily differentials and you’re hit with ransomware, you may not need to pay that fee to get your data back. You only have lost one day. And, in a very small hospital that may not be a lot. I’ve actually had, you know, a large ophthalmology groups call me and they have locations that have been hit by ransomware. It’s a very real issue and that back-up really helps.

The next one is DR or disaster recovery. You’d be amazed at how little time people spend on disaster recovery. You know, if you go to the mid-section of our country where they see tornadoes all the time, they really have it squared away. But, if you go to the east or west coast where you’ve got earthquakes, brown-outs and hurricanes, you would think they are really squared away. They surprise me. I actually went to a hospital in Louisiana who had been impacted by hurricane Katrina and they had not updated their DR plan since 2007.

The last couple of things are patch management and auto logs. Oh, my gosh, I bet 20% of our SRA customers don’t have auto logs turned on, which is crazy, right? From a HIPAA perspective in the event of a data breach that’s critical because you’re gonna pay ClearDATA or someone else to do the forensics behind that breach for your attorney. So, if you don’t have auto logs turned on, it’s gonna be really tough. If you have it turned on we can find the path, where they went and what they touched. If you don’t have auto logs turned on its gonna cost a lot more money and we’re gonna have to figure it out. The real key around HIPAA is that if a breach affects less than 500 patients it’s not considered a reportable breach so you can adjudicate it yourself. But, if it’s more than 500 patients, you have to report that breach to the OCR. Well, if you don’t know how many patients were affected, you have to then default to all patients were affected. For a small hospital, that could be three, four, five thousand. And, imagine a hospital with all the budgetary restraints and now I’ve gotta send letters and buy identity theft insurance for 3,000+ people in my community. All the ugliness that goes with it for something as easy as, you know, turning on auto logs.To that end, the big one right there is really around patch management. Are you patching your systems regularly? And, Carol, I don’t mean annually. I’m talking every 90 days. Patches usually come out, all IT guys know this, where you’re patching your systems to make sure they’re buttoned-up. Here at ClearDATA, if you’re in our Cloud we do all that work for you. We know the big buckets and we are going to make sure that our clients are protected.

Administratively, the big issue here is really around their policies and procedures. They just don’t have them in place. And, if you have a loss of data and you have to go in front of the OCR they’re going to want to see your policy. First of all, how did you lose PHI? Where did you fail to protect PHI? What’s your policy? What’s your procedure and are you following it? Well, if you don’t have a policy and procedure, you’re not following that policy. There isn’t one to follow. This was such a big deal that we actually created about a year and a half ago a complete master document of all the policies and procedures you need as a hospital to protect PHI that require HIPAA compliance. Physically, you know, these are big deals too but this is pretty easy. So, in terms of a data center, it’s not just user access but it’s also the physical location itself. You know, I’ve been in data centers where they have a water-based sprinkler system. That’s crazy, right? To have water, but the truth is the hospital was there in 1995, they decided to create a data center wherever it was, they gave them a room, and that room happened to have a sprinkler system. So, that’s really important. Another big one I see is around workstation security. You know, if you’re using laptops, you know that PHI is on them, but are they encrypted? And, by the way, if they’re stolen can you wipe the hard drive out? That’s the real key. Those are the big ones I see. And, if you got those, you’re probably squared away.

I gotta tell you I’ve done a lot of risk analyses and I’ve never seen anybody, including some of the best systems in the country, that we haven’t been able to identify risk. And again, Carol, these are all good people. They’re trying to do good work. The truth is there are some really bad guys out there just sitting there trying to get in every day. You gotta be one step ahead of them.

Learn more about Carl Kunkleman and ClearDATA at: www.ClearDATA.com.