In this episode, Clyde Hewitt dives into the history of cybersecurity risk profiles: beginning with the era of paper-based health records, moving through the evolution of risk analysis and its impact on culture, and arriving at how new and more frequent threats are creating bigger impacts that pre-existing risk models don't necessarily address. Clyde then explains what can be done to counter risk in today's new reality.
- Download our 30/60/90 day checklist, “Planning for Incident Response During the COVID-19 Crisis: Tales on Tackling the Security Debit.”
- For a full repository of COVID-19 crisis resources, visit our CTEK COVID-19 Communications page for news, articles, podcasts, and more.
- Contact us with any questions regarding the regulatory changes during the COVID-19 crisis.
Hello and welcome to CTEK Voices: The Risk Perspective. I'm Lauren Frickle and am here today with Clyde Hewitt, Executive Advisor at CynergisTek.
Clyde has over 35 years of experience in IT leadership and cybersecurity, and today he will be talking about the evolution of cybersecurity risk profiles and adjusting to the new reality.
Hello, Clyde, thanks for being here. How are you doing?
Thank you, Lauren. I’m doing well.
Today we're going to talk a little bit about risk profiles and risk management. For healthcare organizations, the risk analysis and risk management programs are literally the first two requirements listed in the HIPAA Security Rule that organizations must perform.
So, this all started back when the HIPAA rule came out in 1996; then the draft rules for security came out in 1998, and the final rules were published in 2003. This risk analysis and risk management requirement has been with organizations for over 20 years now, if you consider looking back to the NPRM, or notice of proposed rulemaking. I wanted to take a flashback to look at how risk profiles have changed in the past 20 years for healthcare organizations, how that has impacted the culture in healthcare, and how more recent changes, including things like hacking, ransomware and even COVID, while not altering the way you calculate risk, do alter the culture of how people respond to risk.
So, moving into the flashback (I mean, everybody like me probably has a little bit of gray hair). If we look back into the 2000s and before, a lot of organizations, especially ambulatory, and many of the acute hospitals as well, were paper-based health records. While they may have had electronic financial records, the actual medical record for the patient was kept in a paper file, these big, thick documents, and they had a medical records department with a room that turned out to be a large library of these things.
So, that had its own, I guess, dependencies, and the first dependency was a reliance on coders and transcriptionists. They would have to take these medical records and the audiotapes that the physician would dictate into a system, and they would transcribe that into a more usable medical record for the patient financial community.
And when it came time to share information between an acute setting, for example a hospital, and the patient's primary care providers, it was predominantly done with a fax machine; that was the lateral communication in healthcare. Fax machines were also used to fax orders and get results even within a hospital. So, you may find the nurses on Seven North, for example, faxing down a phlebotomist request or a lab request for a phlebotomist to come do a blood draw, and once that information was taken in and analyzed, the lab would fax the results back up to the floor. So, these fax machines were used predominantly, everywhere, for both lateral communication and some vertical communication with outside entities such as providers. But for the most part, the big risk was that you had a mainframe computer somewhere with some data in it, but predominantly you had the paper records and the fax machine.
Great. Thanks, Clyde. And what about the accounting side?
That’s a great question, Lauren.
If you look at patient financials, there were a lot of early computer programs, and many of the companies that are EHR vendors today started off by developing patient financial records software. Those were standalone systems. They stood inside the hospital, generally on a server inside the hospital, and when the patient was discharged, they would process the claims: they would have a coder someplace, either remotely or even in the hospital, code that information onto the UB82, and eventually the UB92, claim forms. Those claim forms, even though they weren't electronic, were merely PDF images of a standard form. And we used to joke about the UB92, which stood for uniform building forms. But there were 400 different variations of a UB92 out there, so each insurance company had its own variation.
Those forms were then assembled into large PDF documents and generally loaded through FTP sites. So, the risk involved in doing that was that the FTP sites, for the most part, had generic accounts. Everyone in the hospital that was responsible for moving those files around shared a user account. There was rudimentary encryption going on; a lot of times they would use some of the inexpensive archival zipping tools. And the sites also had only minimal auditing of who got into them, because back then it was not generally considered a risk to the organization to have these files go missing, or to worry about who may have seen them or who may have gotten access to them.
So, what were the predominant risks back then?
Lauren, the risks 20 years ago were different than they are today.
The predominant risks back then: we had to worry about faxes getting misdirected. With organizations moving, especially on the ambulatory side, phone numbers changed a lot. So, we used to talk about the biggest risk being your medical records getting faxed to Betty's Brake Shop and Bobby's Bakery. And that happened a fair amount. But the thing to remember is that back then, before the HIPAA Privacy Rule had the mandatory breach notification that went along with it, if it went to the wrong place, you called up the other person and said, "Please destroy the records," you made a note of it, and that was pretty much the end of it.
So, the consequences of a risk were, you know, minimal. But even so, organizations were still required to perform that risk analysis, because when the HIPAA Security Rule was first published in 2003, you still had to do a risk analysis. And that risk analysis followed the National Institute of Standards and Technology framework.
Simply stated: what's the probability of an adverse event happening, times the impact, or the adverse impact, of that event. And many organizations developed a three-by-three scale. They would measure probability, they would measure impact, and they would measure each using a low, moderate, and high ranking. Using the intersection of low, moderate, and high probability with low, moderate, and high impact, you ended up with a low, moderate, or high risk.
And it was assumed under the risk analysis methodology that you would always address the high risk first, and that created the one, you know, that's under 164.308(a)(1): having a risk management framework. And it assumed (correctly) that if you always address the highest risk, you will eventually move down the food chain of risk and end up with continuous improvement for your organization.
