Category: Uncategorized

New Study Shows That the Global Cost of a Data Breach Is Up in 2018

The Ponemon Institute recently released its annual Cost of Data Breach Independent Study that was sponsored by IBM Security. This study included two new factors that impact data-breach costs: Artificial Intelligence (AI) and the all-encompassing use of Internet of Things (IoT) devices.

The analysis also factored in the cost of a “mega breach” — the breach of 1 million records or more — and also used a formula to measure the financial cost of customers’ loss of trust in a company.

According to the 2018 Cost of a Data Breach Study, around 25 percent of all U.S. data breaches were recognized as carelessness or user error. The study stated that users consistently failed to properly erase data from devices. The study also reveals that negligent breaches are about half as frequent as criminal breaches.

The rate of data breaches is rising, and they are costing companies more to manage. U.S. businesses are shelling out about $7.9 million per year to fight off and recover from data breaches.

Root Causes by the Numbers

The study made known that malicious or criminal attacks caused the most data breaches at 48 percent. 27 percent were due to human error, and 25 percent were comprised of both IT and business process failures (system glitches).

Data Breach Cost Is Up in 2018

In this year’s study, the average cost of a data breach per compromised record was $148, and it took companies 196 days, on average, to uncover a breach. Based on these averages, The Ponemon Institute determined that the per-capita cost, average cost, and overall cost have swollen in 2018.

With the U.S. leading the way at almost five times that of the global average of notification costs, the Middle East had the highest percentage of the most expensive type of data breaches: Malicious or Criminal Attacks.

Globally, here is how the numbers broke down:

The Size of the Breach Does Matter

The Ponemon Institute’s 2018 report found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

The study also revealed that a “mega breach” (what the Ponemon Institute deems as 1 million compromised records) can cost upwards of $39.49 million. As expected, this figure goes up as the amount of breached records grows.

The Consumer Impact

According to the report’s findings, organizations globally lost customers due to data breaches in the past year. But it also pointed out, businesses that put in the effort to improve customer trust reduced that number significantly. When a Company’s senior-level leader, such as a CEO or CISO (chief information security officer) addressed customer’s security concerns and pointed to fixing the issues, businesses lost fewer customers and reduced the overall cost of the consequences of a breach.

The Effects of AI and IoT

The 2018 study, for the first time, assessed the effects of a company implementing Artificial Intelligence (AI) and the use of Internet of Things (IoT) devices. The conclusion is AI security platforms have saved companies an average of $8 per compromised record at identifying and containing breaches by incorporating machine learning and analytics. So far, just 15 percent of companies reviewed in the study said they had fully implemented AI. At the same time, businesses that comprehensively use IoT devices pay on average, $5 more for each compromised record.

How Companies Can Reduce Data Breach Costs

In total, The Ponemon Institute’s 2018 report included 477 companies. It found that the mean time to identify a breach was 197 days, while the meantime to limit a breach is 69 days.

There are, however, strategies that support businesses and work on lowering the likely cost of a data breach. This is the 13^th year of The Ponemon Institute’s study, and an alarming trend has reared its ugly head. For the fourth year in a row, the study found a connection between how fast a business detects and contains a breach and the sum of the total cost when all is said and done.

Conclusion

The study found that, above all, preparation and vigilance is crucial. An incident response team can reduce the cost of a breach by as much as $14 for each breached file from the average per-capita cost of $148. Comparably, extensive use of encryption can cut the cost by $13 per person. What all these statistics mean is that companies can reduce the cost of a data breach and reduce the negative effects to their company simply by being prepared. Your company needs a data breach team on staff who knows what to do and how to respond should any type of breach occur.

Identifying the Right IT Services Provider for Your Business

IT service providers, also called managed services providers (MSPs), are in the business of managing a company’s IT needs.  IT service providers can offer their services both remotely and on-site. They normally render their services by one of two ways:

• On an output-basis model
• On a fixed-price subscription model

Pricing Model Breakdown

IT service providers often offer pricing models that are broken down per-device, per-service, per-user, and an all-inclusive subscription model. Since managed service providers charge for their services using several pricing models, it’s wise to evaluate what the essential needs of your business are in order to get the best bang for your buck.

