Healthcare Advisor: Data Security: Is Your Organization Doing Enough to Protect Against Threats?

May 24, 2016 by Bonnie Bastow, CIA, CISA, CISM, Director of Risk Advisory Services & Ira Bedenbaugh, Healthcare Principal

Continued advances in firewalls, intrusion detection devices and security monitoring software offer organizations across a host of industries new levels of security against cyber-attacks. At the same time, these measures and other steps taken by Information Technology (IT) professionals cannot eliminate every threat from hackers, scam artists and even employees intent on obtaining, sharing or selling data for their financial gain. Additionally, IT security measures can’t always prevent an employee’s unintended exposure of non-public or proprietary data.

In today’s environment, investments in the latest security hardware, software and services can create a false sense of protection for organizations. The reality is that all organizations have some level of exposure to potential cyber threats. The quality and depth of the measures that are in place and the comprehensiveness of an organization’s strategy to mitigate and respond to cyber events are two of the main considerations for an effective cyber security plan.

According to a Data Breach Investigations Report from Verizon, approximately 87 percent of all breaches could have been avoided by implementing simple or intermediate internal controls. Verizon has further noted this vital observation regarding IT Security: “Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don’t do).”

Responding to the Cyber Threat Revolution

As cyber threats continue to evolve, it’s not a question of if some type of breach will happen. The more relevant questions have become when will it happen and what form will the breach take. To be clear, this is not an IT-only issue. IT security and internal controls have become an important company-wide concern. Internal controls are the responsibility of everyone in an organization. Given the ever-present danger of the threats that exist, it’s short-sighted for any organization to place the entire burden of IT security on IT departments – particularly those that are already stretched to the limit in relation to manpower and resources.

The IT resources for a small or mid-sized company are typically limited when compared to today’s cyber threats and the damage those threats can inflict. The reactive stress of daily demands on existing in-house IT Departments can divert resources away from the proactive tasks of managing security and cyber threats. For many organizations, the trend in recent years has moved toward less IT staffing as companies have sought to realize savings by keeping the number of full-time employees to a minimum and utilizing specialists where needed. As a result, companies are relying more on third-party vendors to assist with security aspects; however, this does not necessarily reduce overall risks.

Organizational Challenges & Real-Life Scenarios

At the small- and mid-size healthcare business level, IT security is overseen by the CFO, the CEO or the practice administrator. Some organizations will even choose to outsource their IT security oversight. Generally speaking, CFOs and CEOs are not well-versed in the technical aspects of IT Security. The trap of believing that a third-party resource has the security needs sufficiently covered awaits all senior executives who engage or oversee the work of external IT resources (vendors or contractors). The simple reality is that no group of external resources or team of employees can totally eliminate cyber threats, and the false sense of security senior executives can hold regarding potential exposure to cyber criminals or bad actors accessing their systems can be as dangerous as the threats themselves. Further, within a healthcare setting, many organizations are dealing with multiple facilities and locations. These can range from the sophisticated large hospital to any number of remote facilities that operate more like small businesses. The healthcare industry features corporate office operations with a core staff and locations that are spread across multiple states, as well as home health, nursing homes, imaging centers and other medical facilities – all of which have IT security needs.

In-house IT staffing at small- or mid-sized companies can typically range from one to four full-time employees. These professionals are usually assigned to oversee the operation of the network, handle any issues with the email server and work with the printers on site. Along with other daily IT maintenance and support tasks, they may be called upon to support certain applications, especially those that are critical to the daily operations of the business.

Within small- and mid-sized business settings, the CFO or CEO is ultimately placing a great deal of trust in their IT people and vendors. Oftentimes, those CFOs or CEOs who are overseeing the IT activities of their companies don’t know the questions to ask in regard to IT security. Unless they hold expertise in the intricacies of systems operations, most senior executives will likely have difficulty challenging their IT teams on points related to security of their data and systems.

Consider Scenario No. 1: A phishing email is sent to a small company. The phishing e-mail appears to come from the CEO directing the Controller to make a sizable payment of funds, typically via a wire transfer. Lacking the proper security protocols, the money is disbursed into the account of the hacker. Phishing scams along these lines are both commonplace and effective in breaking through the minimal procedural security measures set up by small- and mid-sized businesses. In many cases, it takes an event like a phishing email and/or a breach that leads to a financial loss before the leadership at many organizations will realize that it can indeed “happen to them.” From that point forward, IT Security and internal controls become a priority. According to a Verizon study on data security, phishing scams are the easiest and most frequent initial point of entry “into” an organization.

