This week is National Health IT Week, and you may be wondering – what is the best way to observe this occasion? While planning for catastrophe may not seem the most celebratory activity, this week is a great occasion to start or review your organization’s risk assessment.

What is Risk Assessment?

Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for surgery. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.

How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.

How to do an EHR risk assessment

There are three basic steps – the time and effort they require depend upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth each time. This splits a huge project into something more manageable that you can revisit to add depth and detail, and to keep up with changes as they occur.

  1. Identify your assets and transmission methods:
    The first step in any risk assessment is to identify and document the EHR assets in your organization, anything that is used to input, store or transmit ePHI (electronic Protected Health Information): e.g., patient names, addresses, Social Security Numbers, email addresses, fingerprints or photographic images. Remember that ePHI could end up in places you might not initially expect. Patients’ names and email or physical addresses are likely to be found in appointment information, and their Social Security Numbers might be included in billing and insurance records. The most likely places for ePHI to be stored include laptops, hard drives or servers, backups, cloud services, mobile devices, smart cards and other portable media. Be sure not to forget web applications and non-Windows systems, such as medical devices, printers and scanners. When identifying transmission methods, consider all sources and destinations of information, including doctors, nurses, patients, insurance providers, backup services and cloud providers. These transmissions could take place via regular mail or email, text message, instant message or the web, or by Health Information Exchange, fax or network shares. Transmissions could also occur via apps for billing, patient management or prescription management, for example. You can start identifying this information by looking at current and past projects, as well as at existing policies/procedures. It is also incredibly useful to consult IT and other staff, as they may be using methods that are not documented. If you are in a small clinic that has all its information on one machine, this step may go quite quickly. If you are assessing a larger organization, this will necessarily be more complex and full of potential surprises.
    This is where a rolling risk assessment is particularly helpful: As your assets and methods of transmission evolve, you can note this in your documentation, so you do not have to restart the identification process each time you revisit the assessment.
  2. Identify risks and vulnerabilities:
    Once you have identified your assets, you can begin identifying the risks and threats to them. It is important to consider not just cybercrime problems, but also any other human-made, natural or environmental troubles that could befall your systems. That includes the possibility of disgruntled employees or contractors, power outages and weather-related damage, such as earthquakes or major storms. Do not dismiss any possible calamity at this stage, no matter how far-fetched it seems. Like the identification of assets, this step needs regular updating, since known vulnerabilities change frequently. This step and the following one are also collectively known as Business Continuity Management (BCM) – which simply means ensuring that your business keeps running, even in the event of an emergency. My colleague Stephen Cobb has more information on BCM, with tips and resources for people looking to create a Business Continuity Plan.
  3. Assess the relative likelihood and impact of threats and vulnerabilities:
    Once you have got all those disastrous scenarios listed, it is time to create a matrix that ranks them in terms of severity of impact and likelihood of occurrence. Some problems are minor, but likely to occur; others are more severe but unlikely. You will find it helpful to get multiple perspectives on the relative probability of threats materializing, so consider enlisting outside experts for help at this stage.

Once you have documented all of the above, you need to review the measures you already have in place to help avoid, mitigate or transfer risk – for example, anti-malware protection, encryption, firewalls, and two-factor authentication. Are you missing any of these? What about cybersecurity insurance and employee education? You also need to plan for testing and deploying software updates and patches on your machines, including mobile devices and embedded systems. Any gaps should be documented and then addressed. When considering the cost and effectiveness of the countermeasures to address gaps, it is important to balance this with the value of the asset being protected.
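To make the three steps and the control review concrete, here is a small risk register written for this post as an added example (not code from the original article). The asset names, threats, the 1–5 likelihood and impact scale, the severity bands and the baseline control list are all constructed assumptions for illustration.

```python
"""Added example: a minimal EHR risk register covering steps 1-3 and the
control-gap review. All assets, threats, scores and controls are constructed."""
from dataclasses import dataclass

# Step 1: inventory of assets that store or transmit ePHI (constructed sample),
# with the protective measures each one already has in place.
ASSETS = {
    "billing-server": {"ePHI": ["names", "SSNs"], "controls": {"firewall", "backup"}},
    "front-desk-laptop": {"ePHI": ["names", "addresses"], "controls": {"anti-malware"}},
    "staff-email": {"ePHI": ["names", "email addresses"], "controls": set()},
}

# Baseline measures to check for on every asset (assumed list for this example).
BASELINE_CONTROLS = {"anti-malware", "encryption", "firewall", "two-factor", "patching", "backup"}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact


# Step 2: threats per asset, deliberately including non-cyber events.
RISKS = [
    Risk("billing-server", "ransomware", 3, 5),
    Risk("billing-server", "power outage", 4, 2),
    Risk("front-desk-laptop", "theft of unencrypted device", 3, 4),
    Risk("staff-email", "misaddressed email with patient data", 4, 3),
    Risk("billing-server", "earthquake", 1, 5),
]


def band(score: int) -> str:
    """Assumed severity bands for the likelihood x impact matrix."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


def rank_risks(risks):
    """Step 3: order the matrix by likelihood x impact, highest first."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset, r.threat))


def control_gaps(assets, baseline=BASELINE_CONTROLS):
    """Review of existing measures: baseline controls missing on each asset."""
    return {name: sorted(baseline - info["controls"]) for name, info in assets.items()}


def register(risks=RISKS, assets=ASSETS):
    """Rows of (asset, threat, score, band, missing controls), ranked by score."""
    gaps = control_gaps(assets)
    return [(r.asset, r.threat, r.score(), band(r.score()), gaps[r.asset]) for r in rank_risks(risks)]
```

Re-running `register()` after each pass of a rolling assessment shows how the ranking and the gap list shift as assets, threats and controls change.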

But do not stop there. Risk assessment should be an iterative process that is an ongoing responsibility, rather than something you do once and consider complete. Business environments, the threat and vulnerability landscape – as well as defensive technologies – are all constantly changing.

Additional resources

Internal Auditor article with more info on where to audit:
http://www.theiia.org/intAuditor/itaudit/archives/2008/january/assessing-it-risks-in-the-health-care-industry/

SMB Risk Assessment tool:
http://www.healthit.gov/providers-professionals/security-risk-assessment

Health and Human Services security and privacy training materials:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html

Risk Assessment Frameworks:
http://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment

Computer Security Handbook (especially chapters 58, 59 and 62):
http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118127064,subjectCd-AC03.html