The Balancing Act of Business Growth and IT Support

As your business starts to take off, your IT support will need to increase as well. Navigating both where your business is headed and how to manage that growth with proper IT support can be a delicate balancing act. So often, business owners tend to focus on growing their business rather than on their IT support, leaving their company open for easy attacks from online predators.

What exactly do businesses need to look for in a managed IT services provider?

Ability

The first thing to look for is an IT support provider that has a proven track record of hiring and employing properly trained employees that are well versed in both IT and the company’s vision.  Look for company reviews with remarks stating that their staff is furnished with the right skills and experience to successfully execute all the expected IT tasks.

Another important item to look for is their certifications from top IT trade organizations, such as the Computing Technology Industry Association (CompTIA) or Microsoft Certified. These credentials are proof that the IT company takes training their team seriously.

Quality Customer Service

Another important factor to look for when finding the right IT provider is how quickly and effectively they respond to your company’s needs. Normally you can find this out by asking about their help desk software and ticketing system. A capable ticketing system that has a history of correctly prioritizing IT glitches is necessary for a fluid IT support team. The better the provider’s help desk and ticketing system, the more efficient the managed services provider will be. They should demonstrate a good system of keeping track of all their tasks and assignments. That way, your IT issues won’t get lost in a heap of paperwork lying on someone’s desk.

Budget Planning Value for Your Company

Too often the majority of a businesses’ IT budget goes to unexpected expenses. This puts a strain on making crucial planned improvements. You can’t purchase new computers or software when you need it. Your employees aren’t productive and there’s a higher rate of frustration in the workplace. Fortunately, a good managed IT service provider will offer managed services at a fixed rate to ensure your business runs efficiently and affordably.

By customizing the services that you get, you can focus on specific services that fit your company’s needs, such as:

• Cybersecurity
• Daily backups
• Disaster Recovery Planning

On-Call IT Support

A necessary service for most companies is fast IT support. You never know when servers or computers might break down. Who can you call for any problem? Will they get there right away?

When combing through a company’s review section, look for their quick response rates and their on-site support. A good IT provider will be adept at hiring experts in their respective fields that they can turn to when you have a problem.

Much of the time, managed service companies can remotely diagnose and repair common errors. However, some issues cannot be resolved remotely and need to be handled on-site. Look for a company that has a reputation for being there when you need help. They should work to establish and nurture a good business relationship with you by responding quickly to your IT needs.

Cloud Integration Services

With the emergence of cloud technology, protecting your company’s data is essential. Just about every business now relies on data acquired through different means. Today, almost every IT provider offers data backups as part of their service.  They normally offer different pricing options based upon the frequency of backups and the incorporation of other cloud-based services.

Just like disaster recovery planning, routine backups provide insurance against all types of disasters. It simply makes sense to back up your data frequently to avoid any type of threat to your company’s files.

Monitoring Cybersecurity

Cyberattacks are becoming more prevalent and causing major disruption and damage to even the strongest of companies. Hackers can easily breach outdated software after determining the unpatched software’s security flaws. Look for an IT services provider that has a proven track record of not only monitoring a company’s cybersecurity, but regularly testing it as well.  A good IT services company will keep all software updated and secure.

IT consulting companies manage large data centers and put multiple layers of protection in place, but companies can still be breached by hackers. All it takes is one careless employee who clicks on the wrong email attachment. Employee training is a must these days. And it usually works better if you can provide quarterly training for employees. They do get busy and forget and this can result in disaster.

Summary

Keeping up with the ever-changing world of information technology means exploring new solutions as they become available to your business. When searching for the right IT services provider for your business, look at their years of experience. Check the type of industries they have worked with. Read over their client’s testimonials and reviews. When setting up a meeting with the IT company, make sure to have a summary of your business needs on hand. Come armed with a thorough list of questions for the IT consultants. With in-depth research, you will be able to determine the right IT managed services provider for your business.

