Industry Insights with Jon Moore

Reconsidering the One-Size-Fits-All Healthcare Risk Analysis
Embracing Precision for Enhanced Security

For over a decade, the HIPAA Security Rule has required covered entities and business associates to engage in risk analysis and management. This mandate serves the critical purpose of safeguarding patient safety and ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI). But recent surges in data breaches within the healthcare sector, accompanied by their extensive repercussions, have reduced the effectiveness of some traditional risk analysis methodologies.

The Drawbacks of the One-Size-Fits-All Approach

Many organizations have favored the one-size-fits-all approach to risk analysis for its relatively low cost, simplicity, reduced level of information gathering and easy-to-understand executive scorecard. But more and more organizations that have adopted this approach now recognize that it presents a fundamental flaw when applied to the intricate landscape of healthcare data security. The approach treats all systems, applications and components within an organization as equals, failing to acknowledge their inherent disparities in complexity, criticality and susceptibility to cyberthreats.

The one-size-fits-all approach is typically characterized by a program maturity assessment based on the NIST Cybersecurity Framework, perhaps a vulnerability scan, and physical walk-throughs. This approach applies a level of abstraction that assumes that a single asset category encapsulates the multifaceted nature of healthcare systems. For example, this approach will typically look at how the organization manages servers generally but does not recognize or inquire about differences between groups of servers and their management.

While this approach provides a general sense of program maturity and theoretical risk, it does not deliver the precision or actionable insights that healthcare organizations need to manage risk effectively in the current threat environment. It may provide an overview of security measures, but it obscures the most important details.

The one-size-fits-all approach's penchant for generalization extends to its assessment of vulnerabilities. By assessing components superficially, the method may overlook vulnerabilities that cybercriminals can exploit. Whether an unpatched software component or an unprotected database, these seemingly minor vulnerabilities could lead to a significant breach, resulting in compromised patient data and subsequent legal and financial consequences.

Redefining Risk Analysis: The Information Asset-Based Approach

Amid the limitations of the one-size-fits-all approach, a more intricate and dynamic solution has emerged: the information asset-based approach. While this approach might be perceived as a novel concept by some, it's important to note that hundreds of healthcare organizations have effectively used it for over a decade.

Precision is paramount in a landscape where the smallest gap can lead to catastrophic breaches. The information asset-based approach excels in pinpointing vulnerabilities that might be overlooked under a one-size-fits-all strategy. The approach identifies vulnerabilities specific to each component group through meticulous assessment, offering a granular view that arms healthcare organizations with the knowledge needed to bolster their defenses.

Aligning With HIPAA and Enhancing Cyber Resilience

The information asset-based approach addresses the inadequacies of the one-size-fits-all method and aligns seamlessly with HIPAA's stringent expectations for robust risk analysis. OCR's Guidance on Risk Analysis Requirements under the HIPAA Security Rule underscores the required comprehensive scope of risk assessment, encompassing all electronic media forms, from individual workstations to complex networks. At a minimum, it requires that organizations document their inventory of systems and associated component groups used to create, receive, maintain or transmit ePHI.

The information asset-based approach harmonizes with these expectations, for it does more than merely scratch the surface. It dives deep into each component group's specific controls and risks. By adopting this approach, healthcare organizations can propel themselves toward true cyber resilience, fortified by insights that empower them to thwart potential cyberthreats effectively.
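The following is an added illustration, not code from the article or from Clearwater, of the difference the last three sections describe: a small ePHI inventory is scored once by collapsing each asset type into a single average (the one-size-fits-all view) and once per component group with its specific control gaps (the information asset-based view). The inventory, the 1-5 likelihood and impact scales, the control names and the response threshold are all constructed assumptions chosen so that the aggregate score hides a high-risk group.

```python
"""Compare one-size-fits-all aggregate scoring with information asset-based
scoring over a small inventory of ePHI component groups.

Added illustration; not code from the article or from Clearwater. The
inventory, the 1-5 likelihood/impact scales, the control names and the
threshold are all constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed: likelihood x impact at or above this needs a documented response.
RISK_THRESHOLD = 12


@dataclass
class ComponentGroup:
    name: str            # component group, e.g. "EHR database servers"
    asset_type: str      # coarse category a one-size-fits-all review would use
    handles_ephi: bool   # creates, receives, maintains or transmits ePHI?
    controls: dict       # control name -> implemented? (constructed)
    likelihood: int      # 1-5, constructed scale
    impact: int          # 1-5, constructed scale

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    def control_gaps(self) -> list:
        """Controls expected for this group that are not in place."""
        return sorted(c for c, ok in self.controls.items() if not ok)


# Constructed inventory for a hypothetical organization with hypothetical scores.
INVENTORY = [
    ComponentGroup("general file servers", "server", True,
                   {"encryption_at_rest": True, "patched_within_30d": True}, 2, 2),
    ComponentGroup("EHR database servers", "server", True,
                   {"encryption_at_rest": False, "patched_within_30d": False}, 4, 5),
    ComponentGroup("patient portal web servers", "server", True,
                   {"encryption_at_rest": True, "patched_within_30d": True}, 2, 3),
    ComponentGroup("marketing web servers", "server", False,
                   {"encryption_at_rest": False, "patched_within_30d": True}, 3, 1),
    ComponentGroup("clinical workstations", "workstation", True,
                   {"full_disk_encryption": False, "screen_lock": True}, 3, 4),
    ComponentGroup("administrative workstations", "workstation", True,
                   {"full_disk_encryption": True, "screen_lock": True}, 3, 2),
    ComponentGroup("infusion pumps", "medical_device", True,
                   {"network_segmentation": False, "vendor_patch_current": False}, 4, 4),
]


def in_scope(inventory):
    """Risk analysis scope under the Security Rule: only groups that touch ePHI."""
    return [g for g in inventory if g.handles_ephi]


def one_size_fits_all(inventory):
    """Collapse each asset type into one average risk score (the coarse view)."""
    by_type = {}
    for g in in_scope(inventory):
        by_type.setdefault(g.asset_type, []).append(g.risk)
    return {t: mean(scores) for t, scores in by_type.items()}


def asset_based(inventory):
    """Score every component group separately, together with its control gaps."""
    return {g.name: {"risk": g.risk, "gaps": g.control_gaps()}
            for g in in_scope(inventory)}


def masked_groups(inventory):
    """Groups at/above threshold whose asset-type average sits below threshold."""
    averages = one_size_fits_all(inventory)
    return sorted(g.name for g in in_scope(inventory)
                  if g.risk >= RISK_THRESHOLD and averages[g.asset_type] < RISK_THRESHOLD)


if __name__ == "__main__":
    print("One-size-fits-all:", one_size_fits_all(INVENTORY))
    for name, row in asset_based(INVENTORY).items():
        flag = "HIGH" if row["risk"] >= RISK_THRESHOLD else "ok"
        print(f"{flag:4} {name}: risk={row['risk']} gaps={row['gaps']}")
    print("Masked by aggregation:", masked_groups(INVENTORY))
```

Run as a script, the aggregate view reports the "server" category at an average score of 10 and "workstation" at 9, both below the constructed threshold, while the per-group view shows the EHR database servers at 20 with two missing controls and the clinical workstations at 12 with no disk encryption. The out-of-scope marketing servers are dropped by the ePHI filter rather than diluting the server average further.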

The significance of adopting a refined approach to risk analysis cannot be overstated. As healthcare continues to embrace technological advancements, security measures must evolve in parallel. By embracing precision over uniformity, healthcare organizations forge a path toward enhanced security, fortified defenses and the preservation of patient safety and trust. The journey toward true cyber resilience begins with recognizing that one-size-fits-all no longer fits the bill. It's time to embrace an approach that reflects the intricate tapestry of healthcare's data security landscape.

About the Author

Jon Moore

Chief Risk Officer and SVP Consulting Services, Clearwater

Jon Moore is an experienced professional with a background in privacy and security law, technology and healthcare. As Chief Risk Officer and Senior Vice President of Consulting Services at Clearwater, Jon works with healthcare leaders to safeguard their patients' health, health information, corporate capital and earnings through the creation and development of strong, proactive privacy and information security programs. Together with his colleagues at Clearwater, Jon provides the strategic advice, services, training and tools needed for a complete Cybersecurity, Risk Management, and HIPAA Compliance solution.

During an eight-year tenure with PricewaterhouseCoopers (PwC), Jon served in multiple roles. He was a leader of the Federal Healthcare Practice, Federal Practice IT Operational Leader, and a member of the Federal Practice’s Operational Leadership Team. Among the major federal clients supported by Moore and his team were the National Institute of Standards and Technology (NIST), National Institutes of Health (NIH), Indian Health Service (IHS), Department of Health and Human Services (HHS), U.S. Nuclear Regulatory Commission (NRC), Environmental Protection Agency (EPA), and Administration for Children and Families (ACF).

Jon holds a BA in Economics from Haverford College, a law degree from Penn State University’s Dickinson Law, and an MS in Electronic Commerce from Carnegie Mellon’s School of Computer Science and Tepper School of Business.
