Risk Management

Security Gap

Experts weigh in on most common gaps in security and how to avoid pitfalls

In the age of cybersecurity, there are numerous factors to consider. HIPAA requirements are at the forefront, but other requirements and necessities exist and have been known to slip through the cracks if one becomes too focused on only HIPAA.

Fortunately, people like Rob Valdez are out there, considering every possible risk or leak and keeping businesses secure. Valdez, CPA, CISA, CISM, works in risk advisory services for Kaufman Rossin. Valdez is also the president of ISACA South Florida, an organization with over 1,000 members. ISACA serves as a leading global provider of knowledge and certifications on information systems assurance and security.

“Our clients have plenty of requirements—for healthcare clients, that includes HIPAA—and as a result, they have a number of rules to follow and notification requirements,” said Valdez. “We’ll perform a gap analysis by gaining an understanding of where they are currently, then perform an assessment of their program.”

Once the assessment is complete, Valdez and his team provide remediation recommendations and other advice to help the organizations improve. “We want them to understand where they can grow most,” he explained. ‘Where can they improve to ensure they’re protecting patient data, keeping information secure, and meeting any other requirements placed on them by the regulations?”

For Valdez, often the biggest challenge can be helping organizations—especially smaller ones—gain a concept of where they stand from a risk management standpoint. At the same time, larger organizations are often aware that a problem exists, but have no concept of where to begin solving it. Juggling these two concerns can be tricky.

“As it relates to HIPAA and security, the number-one thing that causes penalties and enforcement actions from government agencies is the lack of a risk analysis,” said Valdez. “I can’t state strongly enough the level of priority organizations need to place on performing a thorough risk analysis.”

At times, this can be as simple as a brief walkthrough. Other times, it’s much more involved. “Risk, analysis—these are words we use on a daily basis in our own context,” said Valdez.

“But when HIPAA security rules ask for a risk analysis, they mean something very specific.”

A HIPAA-specific risk analysis consists of identification of assets, assessing threats and vulnerabilities, and a thorough evaluation of safeguard protections against these threats. “It’s a way to see where you stand,” explained Valdez, “and it’s also a way for an organization to know whether they’re prioritizing the things that should be important.”

Kevin Fine, MHA, is Kaufman Rossin’s director of healthcare advisory services. He clarified that when a hospital receives a fine or other disciplinary action under HIPAA, they enter what’s known as a corrective action plan. This plan can span years for full implementation.
“For 3–5 years, a neutral party like Rob’s team comes in to perform assessments with complete neutrality to prove and to ensure that under the terms of the corrective action plan, [the company] is meeting the terms set forth,” said Fine.

That means every time we read about a hospital system incurring a fine—often in the area of several million dollars—these neutral party are brought within the walls of these hospitals to prove the validity of their risk assessment measures. There’s no gray area either—fail to bring in this neutral party, and the financial penalties continue to accumulate.

The good news is with professionals like Rob Valdez and Kevin Fine available, hospital systems should never reach the punitive portion of this process. “One of our goals in protecting our clients is ensuring they never arrive at that point,” confirmed Valdez. “We’re here to ensure they’re doing the things they’re supposed to do. If an unfortunate event such as a data breach were to occur, that’s when you start looking at a worse scenario.”

But much as an otherwise healthy person is advised to visit their doctor annually, risk-averse organizations should be striving to maintain that status by undergoing regular risk checkups.

“One thing we know in the healthcare environment,” said Fine, “is that it’s impossible to bullet-proof a system because of the sheer amount of technology and the fragmentation in this environment. You’re always putting your best foot forward, showing that you’re putting forth a good-faith effort and preparing for all possibilities and scenarios.”

At the end of the day, however, you can’t control human nature. There’s just no way to stop, say, an employee from walking off company property with a computer and selling data. “It’s just not 100 percent bulletproof,” Fine reaffirmed. “Our focus is putting in the controls, educating from an individual, group, and organizational standpoint. It’s the organizations who hit a breach, or another bump in the road and don’t do anything that incur the greatest amount of corrective actions. The idea is to be proactive rather than reactive.”

In our next installment, Fine and Valdez discuss employee training, including an activity known as ‘phishing simulations.’

About The Author