More and more dental practices are outsourcing their IT needs, and are reaping the benefits of such a choice. By using a vendor, you are able to maintain better control of your IT budget, you can leave the headaches and complexity of IT technology to the experts, and you can save on office space (which is often at a premium), as well as hardware costs. However, it can be tricky to find the right provider for your dental practice, so here are seven things to look for when outsourcing your IT services.

They Take Security and Privacy Very Seriously

Dental offices are not immune to hacking and data theft. In fact, personal health information is a very desirable target for hackers. A solid IT provider will make sure that your system has up-to-date security software and tools to protect that data. This can include firewalls, encryption, anti-virus, web filters, and anti-malware software. It also entails keeping security software and tools up-to-date and patched.

No dental practice can afford to have a hacker prowling around in their patient’s data. In fact, ransomware crimes are escalating in the healthcare sector. Imagine logging into your network only to find that hackers have seized all your patient records and are holding them for ransom. Either you pay or you could lose everything. Consumers are not very forgiving when they hear that a favorite store or medical practice has been hacked.

An often-neglected aspect of security is not only making sure your data is backed up, but can be quickly recovered if an issue should arise. A good IT provider should offer a system that allows you to seamlessly continue normal operations while repairs are being performed. You can’t afford to lose access to patient files, billing information, and scheduling. Any good IT services provider should rank your network security as a number one priority.

Support HIPAA Compliance

The importance of HIPAA compliance cannot be overestimated, and you need an IT provider that is not only well-versed in the rules and regulations involved, but is as dedicated as you are to preserving the privacy of your patient’s information. A good dental IT vendor will be committed to securing your patient’s sensitive information and will offer tools and features to help support HIPAA compliance.

They Understand the Practice Management Software You Use

Dental practices have IT needs that are far different from other types of healthcare practices. It’s important to find an IT provider that is experienced not just with dental practices but with the particular type of practice management software you use. It is vital that they efficiently integrate the IT services they provide with things like patient clinical charting, radiographs, and digital x-rays. To do this well, they must be familiar with the type of software you use.

They Focus on Your Needs

A good dental IT provider will be focused on the specific needs of your practice. Before anything is implemented, you should expect your IT provider to perform a thorough review of your technology requirements. And when outsourcing your IT, make sure they understand not just the ins and outs of IT, but the special challenges involved with a dental practice. This way they can integrate the most important components of your dental practice with an effective, reliable IT system. This will ensure better productivity for your staff.

They Support Cloud Services

Another key feature to be considered when shopping for an IT provider is cloud services. Cloud services can save on the cost of (and space required for) server hardware. The cloud makes backup and disaster recovery easier and more robust. If you choose to go with a paperless office, then cloud services are your best answer. In fact, cloud services can make HIPAA compliance easier as well. There are a lot more great reasons to choose the cloud and your IT services consultant should be able to spell these out for you.

They Can Help You Scale

As your practice grows, your IT needs are going to expand. Make sure that any IT services company you are considering can help you easily scale up your IT resources both in terms of hardware and software. Whether it’s setting up additional storage for your practice’s file system or installing an upgrade of your practice management system, they should be able to fully support your needs not just now, but in the future.

They Are Strong on Support

Having the most state-of-the-art, robust IT system does your employees little good if there is poor customer support. Check into what types of remote support any potential IT providers offer. Let’s face it: when the IT network goes down, it limits access to critical files and you need that access restored ASAP. Imagine the chaos that can quickly result when your staff can no longer pull up a patient’s chart or schedule appointments.

Another aspect of support is onboarding, where the IT vendor provides you and your employees with training. Good training for your employees is vital. They may need extra help in dealing with the bugs that seem to go along with new software installations.

Conclusion

If you are planning to outsource the IT needs of your dental practice, keep in mind key factors like security, HIPAA compliance, scalability, and support. Also, don’t forget to make sure they are familiar with the practice management software you use, as well as dental office needs in general. Finding a suitable IT services provider can be challenging, but you’ll be glad you made the switch to outsourcing if you take the time to find the right IT provider for your dental practice.

