Healthcare Risk Assessment Essentials

Wednesday, August 25, 2010

Jack Daniel


Health information technology (HIT) owners are faced with the growing demand—and challenge—of creating and operating a solid electronic health record (EHR) security ecosystem.

The risk assessment process necessary to begin this undertaking is the cornerstone in creating a strong information security program. It provides an organization with insight into the walled and non-walled security posture and thus, enables organizations to make informed security decisions.

But do HIT owners understand the security status along every perimeter, including the practices that sit outside the datacenter? Do they know how to stay “out of the headlines”?

The majority of HIT owners focus on securing data within their datacenter walls, but many have no clear understanding of, or focus on, the threats and issues that exist outside those walls.

What measures are in place to deal with breaches, stolen data, hacker attacks, and theft? What people, processes, and technologies are needed to address these and other external factors?

One of the largest challenges facing HIT owners when trying to secure their organizations is vision.

Without properly enumerating all of the processes, technologies, and stakeholders, along with their associated risks, it is nearly impossible to design and implement proper controls. Even a small to mid-sized healthcare organization can comprise hundreds or even thousands of constituents.

When you add in all the processes and technologies these constituents rely on and use, it can be mind-boggling! If clear vision can be established, control design and implementation, as well as information security decision making, become easier, and the risks posed to your protected information assets are decreased significantly.

The risk assessment process reviews existing administrative, technical, and physical controls both within and outside of your organizational walls. It includes analysis against a best practice framework, and quantifying risks and gaps to create a program roadmap.

Properly followed, the outcome of this process is a comprehensive assessment of an organization’s security program, an actionable set of recommendations, and a clear roadmap and plan for remediation.

It will ensure your organization is secure on the inside as well as outside your walls, while aligning compliance and business drivers and providing critical vision into the organization’s security posture. Furthermore, a risk assessment is required to satisfy Meaningful Use criteria in order to receive federal incentives.

To complete this risk assessment, a four-step process should be followed: discovery, assessment, recommendation, and review.


There are many drivers and objectives in every organization, and identifying these early in the risk assessment process will ensure the results are a tailored fit for the organization. Things such as fiscal responsibility, staffing, regulatory drivers, business objectives, and operational drivers are “must have” knowledge when conducting a risk assessment.

The discovery phase is where all this information, as well as any existing documentation pertinent to people, process, and technology, is collected. Once documentation is collected, it is critical to sit down with each data owner or responsible person to understand the processes they use and the lifecycle of the information they are handling.

This should be the longest phase of the assessment process. Ensuring all information is collected, processes are understood, and the drivers/objectives behind these processes are understood will provide the groundwork for a solid risk assessment with optimal value.

- Gather existing documentation (policies, procedures, diagrams, and other business and infrastructure documentation)
- Identify key stakeholders; determine organization goals and objectives
- Utilize interviews/workshops to identify existing controls, processes, and technologies used


The assessment phase is where all the collected information is analyzed and quantified using a chosen framework. There are many frameworks available, most notably the best practice frameworks provided by the International Standards Organization (ISO), the National Institute of Standards & Technology (NIST), and the Information Systems Audit & Control Association (ISACA).

Best practices frameworks are, more often than not, authored agnostic of regulatory drivers. The recommended framework for a comprehensive assessment would therefore be a “best of breed” framework rather than a best practices framework alone.

A “best of breed” framework ensures the applicable regulatory drivers are mapped to a best practices framework so regulatory compliance can be something that is painlessly monitored and reported.

Once a framework is chosen, the information collected is compared against the control objectives or statements within the framework. The result is a quantified current state of your organization’s security posture, as well as the pertinent compliance states if a “best of breed” framework was chosen.

- Review documentation and interview/workshop notes to identify gaps
- Compare organization security posture to the framework to quantify risk


The output of the assessment phase will be a pointed list of the good, bad, and ugly of your organization’s security posture. During the recommendation phase it is important to align these gaps and weaknesses with the drivers and objectives identified in the discovery phase, and to draft the applicable recommendations to close the gaps and correct any weaknesses.

Recommendations should be phased according to several categories, such as Tactical (6-8 weeks), Mid-Term (2-6 months), and Strategic (6-18 months and longer). Phasing recommendations this way will ensure “quick fix” and “low effort” items can be remediated immediately, while longer term items involving purchasing technologies or re-engineering processes can be well planned and involve all the proper stakeholders.

- Document all findings and make actionable and prioritized recommendations for the organization’s security posture


Once all recommendations are drafted, they should be reviewed with business units and stakeholders to ensure they are suitable and aligned with the business vision and operations.

- Review all findings and recommendations with business and technical leaders to ensure recommendations are suitable for the organization and align with business objectives

This is how a well planned risk assessment can provide vision and key decision-making information to stakeholders to ensure protection of critical information assets.

If security initiatives are not correctly aligned with business drivers, the program will become tactical in nature and ultimately fail. A security program needs to be strategic and evolve with updated standards and legislation, organizational goals, and emerging technologies.

A risk assessment needs to go beyond regulatory expectations to ensure an organization is truly protecting its sensitive information assets. Utilizing a best of breed or best practices framework will enable the organization to complete a risk assessment that identifies security gaps and control weaknesses rather than only regulatory gaps.

If information assets are secured rather than compliant, emerging legislation will become a checkbox rather than a tactical financial black hole.
