step by step guide to healthcare it security risk management - redspin information security


Upload: redspin-inc

Post on 30-Jun-2015


Page 1: Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Information Security

Ensuring security, privacy, and compliance while creating

value with healthcare IT

A step by step approach

White Paper

6450 Via Real, Suite 3, Carpinteria, CA 93013
800-721-9177
805-684-6858
www.redspin.com


Ensuring security, privacy, and compliance while creating value with healthcare IT

A step by step approach to meeting security, privacy, and compliance goals through a focus on value creation.

Spiraling costs and a lack of global competitiveness are often cited as major problems with the U.S. healthcare system. Information technology can be a significant part of the solution to these problems. In fact, industry leaders and the government sector have begun to focus resources, management attention, and funding towards IT investments. Yet historically, IT has been viewed as a cost center rather than as an investment. As an element of that cost center, spending on IT security, privacy, and compliance has typically been budgeted at the minimum level necessary to meet regulatory requirements. A new perspective is required, where investing in IT is understood to create value by increasing competitiveness, lowering costs, and increasing the quality of patient care. IT thus becomes a large part of the solution to the problems facing the healthcare industry.

This paper examines a general process for managing healthcare IT investments and specifically outlines a step by step approach to meeting security, privacy, and compliance goals through a focus on value creation and risk management. Information security programs in the healthcare sector have often been driven by reactive approaches and ad hoc, compliance-oriented processes. These approaches view “success” as avoiding security incidents and passing compliance audits with the minimum amount of investment. We will examine why this approach is unsustainable and show how it belies widely-accepted risk management principles. Instead, we will offer a results-oriented alternative that ensures security, compliance, and privacy programs support the overall healthcare IT mission of creating value and meeting business objectives.

From electronic health record adoption to clinical workflow automation, healthcare increasingly runs on information. Yet healthcare has traditionally lagged other industry segments in terms of IT spending. As a percent of revenue, IT spending represents just over 5% for the healthcare industry segment versus 11% for financial services (Forrester Research). More importantly, IT spending in healthcare has not been aligned with achieving objectives. Given the rising demands for overall transformation of the healthcare industry and the competitive pressures on U.S. provider organizations, healthcare urgently needs the improvements IT can enable. Information security must play a central role in this transformation, both in terms of ensuring patient trust through proper use of their data and protecting the business from threats ranging from cyber crime to brand damage associated with data breaches.

Value Oriented, Performance Driven

Fortunately, this transition to value-oriented, performance-driven healthcare is underway in several leading providers such as Kaiser Permanente, Partners Healthcare System and Geisinger. A common denominator among these companies is that IT and the information security program are viewed as creating value rather than as cost centers. From a process perspective these leaders have also developed similar methods for aligning IT investments with value to the business. This involves defining a set of observable, quantifiable operational metrics. Broad categories include benefits to patient safety, quality of care, staff productivity, employee satisfaction, revenue enhancement, and cost optimization. In this manner IT investments are evaluated in terms of how well they help the organization meet business objectives. Another critical common factor in these organizations is a system of risk management for continuously optimizing security, privacy, and compliance initiatives. Throughout the rest of this paper we will discuss the step by step process of deploying a successful information risk management program.

Page 1 l www.redspin.com

Organizing For Performance (Figure 1)

The objective of the information risk management program is to minimize risk to information that is critical to the business while enabling business goals. The primary interactions in this area are with the line of business, finance, and legal teams. The security team must codify the net results in terms of policy that will drive operational as well as quality and performance management decisions. Information security management is owned by the security team but interacts with and primarily leverages operations, IT, and HR. Information generated at this point contributes to the overall picture of situational awareness that guides both the business and the information risk management program. The security-relevant aspects of quality and performance management for the business are owned by the security team but must work with the audit, development, and QA teams. This function generates the reporting metrics (e.g. compliance with internal policies and regulatory requirements) that drive decisions for the business and the security team, as well as contributing to the overall situational awareness picture. The overall output of this cycle is not simply to protect information but to allow better decisions to be made that drive the business forward.

The major steps associated with a successful information risk management program are as follows:

1. Organizing for performance

2. Assessing risk

3. Decision analysis

4. Policy implementation

5. Measuring program effectiveness

6. Repeat steps 2-5, adjusting the organization defined in step 1 to evolving business requirements

The first step in the process involves organizing for performance. There are two critical components for success. The first component is executive sponsorship. Executive sponsorship is not a passive role. The executive sponsor is typically the CIO or CISO and is responsible for funding, authority, and support of the information risk management program. This role also serves as the final escalation point to define acceptable risk to the business. The second critical component for success is integration of the information risk management program with the rest of the organization. A program that does not leverage other functional units will have difficulty aligning with business goals and will ultimately fail.

A successful organizational structure for carrying out the step by step information risk management plan outlined above is shown in Figure 1.


With this organization in place, the information risk management program can be set in motion. Before describing the process in detail, it is useful to consider alternative approaches. With pressure to meet the more stringent regulatory requirements imposed by the HITECH Act, urgent deadlines to meet meaningful use requirements, and the need to react to day-to-day incidents, it is easy for a program to become derailed. Let’s consider the requirements to comply with the HITECH Act. Organizations must do the following:

• Implement a data classification policy that describes the processes used to identify, classify, store, secure, and monitor access to PHI data.

• Implement a process to detect a potential data breach and carry out an incident response plan.

• Implement a notification process to inform affected parties after discovery of a breach of security to PHI without unreasonable delay.

• Implement policies, processes, and procedures for security awareness and training.

• Encrypt PHI data – at rest and in transit.

Immediately launching an effort to address these requirements is tempting, but fraught with peril. Many HIPAA security programs focused on creating policies and procedures as a starting point. Frequently, there was a disconnect between policies and actual technical and procedural safeguards. Further, there is not a clear understanding of the broader risk picture and its integration with the business context. A more informed view is shown in Figure 2.

PHI/PII Risk Indication (Figure 2)

Developing a broader view of risk to the business allows the information risk management team to avoid acting narrowly. For example, rather than a siloed effort to develop policies and implement controls to comply with the HITECH Act, a program can be put in place that addresses the unified regulatory requirements associated with PHI/PII data.

Now let’s examine each of the steps to carry out the information risk management program. The continuous nature of this process is illustrated in Figure 3.

Risk Management Process (Figure 3)

Step 1. Assess Risk

The first step in the process involves identification and prioritization of risks to the business.

a. Plan data gathering. Identify key success factors and preparation guidance.

b. Gather risk data. Outline the data collection process and analysis.

c. Prioritize risks. Use qualitative and quantitative risk analysis to drive prioritization.

Step 2. Decision Analysis

The second step covers the processes for evaluating requirements, understanding possible solutions, selecting controls, estimating costs, and choosing the most effective mitigation strategy.

a. Define functional requirements to mitigate risks.

b. Outline possible control solutions. Keep in mind that these include not only technical controls but people-driven processes (e.g., separation of duties) and service level agreements.

c. Estimate risk reduction. Understand the probability of risks and the impact of reduced exposure.

d. Estimate solution cost. Reflect direct and indirect costs associated with mitigation solutions.

e. Choose mitigation strategy. Complete a cost-benefit analysis to identify the most effective mitigation solution.

Step 3. Policy Implementation

The third step addresses policy implementation and the acquisition and deployment of controls to carry out the policy.

a. Ensure that policy specifications are enforceable.

b. Apply a comprehensive approach that integrates process automation, people, and technology in the mitigation solution.

c. Focus on defense in depth by coordinating application, system, data, and network controls to meet business objectives.

d. Communicate policies and control responsibilities throughout the organization.

Step 4. Measure Effectiveness

The fourth step consists of developing and disseminating reports as well as providing management a dashboard to understand program effectiveness.

a. Develop and continuously update a management dashboard that summarizes the organization’s risk profile.

b. Report on changes under consideration and summarize changes that are underway.

c. Communicate the effectiveness of the control solutions in mitigating risk.

d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.

Key Success Factors

As noted earlier, a major element contributing to the success of an information risk management program is involvement of functional units throughout the organization. The information risk management team needs to take responsibility for educating the organization on the process and developing the thorough understanding of risk that will allow the business to take specific action when managing it.


An effective method to get this process underway is to view risk across four simple categories. This provides a straightforward way to clarify tradeoffs and make decisions. These categories can be thought of as the four A’s:

Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in case of failure.

Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations, and inappropriate use.

Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with HIPAA/HITECH and Sarbanes-Oxley are common sources of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and risk mitigation programs), such as the inability to get an accurate, consistent view of patient records or clinical workflow effectiveness.

Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don’t believe IT can deliver on time.

Another area to look at is consistent usage of risk severity levels and the associated actions. At Redspin we use five levels:

• Critical - Corrective measures are required immediately.

• High - Strong need for corrective measures. An action plan must be put in place as soon as possible.

• Medium - Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

• Low - Management must determine whether corrective actions are required, or decide to accept the risk.

• Informational - The issue does not indicate a material policy violation but is something for management to consider for enhancing the overall security posture.

Drive these definitions into risk mitigation programs, policy specifications and controls.

Next, everyone in the organization needs a clear and consistent definition of risk. In this context, risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset. The diagram shown in Figure 4 illustrates the relationships of each element of risk.

Component of Risk (Figure 4)


To illustrate the usage of a risk statement in practice, let’s look at an example focusing on risk to PHI data.

The assets (what you are trying to protect: PHI)

• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what are you afraid of happening)

• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.

• Hackers using application attacks to gain access to database records.

• Insiders gathering inappropriate data through misconfigured access control.

The vulnerabilities (how could the threat occur)

• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities

• Application vulnerabilities (e.g., SQL injection, command injection)

• Misconfigured database access controls

Current mitigation (what is currently reducing the risk)

• Staff

• Technology

• Processes

Another key success factor is development of an effective methodology for risk assessment. There are many different approaches, but most are qualitative or quantitative methods or a combination of the two. A quantitative approach allows risk to be expressed with financial values and thus resonates strongly with management. However, such a process is resource intensive and thus more expensive, so broad-based coverage is challenging. Therefore, focusing on high-impact areas with quantitative methods and driving coverage with qualitative approaches tends to produce the best results.
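The risk statement, the five severity levels and the mixed quantitative/qualitative methodology above can be put into one small risk register. The following is an added example and not Redspin's code; the 1..5 likelihood and impact scales, the score thresholds for each level, the ALE = SLE x ARO formula and the sample entries are all assumptions introduced here.

```python
# Added example, not Redspin's code: a risk register that scores risk as the
# paper defines it (probability of exploitation x degree of loss), maps it to
# the paper's five severity levels, and mixes quantitative (ALE) and
# qualitative scoring. 1..5 scales, thresholds and ALE = SLE x ARO are assumed.
from dataclasses import dataclass
from typing import List, Optional

LEVEL_ACTIONS = {  # the paper's five severity levels and their required actions
    "Critical": "Corrective measures are required immediately.",
    "High": "An action plan must be put in place as soon as possible.",
    "Medium": "Plan corrective actions within a reasonable period of time.",
    "Low": "Management decides whether to correct or accept the risk.",
    "Informational": "Consider for enhancing the overall security posture.",
}

@dataclass
class Risk:
    asset: str             # what you are trying to protect (e.g. PHI)
    threat: str            # what you are afraid of happening
    vulnerability: str     # how the threat could occur
    mitigation: str        # what is currently reducing the risk
    likelihood: int        # 1..5: probability of exploitation as mitigated
    impact: int            # 1..5: degree of loss of C/I/A
    sle: Optional[float] = None  # single loss expectancy ($), quantified only
    aro: Optional[float] = None  # annual rate of occurrence, quantified only

def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on the assumed 1..5 scales (1..25)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return r.likelihood * r.impact

def severity(r: Risk) -> str:
    """Map the score to one of the five levels (thresholds are assumed)."""
    s = qualitative_score(r)
    for threshold, level in ((20, "Critical"), (12, "High"), (6, "Medium"), (3, "Low")):
        if s >= threshold:
            return level
    return "Informational"

def annual_loss_expectancy(r: Risk) -> Optional[float]:
    """ALE = SLE x ARO, available only for quantitatively assessed risks."""
    if r.sle is None or r.aro is None:
        return None
    return r.sle * r.aro

def prioritize(register: List[Risk]) -> List[Risk]:
    """Quantified risks first (highest ALE), then the rest by qualitative score."""
    def key(r: Risk):
        ale = annual_loss_expectancy(r)
        return (ale is not None, ale or 0.0, qualitative_score(r))
    return sorted(register, key=key, reverse=True)

REGISTER = [  # constructed sample, built from the paper's PHI risk statement
    Risk("PHI database", "Hackers using application attacks", "SQL injection",
         "Input validation in the web application", 3, 5, sle=500_000, aro=0.2),
    Risk("PHI records", "Insiders gathering inappropriate data",
         "Misconfigured database access controls", "Quarterly access review", 4, 3),
    Risk("Staff credentials", "Cybercriminals stealing account credentials",
         "Targeted social engineering via .pdf/.doc malware", "Awareness training", 2, 2),
]
```

Calling prioritize(REGISTER) puts the one quantified risk first by dollar exposure and orders the qualitatively scored remainder behind it, which is the "quantify the high-impact areas, cover the rest qualitatively" split the paper recommends.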

A final consideration in terms of key success factors is the timing for repeating the process. Each cycle starts with a new risk assessment. The frequency will vary from organization to organization. Many companies find that annual recurrence is sufficient so long as the information security team is proactively monitoring for new threats, vulnerabilities, and assets.

In summary, you can expect investment in an information risk management program to bring important business benefits. Some of these include the following:

• Risk reduction allows deployment of new business processes that were not previously possible.

• Confidence in brand protection can result in new revenue generating programs.

• Trust in service availability means that existing programs can generate more revenue and more profitably.

• Confidence in risk mitigation efforts, ranging from technical controls to effective service level agreements, decreases program launch time.

• Clear guidance on security requirements associated with new business unit projects accelerates time to revenue.


How Redspin Can Help

Redspin has invested heavily in the healthcare industry segment for several years and has built deep understanding of security, privacy, and compliance issues. Specific service offerings include:

• HIPAA security risk assessment

• HIE security assessment

• Infrastructure assessment

• Application security assessment

Given our healthcare domain expertise and experience with security assessments, we can serve as an effective partner in getting your information risk management program started or optimizing an existing program.

About Redspin

Redspin delivers the highest quality information security assessments through technical expertise, business acumen, and objectivity. Redspin customers include leading companies in healthcare, financial services, media/entertainment, retail, and technology. Some of the largest communications providers and commercial banks rely upon Redspin to provide an effective managerial, operational and technical solution tailored to their business context, allowing them to reduce risk, maintain compliance, and increase the value of their business unit and IT portfolios.

© 2010 Redspin, Inc. All rights reserved.