EHR interoperability – considered by some to be the “holy grail” of electronic health record systems – may be a little closer than you think. This summer, a new architectural innovation will be implemented that is guaranteed to positively impact the way different EHR systems exchange information with each other.

o

Interoperability

In the context of electronic health records (EHR), Interoperability refers to the ability of healthcare providers using two different EHR systems to be able to exchange patient information. A combination of standards and architecture are required in order to achieve this type of data exchange between different (and often competing) systems, and past attempts have been hampered by a wide variety of issues and concerns. However, things are about to take a dramatic turn through the work of two powerful influences in modern EHR development.

Who Is Involved

The major players in this undertaking are CommonWell Health Alliance and Carequality. Carequality works under the Sequoia Project and provides the necessary framework needed for successful data sharing among EHR systems.

CommonWell Health Alliance, on the other hand, is a network or trade association of EHR vendors. CommonWell’s goal is to make interoperability among EHR vendors a reality. Any medical facilities or doctors who use a major EHR vendor will benefit from this collaboration.

Major Accomplishment in Interoperability

CommonWell and Carequality are preparing to go live with a health information exchange that will allow doctors to share Continuity of Care Documents. This breakthrough in interoperability includes all major EHR vendors as well as the hospitals and clinics that subscribe to them. A doctor in one hospital that subscribes to a major EHR vendor will be able to exchange patient data with any other doctor that also subscribes to a different EHR vendor.

The collaboration between Carequality and CommonWell actually began back in 2016. As a result of this collaboration, Carequality created their own version of CommonWell’s record locator service. This will allow Carequality members to search patients in CommonWell’s network. CommonWell, in turn, implemented Carequality rules, which is making it possible for network members to easily query each other. This phase of interoperability is due to go live this summer, barring any unforeseen delays.

What This Will Mean for Healthcare

Once the current information exchange goes live, an estimated 80% of doctors will be able to share their patient data – even among EHRs that are fierce competitors. For those in the medical field, the ability to share patient information across EHR systems – especially as the interoperability continues to evolve and expand – will support more informed decisions about patient care. Decisions can be made more quickly and providers will have far easier access to critical patient data. This will reduce ambiguity that can adversely affect patient care and recovery. It also enables better and more efficient workflows, and no doubt will have a positive effect on patient satisfaction as patients will receive better quality care.

Current Limitations

The dream is, of course, for a physician to quickly and easily track down tiny details of a patient’s information (e.g., medication allergies). The technology and software have not progressed to that point quite yet. At this stage, physicians using major EHR systems will be able to search for and access Continuity of Care Documentation, which is basically a data dump of information about a patient.

Challenges and Concerns

It is natural that some resistance to cooperation would be present from vendors because it does not seem like good business to facilitate a client’s ability to connect with services from your competitor. Some physicians may have concerns about making it too easy for a patient to seamlessly transfer all their medical records to a different doctor. Another issue that causes difficulty for vendors is that they have clients over a continuum of sizes, from small, one-physician clinics to massive hospitals. Trying to ensure interoperability between clients at opposite ends of the spectrum may be problematic as the architecture progresses further.

Another critical challenge is one that can only be overcome by forging forward: bugs and unforeseen technical issues that arise. These can only be found and dealt with after the interoperability architecture goes live this summer, and actual users begin to interface with it in a clinical setting.

Conclusion

The ultimate goal, according to CommonWell and Carequality, is for a patient’s healthcare information to follow them wherever they go, regardless of what EHR vendor the medical facility uses.  This, in turn, means that healthcare information is no longer bound by geographical boundaries. However, this dream cannot become a reality without a robust framework of standards, which is already being successfully developed through the hard work of Carequality. The process will require collaboration among sometimes competing EHR providers, which is already taking place thanks to the CommonWell network community and positive cooperation among vendors.

What’s A Blockchain?