Questions to Consider in Evaluating the Quality of Data Security & Internal Controls

Assessing the quality of an organization’s data security and internal controls requires an in-depth analysis. There are a myriad of questions to be considered, including the following:

  • Does your company or organization have a current cyber security program? If so, when was the last time any of the following were performed:
    1. A cyber security risk assessment?
    2. An internal network vulnerability assessment?
    3. An external network vulnerability assessment?
    4. A penetration test (exploiting vulnerabilities identified during network assessment)?
    5. A remote social engineering (Spear Phishing) assessment?
  • When was the last time your company had an independent assessment of your IT environment?
  • Do you know if your organization has solid IT controls in place to maintain a secure environment?
  • Do you have any concerns related to your Information Technology or Information Security?
  • Has your IT organization experienced a lot of turnover, or do you have any concerns related to the knowledge level of your IT team?
  • Has your company had (or are there plans to have) any new financial systems implemented during the current fiscal year? Have you significantly changed the program logic to any of your key financial systems?
  • Are you planning, or have you recently completed, an acquisition or do you expect to significantly expand your business acquisitions?
  • Is your company experiencing significant business growth?
  • Is your company planning to go public or is it being positioned to sell within the next two years?

Physician’s Practices & Increased Risks of a Security Breach

Considering the challenges faced on a daily basis, a physician’s practice stands at an increased risk of falling prey to a security breach. While the focus is obviously on the medical needs of its patients, a physician’s practice is also a small business operating under federal mandates such as the Health Insurance Portability and Accountability Act (HIPAA).

In addition to the protocols related to IT security considerations discussed here for small- and mid-sized businesses, physician’s practices must implement internal controls designed to safeguard the electronic protected health information (ePHI) of their patients. The stresses on IT resources within a physician’s practice are magnified because the systems and personnel resources must be able to support both the operational business needs and the requirements related to all ePHI.

The healthcare industry was recently notified by the United States Department of Health and Human Services (DHHS) that the agency has begun the process for Phase 2 HIPAA audits for covered entities and business associates.

The Office of Civil Rights (OCR) has been assigned by DHHS to serve in an investigative and enforcement role that will seek to identify best practices, while proactively uncovering risks and vulnerabilities to ePHI. For those healthcare entities selected for a HIPAA Phase 2 audit, the OCR will review the security policies and procedures utilized by entities and employees involving ePHI.

The reviews will focus on whether or not the entities and employees meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. While the majority of these reviews will be “desk audits,” the OCR plans to conduct some on-site audits as well. Compliance with the provisions outlined in HIPAA Phase 2 is critical to the operation of a practice. Violations of the Security Rule that are discovered through an OCR audit could result in fines exceeding $1 million. To learn more about Phase 2 HIPAA audits from an alert recently issued by Elliott Davis Decosimo, please click here.

Consider Scenario No. 2:  An employee of a health care provider downloaded a report that contained ePHI and stored the data on their company-issued laptop.  The laptop was stolen from the employee’s vehicle, resulting in a security breach reportable to the OCR.  A HIPAA Security Rule Assessment performed by Elliott Davis Decosimo, prior to the breach, identified that the practice was at risk because the hard drives of their laptops were not encrypted.  This breach occurred after the Assessment, but it happened before the company had encrypted all of their laptops. Fines for an event like this can range from $1,000 to well over $1 million.  Additionally, these types of reportable events can result in reputational risk exposure because all reportable events are public information.

We Can Help

At Elliott Davis Decosimo, our professionals have the right kind of expertise with financial, operational, and IT controls to evaluate the overall cyber security risks of an organization and assess the most significant needs going forward. Our approach is based on taking a defined set of controls and applying those standards to our clients’ infrastructure. Our process is initially facilitated through inquiries with management, review of policies and procedures, and other related documentation. Our process may also include verification procedures to evaluate the operating effectiveness. Not only does our firm’s report highlight risk areas and potential vulnerabilities, but organizations can use this analysis to assist in prioritizing spending for an upcoming budget year, including the addition of training for employees on cyber security threats and regulatory requirements such as the HIPAA Security Assessment. To learn more on what our firm has to offer in the area of internal controls and data security, contact your Elliott Davis Decosimo advisor or Bonnie Bastow. If your practice or hospital has IT needs specific to healthcare issues like the HIPAA Security Rule Assessment, contact Ira Bedenbaugh via email.
