BreachExchange mailing list archives

How mature are healthcare risk management programs?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Jun 2014 20:20:00 -0600

http://healthitsecurity.com/2014/06/26/how-mature-are-healthcare-risk-management-programs/

It’s no secret by now that how healthcare organizations build their risk
management programs and manage their business associates (BAs) can have a
big impact on their data breach preparedness. But how are organizations
doing in terms of risk management these days? HealthITSecurity.com spoke
with intelligence and risk management firm Stroz Friedberg’s Security
Science Vice Presidents Dave Dalva and George McBride to learn more about
healthcare client trends and current areas of focus.

Dalva said that, at a high level, clients across a variety of industries
struggle to implement a mature information security risk management
program while still performing their everyday tasks. Some cross-industry
clients are proactive and others are reactive, but in healthcare the HIPAA
audits are starting to raise awareness within the sector. McBride concurred,
adding that acquisitions also make compliance more difficult for providers.

"… those audits really changed a lot of the healthcare companies’
perspectives and really said, “Hey, this is real.  This is not just a
regulation. This is something that I need to be compliant with and need to
be proactive in.” [And] in healthcare I tend to see a little bit more on
the acquisition side and I know a lot of the healthcare companies really
struggle as they acquire companies small or large, fully compliant or
having a less mature program, as they bring those companies on board,
struggling to quickly get them aligned and compliant."

Both Dalva and McBride agreed that HIPAA gives providers a fairly strong
foundation on which to build their security and risk management programs,
but the question of whether compliance alone is sufficient still arises. “A
lot of organizations or some organizations tend to think that compliance is
sufficient, so once they’ve achieved that level of compliance they can
start to focus on other efforts,” McBride said. “But compliance doesn’t
always equal security.”

The notion that HIPAA compliance is “good enough” can present major
problems for an organization facing today’s external threats. From a risk
management process perspective, Dalva said that compliance is only one
input to the process, not the process itself.

"[Risk management] includes lots of other things, like preview the risk,
understanding business priorities and goals, looking to see how well you’re
implementing, how well the operational environment is implementing the
goals of the organization, and that the ability to adapt to changes to the
business and changes to the threat environment, which George alluded to, is
all key."

Business associate effects

Another part of any healthcare provider’s risk management program these
days should be BA relationships and assessments. McBride said that he had
previously seen a more relaxed, hands-off approach to BA management, but
that Stroz Friedberg is now starting to see a lot more due diligence from
the covered entity, beginning with the actual business associate agreement
(BAA) itself. This includes going on-site, doing assessments, doing audits,
and looking for a third-party assessment. “Making that statement that
compliance doesn’t always equal security, taking it to the next level and
starting to look at your business associates,” McBride said.

Dalva added that he thinks where exactly things break down along the value
chain ultimately matters less than the fact that there was a breach.

"If your company is somewhere along that value chain, whether you’re a
covered entity, or whether you’re a business associate, it doesn’t really
matter. If you don’t have the executive buy-in, if security becomes an IT
problem, then you have issues, right? But if security is a problem, then
you get a lot more proactive approaches to it."

McBride said providers must locate the data held within the organization as
part of a risk management program, and specifically understand why the data
life cycle is important.

"You need to know what assets you need to protect, but truly understanding
where what data they have within their organization, be it in the data
warehouse or individual silos is something that organizations, time after
time, miss because they think they’ve got it all and then there’s another
fork in the road where data splits off or there’s some other source that
they weren’t aware of."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com
