- Read Chapter 8 and the additional course materials attached below.
- Based on your readings and research findings, write a 3- to 5-page paper that includes a plan for the "strategy" that you would consider adopting to ensure the integrity of healthcare information shared through a health information exchange. This paper should include an appendix with one-page high-level policy for ensuring information integrity in an HIE.
- Compose your paper in Microsoft Word. Include your name, the assignment name, the course and section number, and the date. Cite ALL sources according to APA format (Don't forget the in-text citation). Be sure to include references properly cited using APA. Apply appropriate APA headings and subheadings for each prompt.
- Submit your assignment to Turnitin.
- You must log in to Turnitin to ensure your Similarity Score is less than 25%.
Link to one of the readings for Module 4 along with other attached documents:
https://www.govhealthit.com/news/top-5-roadblocks-hies-face
74 ◾ Information Governance for Healthcare Professionals
Chapter Summary: Key Points
◾ Information risk planning is an essential activity in IG programs.
◾ Healthcare organizations face major risks from data breaches, ransomware attacks, HIPAA compliance, and other legal risks.
◾ In identifying information requirements and risks, legal requirements trump all others.
◾ The risk profile is a high-level, executive decision input tool which helps to gauge risks.
◾ A common risk profile method is to create a prioritized or ranked “Top Ten” list of greatest risks to information.
◾ Once a list of risks is developed, grouping them into basic categories (e.g. natural disaster, technology, compliance) helps stakeholders better understand them.
◾ The risk mitigation plan develops risk reduction options and tasks to reduce specified risks.
◾ Expected value is a calculation to determine the relative financial impact of a specified risk.
◾ Metrics are required to measure progress in the risk mitigation plan.
◾ Audits provide feedback on the progress of the risk mitigation plan.
Notes
1. Elizabeth Snell, “The Role of Risk Assessments in Healthcare,” Health IT Security, https://healthitsecurity.com/features/the-role-of-risk-assessments-in-healthcare.
2. “Summary of the HIPAA Security Rule,” Office for Civil Rights (OCR), last reviewed July 26, 2013, https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
3. Eric Basu, “Implementing A Risk Management Framework For Health Information Technology Systems – NIST RMF,” Forbes.com, August 3, 2013, http://www.forbes.com/sites/ericbasu/2013/08/03/implementing-a-risk-management-framework-for-health-information-technology-systems-nist-rmf/#23e63d46523a.
4. Ryan Francis, “Ransomware Makes Healthcare Wannacry,” CSOOnline, May 15, 2017, https://www.csoonline.com/article/3196827/data-breach/ransomware-makes-healthcare-wannacry.html.
5. “HIPAA Fines Listed by Year,” Compliancy Group, https://compliancy-group.com/hipaa-fines-directory-year.
6. Sarah Kuranda, “The 10 Biggest Data Breaches Of 2016 (So Far),” CRN.com, July 28, 2016, http://www.crn.com/slide-shows/security/300081491/the-10-biggest-data-breaches-of-2016-so-far.htm/pgno/0/1.
7. “HIPAA Fines Listed by Year,” Compliancy Group, https://compliancy-group.com/hipaa-fines-directory-year.
8. Ibid.
9. Ibid.
10. Jessica Davis, “Ransomware Accounted for 72% of Healthcare Malware Attacks in 2016,” Healthcare IT News, April 27, 2017, http://www.healthcareitnews.com/news/ransomware-accounted-72-healthcare-malware-attacks-2016.
11. Thomas Fox-Brewster, “Medical Devices Hit by Ransomware for the First Time in US Hospitals,” Forbes.com, May 17, 2017, https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#3956264c425c.
12. Jonathan Crowe, “How One Ransomware Attack Cost Erie County Medical Center $10 Million,” Barkly.com, August 2017, https://blog.barkly.com/10-million-dollar-ecmc-hospital-ransomware-attack.
13. Ibid.
14. “Code of Federal Regulations,” U.S. Government Publishing Office (GPO), www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm.
Smallwood, R. F. (2018). Information governance for healthcare professionals: A practical approach. Productivity Press. Created from franklin-ebooks on 2022-09-07 22:14:07.
Copyright © 2018. Productivity Press. All rights reserved.
Chapter 8
Information Risk Planning and Management
Information risk planning is a key Information Governance (IG) program activity. In healthcare organizations, risk analysis is a HIPAA regulatory obligation as part of the administrative safeguard requirement.1
According to the Health and Human Services website, “Risk analysis should be an ongoing process, in which a covered entity [healthcare provider, plan, or clearinghouse] regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”2
Often organizations have identified risks to information but have not taken the appropriate risk assessment and mitigation steps to counter those risks.
Information risk planning requires that the organization take a number of specific steps in identifying, analyzing, and countering information risks:
1. Identify risks. Conduct a formal process of identifying potential vulnerabilities and threats (both external and internal) to information assets.
2. Assess impact. Determine the potential financial and operational impact of the identified adverse events.
3. Determine probability. Weigh the likelihood that the identified risk events will materialize.
4. Countermeasures. Create high-level strategic plans to mitigate the greatest risks.
5. Create policy. Develop strategic plans into specific policies.
6. Establish metrics. Determine metrics to measure risk reductions from mitigation efforts.
7. Assign responsibilities. Identify those who are accountable for executing the new risk mitigating processes and maintaining the processes in place.
8. Execute plan. Execute the information risk mitigation plan.
9. Audit, review, adjust. Audit the information risk mitigation plan and make adjustments.
These risk mitigation efforts must be audited and tested periodically not only to ensure conformance to the policies, but also to provide a feedback loop to revise and fine-tune policies and optimize business processes.
F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-09-07 22:14:48.
Some key benefits to healthcare providers that flow from this information risk planning process include:
◾ Protection and preservation of information assets;
◾ Reduced deaths and injury due to medical mistakes;
◾ Protection of the organization’s reputation and brand;
◾ Organizational “defense in depth” for privacy and security;
◾ A direct connection to enterprise information security (cyber-security) practices which help to assure patient privacy;
◾ Privacy controls that are clearly defined which reduce risks and support compliance efforts;
◾ Privacy requirements that are measurable and enforceable;
◾ Accountability in cyber-security and privacy processes.3
The Risk Planning Process
The risk planning steps, delineated in more detail, are:
Step 1: Conduct a Formal Process of Identifying Potential Vulnerabilities and Threats
Breaches. A key threat to all healthcare organizations is major data breaches. Breaches not only compromise patient ePHI but they also represent a breach of patient trust, which damages the institution’s reputation. And it can be financially costly. Data breaches cost the healthcare industry $6.2 billion in 2016, according to the Ponemon Institute.4
In 2017, Metro Community Provider Network was fined $400,000 by the Office of Civil Rights (OCR) for overlooking risks that led to a data breach. Other recent breaches include:
◾ In 2017, Presence Health was fined $475,000 by OCR for lack of timely breach notification to patients.
◾ Also in 2017, Centene, a multi-line healthcare enterprise, announced that nearly one million members may have been impacted by a data breach.5 The breach was caused by the simple loss of hard drives that contained patient ePHI and PII.6
◾ In 2016, St. Joseph’s Health settled a class action lawsuit at a cost of $7.5 million for a 2012 data breach that affected over 30,000 of its patients. St. Joseph’s was also fined $2.14 million by OCR in October 2016.7
HIPAA Violations. Another major risk facing healthcare institutions is HIPAA violations and the potential for large fines. These have not only immediate financial impact but also can erode the organization’s reputation in the marketplace, which would impact future revenues and even shareholder equity value. There are many examples of major fines; below are a few recent examples (Table 8.1):
HIPAA and Business Associate Agreements
HIPAA regulations are often violated by not having business associate agreements in place, according to the OCR. A business associate agreement (BAA) is a standing contract between a
healthcare provider and third-party organizations providing services to that provider. The BAA is intended to safeguard PHI and patient privacy.8
Determining which contractors qualify as a HIPAA business associate can be challenging. Those who interact with or come in contact with PHI certainly qualify. In early 2016, the U.S. Department of Health and Human Services released guidance for software developers to assist in making the business associate determination.
Organizations typically underestimate the proliferation of PHI, or rather, ePHI. This is due to the fact that it is quite easy to duplicate electronic data, and most organizations are not actively using file analysis or data loss prevention (DLP) software to scan their electronic storage systems to locate incidences of PHI so it may be accounted for, tracked, and secured. This causes many healthcare organizations to be non-compliant with HIPAA requirements. Compounding this issue is the use of PHI in various departmental applications, and the increasing use of mobile devices, especially bring-your-own-device (BYOD).9
Ransomware. Ransomware is a newer type of risk that healthcare organizations face. Ransomware attacks typically occur when hackers intrude computer systems and lock down patient files with encryption, and then demand a fairly modest (although this has been increasing) ransom payment to unlock the files. Ransomware attacks were classified as breaches in a July 2016 statement by the Health and Human Services Office for Civil Rights (OCR). The OCR went further and stated that ransomware attacks are subject to the HIPAA Breach Notification Rule.
Ransomware attacks on healthcare institutions continue to increase and become more aggressive. According to the Verizon 2017 Data Breach Report, more than two-thirds (72%) of malware attacks in the healthcare industry were caused by ransomware.10 A report by Symantec supported Verizon’s findings, stating that in 2016 alone, ransomware attacks increased by 36% in healthcare.
Perhaps the most widespread ransomware attack ever occurred in May 2017 with the WannaCry attacks that infected over 200,000 Windows systems including computers at 48 hospital trusts in the United Kingdom, crippling operations. The attack spread to European countries and to the U.S., and even included attacks that compromised medical devices.11
Table 8.1 Major HIPAA Fines in 2017
Date          | Organization                          | Cause                                                                        | Fine
--------------|---------------------------------------|------------------------------------------------------------------------------|-------
January 2017  | MAPFRE                                | HIPAA settlement demonstrates importance of implementing safeguards for ePHI | $2.2 M
February 2017 | Children’s Medical Center of Dallas   | Lack of timely action risks security                                         | $3.2 M
February 2017 | Memorial Healthcare Systems           | Lack of enforced audit controls                                              | $5.5 M
April 2017    | CardioNet                             | Lack of understanding of HIPAA requirements                                  | $2.5 M
May 2017      | Memorial Hermann Health System (MHHS) | PHI disclosure                                                               | $2.4 M

Hackers know that daily hospital operations depend on IT systems and that often management will decide to pay rather than disrupt operations. In early 2017, Hollywood Presbyterian declared an internal emergency and paid $17,000 to rogue hackers to unlock their files. The hospital was
able to resume normal operations. But another hospital took the opposite approach. Erie County Medical Center (ECMC) in Buffalo, New York, was hit with a ransomware attack—but management decided not to pay the $30,000 ransom, and to go to manual operations until every computer could be scanned, cleaned, and restored.12 The disruption lasted over six weeks and cost ECMC nearly $10 million.
Hackers are getting more sophisticated and savvy. They recently introduced Ransomware-as-a-Service kits that they sell to other rogue operators, which can be customized to hit a particular target. Often the developer of the kit will take a percentage of the proceeds of successful ransomware attacks.13
Compliance and Legal Risks
There are additional compliance and legal risks to identify and research. Federal, provincial, state, and even municipal laws and regulations may apply to the retention period for business or patient information. Organizations operating in multiple jurisdictions must maintain compliance with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy requirements and retention periods must be researched for each jurisdiction (state, country) in which the business operates, so that it complies with all applicable laws.
Legal counsel and records managers (or the IG Lead) must conduct their own legislative research to apprise themselves of mandatory information retention requirements, as well as privacy considerations and requirements, especially in regard to PHI and PII. This information must be analyzed and structured and then presented to legal staff for discussion. Then further legal and regulatory research must be conducted, and firm legal opinions must be rendered by the organization’s legal counsel regarding information retention, and privacy and security requirements in accordance with laws and regulations. This is an absolute requirement. The legal staff or outside legal counsel should provide input as to the Legal Hold Notification (LHN) process, provide opinions and interpretations of law that applies to a particular organization, and provide input on the value of formal records to arrive at a consensus on records that have legal value to the organization, and to construct an appropriate retention schedule.
Legal requirements trump all others. The retention period for PHI data or a particular type of record series must meet minimum retention, privacy, and security requirements as mandated by law. Business needs and other considerations are secondary. So, legal research is required before determining and implementing retention periods, privacy policies, and security measures. In identifying information requirements and risks, legal requirements trump all others.
In order to locate the regulations and citations relating to retention of records, there are two basic approaches. The first approach is to use a Records Retention Citation Service, which publishes in electronic form all of the retention-related citations. These services are usually purchased on a subscription basis, as the citations are updated on an annual or more frequent basis as legislation and regulations change.
Another approach is to search the laws and regulations directly, using online or print resources. Records retention requirements for corporations operating in the United States may be found in the Code of Federal Regulations (CFR). “The Code of Federal Regulations (CFR) annual edition is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government. It is divided into 50 titles that represent broad areas subject to federal regulation.”14
For governmental agencies, a key consideration is complying with requests for information as a result of the U.S. Freedom of Information Act (FOIA), Freedom of Information Act 2000
(in the U.K.), and similar legislation in other countries. So the process of governing information is critical to meeting these requests by the public for governmental records.
Step 2: Determine the Potential Financial and Operational Impact of the Identified Adverse Events
Benchmarking data from peer organizations provides reasonable projections of potential financial and operational impact. A list of major breaches and ransomware attacks and their costs should be considered in the calculations of financial impact. Also, a list of major HIPAA non-compliance fines at peer organizations provides a baseline for estimating the potential cost of violations. These estimates should then be normalized and brought into line with the size of an organization, with considerations given to the competitive, regulatory, and economic environment within which it operates.
Step 3: Weigh the Likelihood that the Identified Risk Events will Materialize
In this step, percentages are assigned to the potential adverse events that have been identified. Whereas a major breach event could cost the organization, say, $5 million dollars, its likelihood may be low, in the 3%–5% range. Risk management professionals may use certain methodologies to assess the likelihood that an event may occur. Or senior management may have internal models developed to assess risk likelihood. Absent standard methodologies, the IG steering committee should utilize their experience and information from external input to assess the likelihood that an adverse event may occur.
Once percentages have been assigned, an “expected value” (EV) calculation can be made. For instance, if a major breach would cost $5 million dollars, and its likelihood is 5%, then the expected value of the financial impact of that event for planning and risk-ranking purposes is:
EV = $5,000,000 × 5% = $250,000
If the exposure from a HIPAA violation has led to fines in the $2 million range, but the organization holds a fairly weak compliance posture, perhaps the likelihood is 10%. The EV calculation would then be:
EV = $2,000,000 × 10% = $200,000
And in like manner the potential financial impact of other identified risk events may be calculated, so they can then be ranked and prioritized. This gives executive management the information they need to make budget decisions. Certainly, the risks that are most likely to have a greater financial impact are those that must be mitigated as a priority.
Many organizations create a formalized risk profile to more accurately assess risks the organization faces.
Creating a risk profile is a basic building block in enterprise risk management (yet another “ERM”), which assists executives in understanding the risks associated with stated business objectives, and allocating resources, within a structured evaluation approach or framework. There are multiple ways to create a risk profile, and how often it is done, the external sources consulted, and stakeholders who have input will vary from organization to organization.15 A key tenet to bear
in mind is that simpler is better, and that sophisticated tools and techniques should not make the process overly complex.
According to ISO, risk is defined as “the effect of uncertainty on objectives” and a risk profile is “a description of a set of risks.”16 Creating a risk profile involves identifying, documenting, assessing, and prioritizing risks that an organization may face in pursuing its business objectives. Those associated risks can be evaluated and delineated within a risk or IG framework.
The corporate risk profile should be an informative tool for executive management, the CEO, and the board of directors, so it should reflect that tone. In other words, it should be clear, succinct, and simplified. A risk profile may also serve to inform the head of a division or subsidiary, in which case it may contain more detail. The process can also be applied to public and nonprofit entities.
The time horizon for a risk profile varies but looking out three to five years is a good rule of thumb.17 The risk profile typically will be created annually, although semi-annually would serve the organization better and account for changes in the business, legal, and technology environment. But if an organization is competing in a market sector with rapid business cycles or volatility, the risk profile should be generated more frequently, perhaps quarterly.
There are different types of risk profile methodologies, with a “Top Ten” list, risk map, and heat map being commonly used. The first is a simple identification and ranking of the 10 greatest risks in relation to business objectives. The risk map is a visual tool that is easy to grasp, with a grid depicting a likelihood axis and an impact axis, usually rated on a scale of 1–5. In a risk assessment meeting, stakeholders can weigh in on risks using voting technology to generate a consensus. A heat map is a color-coded matrix generated by stakeholders voting on risk level by color (e.g. red being highest).
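The expected value calculation from Step 3 and the “Top Ten” list, risk map, and heat map methods just described, carried through on a small constructed risk register. This is an added example, not code from the book or its author: the risk entries, dollar figures, probabilities, category labels, and the 1–5 scoring thresholds and colour bands are assumed for illustration; the chapter’s own two figures (a $5 million breach at 5% and a $2 million fine at 10%) are included so the output can be checked against the text.

```python
"""Expected-value ranking, Top Ten list, and 5x5 risk map for a risk profile.

Added example (not from the book): applies the chapter's EV = impact x likelihood
calculation to a constructed list of information risks, ranks them into a
"Top Ten"-style list, sums EV per category, and places each risk on a
likelihood/impact grid scored 1-5 with a heat-map colour. All figures and
thresholds below are constructed or assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # grouping used in the profile, e.g. "technology", "compliance"
    impact_usd: float   # estimated financial impact if the event occurs
    likelihood: float   # probability over the planning horizon, 0.0 to 1.0

    def expected_value(self) -> float:
        """The chapter's EV calculation: impact multiplied by likelihood."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be a probability, got {self.likelihood}")
        return self.impact_usd * self.likelihood


def rank_by_expected_value(risks, top_n=10):
    """Order risks by descending EV and cut to a 'Top Ten'-style list."""
    return sorted(risks, key=lambda r: r.expected_value(), reverse=True)[:top_n]


def ev_by_category(risks):
    """Sum EV per category so clustered risks (e.g. all compliance risks) can be compared."""
    totals = {}
    for r in risks:
        totals[r.category] = totals.get(r.category, 0.0) + r.expected_value()
    return totals


# Assumed scoring bands: a value at or above the n-th threshold scores n+1 on the 1-5 scale.
IMPACT_THRESHOLDS = (100_000, 500_000, 1_000_000, 5_000_000)
LIKELIHOOD_THRESHOLDS = (0.02, 0.05, 0.10, 0.25)


def score_1_to_5(value, thresholds):
    """Map a raw impact or likelihood onto the 1-5 scale used on a risk map."""
    return 1 + sum(1 for t in thresholds if value >= t)


def risk_map(risks):
    """Place risks on a 5x5 likelihood/impact grid.

    Returns {(likelihood_score, impact_score): [risk names]}.
    """
    grid = {}
    for r in risks:
        cell = (score_1_to_5(r.likelihood, LIKELIHOOD_THRESHOLDS),
                score_1_to_5(r.impact_usd, IMPACT_THRESHOLDS))
        grid.setdefault(cell, []).append(r.name)
    return grid


def heat_color(cell):
    """Heat-map colour for a grid cell (assumed bands on the score product, max 25)."""
    product = cell[0] * cell[1]
    if product >= 15:
        return "red"
    if product >= 8:
        return "amber"
    return "green"


# Constructed sample risk register for the example.
SAMPLE_RISKS = [
    Risk("Major ePHI breach", "technology", 5_000_000, 0.05),
    Risk("HIPAA fine (weak compliance posture)", "compliance", 2_000_000, 0.10),
    Risk("Ransomware outage", "technology", 10_000_000, 0.03),
    Risk("Lost unencrypted laptop", "technology", 300_000, 0.30),
    Risk("Missing BAA with a vendor", "compliance", 500_000, 0.15),
    Risk("Flood in the data center", "natural disaster", 8_000_000, 0.01),
]


if __name__ == "__main__":
    print("Ranked by expected value:")
    for r in rank_by_expected_value(SAMPLE_RISKS):
        print(f"  {r.name:38s} ${r.impact_usd:>12,.0f} x {r.likelihood:5.1%}"
              f" = ${r.expected_value():>10,.0f}")
    print("EV by category:", {k: round(v) for k, v in ev_by_category(SAMPLE_RISKS).items()})
    print("Risk map (likelihood score, impact score) -> colour: risks")
    for cell, names in sorted(risk_map(SAMPLE_RISKS).items(), reverse=True):
        print(f"  {cell} -> {heat_color(cell):5s}: {', '.join(names)}")
```

Running the script prints the ranked list (the chapter’s $5 million breach at 5% comes out at $250,000 and the $2 million fine at 10% at $200,000), the EV totals per category, and each occupied grid cell with its heat-map colour. The scoring bands are where stakeholder judgement enters; the arithmetic itself is deliberately simple, which is the chapter’s point about keeping the profile usable by executives.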
Information gathering is a fundamental activity in building the risk profile. Surveys are good for gathering basic information, but for more detail, a good method to employ is direct, person-to-person interviews, beginning with executives and risk professionals.18 Select a representative cross-section of functional groups to gain a broad view. Depending on the size of the organization, you may need to conduct 20–40 interviews, with one person asking the questions and probing, while another team member takes notes and asks occasionally for clarification or elaboration. Conduct the interviews in a compressed timeframe—knock them out within one to three weeks and do not drag the process out, as business conditions and personnel can change over the course of months.
There are a number of helpful considerations to conducting successful interviews. First, prepare some questions for the interviewee in advance, so they may prepare and do some of their own research. Secondly, schedule the interview close to their office, and at their convenience. Thirdly, keep the time as short as possible, but long enough to get the answers you will need; approximately 20–45 minutes. Be sure to leave some open time between interviews to collect your thoughts and prepare for the next one. And follow up with interviewees after analyzing and distilling the notes to confirm that you have gained the correct insights.
The information the IG team will be harvesting will vary depending on the interviewee’s level and function. You will need to look for any hard data or reports that show performance and trends related to information risk. There may be benchmarking data available as well. Delve into information access and security policies, policy development, policy adherence, and the like. Ask questions about the EHR and ePHI and privacy risks. Ask about retention of e-mail and legal hold processes. Ask about records retention and disposition policies. Ask about long-term preservation of digital records. Ask about their data deletion policies. Ask for documentation regarding IG-related training and communications. Dig into policies for access to confidential data and vital records. Try to get a real sense of the way things are run, what is standard operating procedure,
and also how workers might get around overly restrictive policies, or operate without clear policies. Learn enough so that you can grasp the management style and corporate culture, and then distill that information into your findings.
Key events and developments must also be included in the risk profile. For instance, loss or potential loss of a major lawsuit, or pending regulatory changes that could impact your IG policies, or a change in business ownership or structure must all be accounted for and factored into the information risk profile. Even changes in governmental leadership should be considered, if they might impact IG policies. These types of developments should be tracked on a regular basis, and should continue to feed into the risk equation.19 You must observe and incorporate an analysis of key events in developing and updating the risk profile.
At this point, it should be possible to generate a list of specific potential risks. It may be useful to group or categorize the potential risks into clusters such as natural disaster, regulatory, safety, competitive, technological and so forth. Armed with this list of risks, you should solicit input from stakeholders as to likelihood and timing of the threats or risks. As the organization matures in its risk identification and handling capabilities, a good practice is to look at the risks and their ratings from the previous years to attempt to gain insights into change and trends—both external and internal—that affected the risks.
Step 4: Create High-Level Strategic Plans to Mitigate the Greatest Risks
After identifying the major risk events the organization faces and calculating the potential financial impact, the IG Steering Committee must develop possible countermeasures to reduce the risks, and their impact if they do occur. This m