A “blockchain” is basically a financial record similar to that of a spreadsheet, only for bitcoins and other forms of cryptocurrency available publicly and online. As the use of cryptocurrencies has evolved, it has created some innovative business opportunities. According to MIT Technology Review, the transparency and trust created through them have increasingly facilitated trade across the world in a number of ways.

First of all, they are publicly available, and access to the records is superior to that of public access to annual company reports. Many organizations do not produce annual reports out of a lack of obligation. The extent of transparency and detail in blockchain records generally exceeds those provided through annual reporting methods. This can allow investors to have more insight into trends and opportunities for investment, trade, and other forms of business growth.

The Rise of Bitcoin and Other Cryptocurrency

Bitcoins are the most common form of cryptocurrency recorded in these newer and more unique forms of financial transactions. They were initially used in 2009 with some trepidation, but have become so popular that, today, you’ll find hundreds of different forms of digital currency, now generally referred to as cryptocurrency.

Soon after the bitcoin was introduced, people began developing cryptography tools for public use, including the blockchain. Cryptocurrency was considered valuable because it provided a global means of completing financial transactions. Due to the complex nature of the bitcoin, it is nearly impossible for individuals or organizations to spend the same bitcoin currency twice.

This successfully addressed the previous challenges with digital currencies and effectively removed the demand to establish and maintain a central authority to mediate such electronic exchanges. Cryptocurrency transactions can be difficult or impossible to trace. That’s why they’re most often used by hackers when requesting ransomware payments from their victims.

Approximately two years after introduction, bitcoins grew from novelty to the preferred payment method in online commerce. “Altcoins,” a comparable cryptocurrency, were developed after bitcoin as an alternative form of digital currency but used the same open-source code for bitcoin. There were some slight differences between the two.

At this time, approximately $1 billion dollars’ worth of bitcoins and other cryptocurrencies are in circulation. Developers realized that blockchains could be more useful to other areas of common business operations as well. Normal steps in the development and use of a blockchain include the establishment or creation of a business transaction. This most often involves the sending of a form of cryptocurrency in exchange for a product or service. They’re also used for all types of investment and financial transfers.

The placement of a line of code representing the transaction as a ‘smart contract’ is initiated when specific conditions are met within the program. The sending of a broadcast to an access network on nodes and the ongoing listing of node subsets are referred to as ‘blocks’ within a ‘chain.’

More on the steps in the creation of blockchains and their history is available through MIT Technology Review.

What Other Uses Does It Have Currently?

With the fundamental added advantages of business transparency and prediction potential, blockchains have created exciting new business opportunities. According to Ignite, as their popularity has grown, they have affected a range of indirectly related aspects of business ranging from the manners by which banks transfer money to how medical records are handled.

Also referred to as ‘shared ledger technology,’ the transparency and trend perception is expected to become commonplace for the majority of business transactions. With over half of businesses now using them, increased opportunities for investors and small businesses, in general, are expected to escalate for an overall positive economic impact.

The use of cryptocurrency increases competition, diversification of products and services, and increased trade opportunities around the globe.

An example of improved business opportunities on a larger scale is the case of the New York City Depository Trust and Clearing Corporation, which began to use blockchain to more successfully facilitate their transactions. Experts attribute this to the success of $11 trillion dollars’ worth of transactions funneled through cryptocurrency technology.

More specific business uses include their infiltration into the banking system, once hesitant to use this form of digital currency. Cryptocurrency was originally thought to be unstable, as it was not backed by gold or other tangible assets. But today, many financial institutions have accepted the use of digital currency due to the increased speed and safety in making financial settlements.

Additionally, other organizations can increase efficiency by using the smart contract in the automatization of their agreements, with high potential for increased speed especially applicable to supply chain management and manufacturing. In addition to transparency, there is increased accountability, helping organizations to experience increased security over previous forms of common practice in transactions and records. This is why, as introduced above, the technology is even beneficial to the healthcare industry and medical records. More on how these areas, communications technologies, and other industrial developments can benefit from blockchain is available at Ignite.

