There’s an ever-increasing number of threats to healthcare information. Healthcare information is more valuable and visible than ever; and, at the same time, more vulnerable than ever. You feel responsible and, as the CISO, you are responsible for its security. Conducting a comprehensive, bona fide risk assessment can be an effective first step in building credibility with the executive team and board and, therefore, in building a business case for cybersecurity investments in your organizations. In addition to conducting the risk assessment, you should:
- Find a sponsor on the executive team to use as a sounding board on risk appetite, sufficiency and understandability of supporting information and recommendations on mitigating risks.
- Build a cross-functional team to help identify and respond to threats and vulnerabilities, including representatives from any function that has access to protected health information (PHI) or is involved in procedures for providing or terminating access to PHI.
- Change the technology language you and your team use from “compliance and information security” to “patient safety and quality of care” – these words will resonate more with CEOs and other functional leaders you’ll want on your side.
In order to get the funds needed to shore up an information security program, CISOs need to develop a comprehensive and compelling business case for doing so. Consider the following steps:
- Conduct a comprehensive, bona fide risk analysis of all assets that create, receive, maintain or transmit ePHI.
Examine all the threats and vulnerabilities to those assets and the underlying media, and assess the ability of the controls in place to minimize exploitation. Identify the media where the PHI “lives,” for example, laptops, desktops, servers, back-up tapes, flash drives. Detail the threats to that media, for example, environmental threats like hurricanes; structural threats like power outages; accidental threats like errant or misdirected emails; and intentional threats like ransomware attacks. Bona fide, comprehensive risk analysis considers numerous “asset-threat-vulnerability” combinations.
- Rate each risk in terms of the likelihood of a compromise of the confidentiality, integrity or availability of the information.
By using a scale from 1 to 5 (5 being the highest likelihood), you can begin the risk-ranking process. There are a number of data sources that you might use to assess the likelihood of a compromise:
- Threats and Threat Sources
- Data from the Health and Human Services (HHS) website listing all reported breaches of 500 or more records. Examine which threats exploited which vulnerabilities, and whether those vulnerabilities may exist in your own environment. As of June 23, 2016, 20 percent of the breaches of 500 records or more reported on the HHS website this year are attributed to hospitals, clinics and health systems. Thirty-seven percent of those breaches were due to hacking or IT incidents: email (6), network server (1), and desktop computers (3).
- Information from other best practice websites and sources regarding emerging threats and vulnerabilities.
- Security or privacy incidents that have been reported in your own organization may identify threats that have not yet been addressed.
- Vulnerabilities—among many potential weaknesses in controls, consider
- Insufficiently documented and enforced policies and procedures
- Lack of practices regarding system back-up, workforce access, updating and patching
- Undocumented or untested disaster recovery and business interruption plans
- Limited and ineffective workforce training and security awareness programs
- Controls
- Typically categorized as administrative, physical and technical, control sets can be found in sources such as:
- NIST 800-53
- ISO 27001
- CCS CSC
- Rate each risk in terms of the impact of a compromise of the confidentiality, integrity or availability of the information. Think of impact in terms of loss or harm.
There are basically two ways you can calculate the impact of a breach:
- Using the annually-updated average cost of a data breach study conducted by the Ponemon Institute and sponsored by various companies. In 2016, the study was sponsored by IBM and the average cost of a data breach was determined to be $158 per record. So the impact of a breach would be calculated from the number of records that would be involved in the compromise of each asset. Just to put it in perspective, for the first five months of 2016, the number of breached records per hospital or health system due to hacking or IT incidents on the HHS website totaled 9,572, making the average cost due to a hacking or IT incident for each breached organization $1.5 million. The drawback of this approach is that the calculation, because of the difficulty of doing so, omits some costs that would be incurred, such as reputational repercussions, business disruption, or the loss and replacement of an executive leader or other key workforce members.
- Calculating the cost of a breach specifically for your organization. The elements of that exercise are outlined in a free report from the American National Standards Institute (“ANSI”) entitled The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security. This thoughtful calculation will be more persuasive as it will be specific to your organization.
Since no studies have been done on the cost of recovering from ransomware, the bottom-up calculation could be prepared by considering these factors (details of which may be found in the ANSI report mentioned above):
- Payment of the ransom: this may be the smallest expense to be dealt with, although ransom demands are expected to increase significantly.
- Forensics: this cost can vary depending on the number and types of systems involved and the complexity of the recovery of evidence. IT forensics has provided a range of $100 to $600/hour depending on the services being provided. “Examination and reporting can be completed in less than 20 hours and the total analysis usually totals less than $8,000 for a single hard drive.”
- Mitigation: 72 percent of organizations infected with ransomware required a minimum of two days to restore access to their data and a third required five days or more, according to a study by Intermedia. The time and cost associated with recovery (containing the infected systems, wiping them completely and then restoring them) must be included in the impact calculation. Recovery is measured in terms of how much data an organization can afford to lose (e.g., 1 hour or 24 hours of data) and how long an organization can operate without an asset or group of assets being available before it impacts the bottom line (e.g., 1 hour or 24 hours).
- Remediation: updated and tested disaster recovery and business interruption plans, back-up procedures, workforce training, business disruption, replacement of leaders held accountable, public relations costs and lost business due to reputational damage.
- Fines and Penalties: Office for Civil Rights (OCR) fines and identity theft services, and possibly lawsuits, following ransomware attacks that include the transfer of information out of the organization’s environment to a command server elsewhere.
- Compare your risk ranking to your organization’s risk appetite
Translate your impact calculations for each risk into the scale from 1 to 5 (with 5 being the highest impact). Multiply the likelihood ranking and the impact ranking to produce a risk score for each risk from 1 to 25. Test the waters on your organization’s risk appetite by developing remediation plans for any risks with a score higher than 14, which would include calculation results from a 3*5 or a 4*4.
- Develop and recommend thoughtful remediation plans
Information risk management and thoughtful remediation planning involve rank-ordering all of the organization’s identified risks from most to least significant and using the organization’s risk appetite to draw an initial “line in the sand” that identifies which risks will be accepted. The organization must then decide whether to avoid, mitigate and/or transfer each risk that exceeds its risk appetite.
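The scoring and ranking steps above (likelihood 1 to 5 times impact 1 to 5, remediation plans for scores above 14, risks rank-ordered against the risk appetite) as a small risk-register calculator. This is an added example, not part of the original article or any vendor tool; the dollar ceilings used to map a per-record cost estimate onto the 1 to 5 impact scale are assumed, since the article leaves that mapping to each organization, and the sample register is constructed.

```python
from dataclasses import dataclass

COST_PER_RECORD = 158.0  # 2016 Ponemon/IBM average cost per breached record, as cited above

# Assumed dollar ceilings for impact ratings 1-4 (anything above the last is a 5);
# the article leaves this mapping to each organization, so these are placeholders.
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (5_000_000, 4)]

def impact_score(records: int, cost_per_record: float = COST_PER_RECORD) -> int:
    """Top-down impact: records involved x cost per record, mapped to the 1-5 scale."""
    cost = records * cost_per_record
    for ceiling, score in IMPACT_BANDS:
        if cost < ceiling:
            return score
    return 5

@dataclass
class Risk:
    """One asset-threat-vulnerability combination from the risk analysis."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (least likely) .. 5 (most likely)
    records: int     # ePHI records the asset creates, receives, maintains or transmits

    def score(self) -> int:
        """Likelihood x impact, giving the article's 1-25 risk score."""
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")
        return self.likelihood * impact_score(self.records)

def rank_risks(risks, appetite: int = 14):
    """Order risks highest score first and flag those above the risk appetite
    (the 'line in the sand'): scores above 14, i.e. 3x5 or 4x4 and up, get a remediation plan."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r, r.score(), r.score() > appetite) for r in ordered]

# Constructed sample register; the values are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("clinician laptop", "theft", "no full-disk encryption", 4, 30_000),
    Risk("network server", "ransomware", "unpatched OS", 3, 50_000),
    Risk("email", "misdirected email", "no outbound DLP", 5, 200),
    Risk("back-up tapes", "hurricane", "no off-site copies", 2, 500_000),
    Risk("flash drive", "loss", "unencrypted removable media", 3, 1_200),
]

if __name__ == "__main__":
    for risk, score, remediate in rank_risks(SAMPLE_REGISTER):
        print(f"{score:2d} {'REMEDIATE' if remediate else 'accept'}  {risk.asset}: {risk.threat}")
```

Swapping in the organization-specific cost model from the ANSI report only requires replacing `impact_score`; the ranking and appetite comparison stay the same.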
Only by submitting a compelling business case for doing so can CISOs increase their chances for greater investments in information security.
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management. Chaput is CEO of Clearwater Compliance and has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.