The what, why and how of security risk audits

The healthcare industry runs on data. Medical facilities share it to inform their treatment procedures and patients take advantage of it to direct their health choices.

But there’s a process to data exchange to ensure compliance and keep patients’ privacy protected, in accordance with HIPAA regulations. If vulnerabilities exist in EHR networks, information can be lost – or worse, stolen – opening the door to potential legal ramifications.

Security risk audits provide protection. But what, exactly, are security risk audits? What do they involve? Are they really all that necessary? Understanding their purpose can help you keep up with the ongoing demands of a tech-driven communication and compliance landscape.

What is a security risk audit?

Security risk analysis isn’t just a good idea – it’s mandatory for all medical facilities and offices to perform annually to be compliant with the rules and regulations established by HHS.

“Risk audits, or security risk audits, are required to ensure that the data being collected by any organization is securely stored, processed and handled by that organization,” said Srini Kolathur, director of EHR 2.0. Based out of North Carolina, EHR 2.0 is a third-party, HIPAA consulting and compliance services firm that provides facilities with the resources and knowledge they need to exchange data safely and in accordance with federal law. Kolathur has over 20 years of experience in managing information technology and has been involved in risk assessment for several Fortune 100 companies. In short, Kolathur knows what he’s talking about.

It isn’t just the law that makes security risk audits important, however. Kolathur said audits also help build patient trust, as they’re a good business practice that helps ensure data is stored properly. They also provide protections for medical facilities from lawsuits, as mishandled patient health records can easily wind up in the wrong hands, causing those affected to seek compensation.

“Data is money,” Kolathur said. “There are a lot of people who are interested in the data we’re storing. What we do is identify vulnerabilities, come up with a plan that mitigates them and continuously comply with [regulatory] requirements.”

What are the key elements to a security risk audit?

Although there’s a difference between security risk audits and assessments, they’re often used interchangeably because there are several layers to them. These include, but aren’t limited to, an analysis of what security measures presently exist, what threats were exposed or existed in the past and evaluating the likelihood of something happening in the future. All of these data points are documented and summarized to formulate a risk management plan .

Kolathur noted that there are generally two ways to go about a security risk audit – internally or externally, meaning handled by a third-party.  Although in-house is convenient, the negatives outweigh the positives.

“The risk is greater if it’s in house,” said Kolathur. “How are end devices handled by staff? Patient information might be stored in end devices accidentally. And if someone loses their device, they would have to report that incident to HHS.”

Kolathur stated that third-party organizations can provide strategies and services that encrypt end devices so that they are more secure.

Medical facilities aren’t wrong in wanting to keep their EHR in a single location. Nearly 95 percent of patients prefer their medical information to be stored this way, according to a 2016 survey conducted by Kelton Global.

The problem is, many of today’s medical offices, hospitals and practices lack the available capital to keep EHRs truly protected.

“We’ve seen a similar pattern in how the healthcare industry uses and adopts technology,” Kolathur said. “In my opinion, they are about five to 10 years behind the curve. Many do not understand the risks and the exposure they might have to their data due to the highly sophisticated hackers and state organizations that are lurking out there.”

Healthcare organizations are under attack, frequently targeted by identity thieves. According to the Ponemon Institute, criminal attacks are the leading cause of data breaches in the healthcare industry. A large percentage of healthcare organizations have already experienced a breach, with 40 percent affected by five or more since 2013.

Additionally, based on findings from the Identity Theft Resource Center, only the business sector experiences more breaches per year than healthcare.

It isn’t just external threats, either. Kolathur said it’s not unusual for data to be exposed unwittingly by healthcare professionals. According to research from Johns Hopkins University and Michigan State University, 53 percent of breaches are caused by internal negligence.

“Humans are the weakest link in the whole ecosystem,” Kolathur warned.

How third parties can help

Third-party organizations work to plug gaps by specializing in health information technology and compliance management services.

He added that customers need to protect their data as mandated by HIPAA, but funding makes that difficult when most spending is directed toward other places that are more treatment-centric. Cost-effective solutions give practices the leverage and efficiencies to attend to security vulnerabilities.

“You have to spend a certain amount of resources to keep up with security and technology because technology is changing every day,” Kolathur said. He added that with the help of third-party organizations a company, like EHR 2.0, can better examine existing architecture in healthcare facilities, the gaps that exist and implement a process-based approach to plug those holes.

As a customer of EHR 2.0, Tangible Solutions recognizes the importance of ongoing security audits and utilizes those audits to ensure the continued security of its hosting services.  If suspect your current security risk assessment program is insufficient or you’d like to learn more, feel free to contact us today.