According to The Economist, blockchain and smart contracts have even benefitted the way companies pay employees, the nature of cloud storage, and electronic voting. It seems increasing use and development continues to give rise to further opportunities, as organizations realize the potential benefits of using cryptocurrency and block chains over traditional financial transactions.

Can You Use Blockchain?

If you have the resources and other means required for conversion, your organization could benefit from blockchain if you are seeking increased security or efficiency in:

• Banking transactions
• Medical records
• Manufacturing or inventory records
• Communications records
• Employee payments
• Electronic voting
• Cloud storage records

Even if your organization does not have a strong emphasis in any of these areas, the increased transparency and universal appeal of cryptocurrencies may be sufficient to warrant gradual integration.

As of 22 February 2018, the Notifiable Data Breach (NDB) scheme went into effect and included in its requirements is a mandatory data breach notification.  Failure to correctly notify those affected by an eligible data breach can result in fines of up to $2.1 million, besides potential compensation for affected individuals.  There are certain things that every Australian organisation needs to be aware of when it comes to mandatory breach notification.

To Whom Does It Apply?

The NDB scheme applies to organisations and agencies that have personal security information obligations under the Australian Privacy Act 1988.  Such organisations and agencies include businesses, health service providers, credit reporting agencies, Australian government agencies, TFN recipients, and not-for-profits with an annual turnover of $3 million or more.

If an organisation …

• Collects personal information,
• Receives personal information on behalf of clients,
• Processes personal information on behalf of clients,
• Or holds personal information

Then they can be impacted by the NDB scheme.

If a breach occurs, the organisation and everyone involved in the chain can be affected, including marketers, data providers, brands, agencies, and similar partners.  In addition, if an organisation has clients, those clients may impose notification requirements to make sure they are in compliance with their own NDB obligations.

What Is an Eligible Data Breach?

Data breaches refer to unauthorised access of, the disclosure of, or loss of an individual’s information. If a data breach involves an individual’s personal information and this breach is likely to result in serious harm to said individual, then that breach must to be reported. This type of data breach is referred to as an eligible data breach.  Note that there are, however, some exceptions to the notification obligations.

What Constitutes Serious Harm?

While no hard and fast definition of “serious harm” has been provided, it is reasonable to assume that any type of harm – be it physical, psychological, or financial – would likely fall under the category of serious.  This is especially true of information of a sensitive nature or involving an individual’s health.  For example, loss of information involving medical allergies could result in life-threatening circumstances for an individual in a serious accident, or unauthorised access to financial information could result in identity theft and financial loss.

What Should Be Done When a Data Breach Is Suspected?

If a data breach is suspected, there are four key steps to be followed: contain, assess, notify, and review.  Of course, as soon as a data breach is suspected it should be contained to prevent any additional compromise of information.  Next, it should be thoroughly assessed by determining who was affected and what data was compromised, followed by risk assessment and, if possible, remediation.  The third step is notification. The final step is a review of the incident and developing a plan of action to prevent a similar breach from occurring again.

Who Needs to be Notified?

According to the Office of the Australian Information Commissioner,

“The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.”

In addition, the Australian Information Commissioner must also be notified of the breach, and this information can be submitted via an online form.

When Must Notification Take Place?

Notification must take place as soon as the organisation can determine what information was compromised and who was affected.

What Information Must Needs to be Included?

The following information must be included as part of the notification:

• The identity and contact information for the organisation
• A description of the data breach that took place
• The type of information that was involved in the breach
• Recommendations as to what steps the affected individual should take as a result of the breach

In terms of notifying individuals, there are two basic options available as to how the notification should take place: either notify all individuals or notify only the individuals who are at risk of serious harm.

If it is not practicable to notify individuals, then a statement about the breach can be published on the organisation’s website and then publicised.

What Happens When an Organisation Fails to Notify?