Well, that had some impacts on the culture. For example, your Chief Financial Officer, your Chief Information Officer, and your Chief Information Security Officer always looked at the highest risk. But many of those highest risks from the years 2000 and 2005 and 2008 were never perceived as urgent, because the consequences were still low.
So, a fax going to the wrong location was a high risk. The consequence was "ehh, we can deal with it," you know, we're not going to get fined, the patient's not going to sue us. And we can try to fix that by establishing auto-dialers or auto fax machines that track these phone numbers better, and you take someone misdialing a phone number into a fax machine out of the equation.
The same thing with a lost laptop. Back then organizations would lose a fair amount of laptops, but they didn't have a whole lot of patient data on them, and they also were not encrypted. So, starting around 2010/2011 we saw the publication of the HIPAA Breach Notification Rule. Now, all of a sudden, a laptop can have a half-million-dollar or a million-dollar liability if it has a lot of patient data on it.
The challenge was, from a culture standpoint, it was still dealt with as, quote, a "high risk." So the Chief Financial Officer who for the previous 10 years was thinking, here's a high risk, the faxes going to the wrong place, is now being presented with another "high risk," we could lose a laptop, because there was a lack of education at the executive level that a change in risk rating because of impact was also going to change the amount of urgency in those risks.
So, culturally, we did not do a good job of explaining that today's high risk and yesterday's high risk cannot be compared to each other.
And Clyde, has the "high was never urgent" perception changed at all?
I think you picked up on a very important point. That perception is starting to change, but we still find, especially with the CEO level, C-suites and board members, that they still have the perception that a high risk is a high risk, and they're still thinking, "Well, I dealt with high risk before and it never came back to bite us, we've got to do this."
But today, if we flash forward to what we're seeing now, we're seeing new threats. Those new threats are things like hackers coming in and stealing tens of thousands or hundreds of thousands of patient records, because those records are expensive and valuable to the organization, and they're valuable to the criminals.
So, because they're valuable, we also have bigger impacts with the breach reporting rule, where it's mandatory for organizations to at least consider a ransomware event that touches patient data as a reportable breach. Even though that data may not have been exposed or removed from the organization, it is still considered by the Office for Civil Rights to be a reportable breach.
We're also seeing increased frequency of these events, especially with COVID.
Organizations are getting pounded, especially healthcare organizations, right now with ransomware, phishing attacks, malware and stolen records, and we also have to worry about insider threats right now, as some organizations are laying off or furloughing individuals, and there's more insider threat and motivation.
The challenge is we are still using the same risk model that we used 20 years ago, and that is low, moderate, and high. The culture has not adapted; they are still looking at a high risk as the top thing that needs to be addressed, but they're not understanding the bigger impacts and increased frequencies that we're seeing.
So, with the high risk, if you look at the two pieces, probability and impact: the probability has gone through the roof for a lot of organizations, and the impact has literally gone through the roof. It's costing organizations millions of dollars right now in legal fees, recovery fees and even ransomware payments to recover from these things, but the culture still sees high risk today as high risk yesterday.
So, we have to look at, you know, how do we adapt that culture?
Clyde, what can be done to counter these issues?
Lauren, that’s where we have to bring a new reality into the healthcare risk management process.
The very first thing that we need to do is look at implementing formal enterprise risk management policies.
Those enterprise risk management policies will address a governance structure: who can make the decision and, you know, what data is needed. They also need to talk about how frequently we review these risk management results and, you know, the risk analysis.
One of the things I've seen recently is organizations continuing to take cybersecurity, privacy, and compliance risks and make risk decisions at a sub-optimal level.
So, what happens is, for example, if the CISO reports to the Chief Information Officer, or CIO, the CISO has to justify all of the risk and funding decisions with the CIO, and then that same CIO has to turn around and carry that forward to the next level. What happens is each level of the organization makes a risk management decision about cybersecurity at a level lower than where it's going to be fully addressed.
Think about medical devices, for example. If the medical device team has to come forward with "my highest risk is the legacy operating systems on 70% of the medical devices in the organization," and they carry that forward to, I'm going to say, the Chief of Facilities if that's who they report to, or the Chief of Procurement if that's who they report to, then they have to justify that to that level of the organization. And then that second-level person has to carry that decision to the next level. What happens is you end up carving out the risk, making it more difficult to actually come up with an enterprise-level program to address it.
Think about the medical devices, for example: if you have 70% of the medical devices running end-of-life operating systems, and I'm talking Windows 2003, Windows 2000, even Windows XP, no CIO would be willing to accept that on their network. But because the medical device operating system discussion was taking place outside of IT, it never came to the CIO's perspective. So, the CIO and perhaps the Chief of Facilities or the Chief of Procurement need to get together and say this is important for the organization, because this is an organizational risk. It's not a procurement risk. It's not an IT risk. This is an enterprise-level risk.
In order to do that, you have to conduct executive training, you have to go back and revisit how the governance structure works in the organization, and you have to establish a new risk culture. That risk culture means that organizations then have the ability to analyze risk at the C-suite level, and once those risks are analyzed at the C-suite level, understand the impacts to the entire organization. At that point, I fully expect the appropriate resources, oversight and expectations will be communicated to the organization, and the highest risks of today, not yesterday, will be fully addressed.
Great, thank you so much Clyde for that information on the evolution of cybersecurity risk profiles and adjusting to the new reality.
A note to our listeners, for more information on COVID-19 related content, blogs, white papers, slide shares, and more podcast episodes, please visit www.cynergistek.com.