If an organisation fails to notify the affected individuals and the Australian Information commissioner of an eligible breach, fines of up to $2.1 million are possible.  However, there is also the possibility of compensation for affected individuals if there is a privacy compliance failure.  Compensation averages between $10,000 and $15,000 per individual if their complaint is successful.

Conclusion

Mandatory data breach notification is a critical part of the Notifiable Data Breach scheme, and failure to comply with notification requirements can result in hefty fines and compensation for those affected.  If you are an organisation in Australia that deals with any type of personal information, then you need to know what your responsibilities are and how to respond should an eligible data breach occur under your watch.

As providers are all too well aware, their payments from Medicare are affected by their score in the Merit-based Incentive Payment System (MIPS). MIPS imposes a number of requirements; if these are not met, payments may be reduced or denied.

The MIPS requirements apply to all Medicare claims, even those whose performance is not necessarily affected by a MIPS constraint. Among these universal requirements is the meaningful use of electronic health records (EHRs). Within the EHR requirements, we have the promotion of interoperability with other EHR systems, and within that, we have the security requirements. Among the security requirements is an annual security risk assessment.

What Has Changed?

In the Federal Register of July 27, 2018, the Centers for Medicare and Medicaid Services (CMS) proposes that the current security risk assessment requirement in MIPS be replaced. The suggested replacement will be an attestation to the activities included in the security risk assessment standard that has been performed in the past MIPS year.

This essentially switches the scoring of the security risk requirement from the equivalent of a numeric grade to a pass/fail scoring system. A practice or institution passes if it has done the assessment; how well it has done on the assessment falls by the wayside. The requirements are stated in a bare-bones fashion in the Code of Federal Regulations at 45 CFR 164.308.

CMS states that their rationale is, in part, a result of the realization that a risk assessment is done well, or not at all.

What A Serious Risk Assessment Entails

The thinking behind this can be found in the Office of Civil Rights (OCR) newsletter for April 2018.  This newsletter distinguishes a gap analysis (“find the holes”) from a security risk assessment (“make sure there are no holes”). It is a highly useful guide to discerning the scope and the level of effort required for a serious risk assessment.

An article on the HHS website goes into greater detail explaining what is subject to the security rules and why:

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

The guidance issues from OCR noted that the CFR requirements are divided into two categories: required and addressable.

The addressable requirements are not optional. Rather, if the approach specified in an addressable requirement is not feasible, the provider organization must develop an effective alternative to approach to achieve the same end and document this. The tendency to document-but-not-implement should be firmly resisted.

Did You Really Do A Risk Assessment?

Experts suggest that OCR has significantly underestimated the time required to do a serious risk assessment. Obviously, you have to look at hardware-associated risks. Are the BIOS files in your desktops and laptops updated? Has router firmware been updated?

 

You must take a hard look at software-associated risks as well. Are operating systems patched? You must strategically assess administrative risks: are you enforcing complex password requirements? Are you using biometric identifiers? Is data access truly on a need-to-know basis?

A Helicopter-Level View Is Not Adequate

The reader may protest that those concerns are nowhere to be found in the guidance. True. The point is that an adequate risk assessment will have revealed these as questions that need to be asked on a day-to-day operational basis. A risk assessment that is not dynamic misses all the critical points of vulnerability.

A risk assessment should point out any unnecessary risks and then offer a solid plan to eliminate them. It’s good to remember that the whole point of the endeavor is to make sure that the government (and all organizations) move toward the better Internet and network security. With cyber breaches occurring on almost a daily basis, there’s every need to be more cautious about how we handle, store, and transmit Big Data.

The current cost of a data breach has reached between $1.3 million and $3.5 million. The number one most sought-after data that hackers are vying for is healthcare information. On the Dark Web, 30,000 up-to-date healthcare records will fetch a pretty price.

Conclusion

Under this proposed rule change, you will no longer be given a percent of compliance score on your risk assessment. You will simply be in or out of compliance. The upside is less administrative hassle; all you have to do is carry out the activities and attest that you did this. The downside is that this may lead to a relaxation of vigilance at a time when threats are constantly increasing.