Ensuring Security, Privacy, and

Compliance While Creating

Value With Healthcare IT
A step by step approach

6450 Via Real, Suite 3

Carpinteria,CA 93013
800-721-9177
805-684-6858
www.redspin.com White Paper
Ensuring Security, Privacy, and Compliance
While Creating Value With Healthcare IT
A step by step approach to meeting security,
privacy, and compliance goals through a focus
on value creation.
Spiraling costs and a lack of global competitive-
ness are often cited as major problems with the
U.S. healthcare system. Information technology
can be a significant part of the solution to these
problems. In fact, industry leaders and the gov-
ernment sector have begun to focus resources,
management attention, and funding towards IT
investments. Yet historically, IT has been viewed
as a cost center rather than as an investment. As
an element of that cost center, spending on IT
security, privacy, and compliance has been typi-
cally budgeted at the minimum level necessary to
meet regulatory requirements. A new perspective
is required, where investing in IT is understood to
create value by increasing competiveness, lowering
costs, and increasing the quality of patient care. IT
thus becomes a large part of the solution to the
problems facing the healthcare industry.
This paper examines a general process for manag-
ing healthcare IT investments and specifically out-
lines a step by step approach to meeting security,
privacy, and compliance goals through a focus on
value creation and risk management. Information
security programs in the healthcare sector have of-
ten been driven by reactive approaches and ad hoc
compliance oriented processes. These approaches
view “success” as avoiding security incidents and
passing compliance audits with the minimum
amount of investment. We will examine why this
approach is unsustainable and show how it be-
lies widely-accepted risk management principles.
Instead, we will offer a results-oriented alterna-
tive that ensures security, compliance, and privacy
programs that support the overall healthcare IT
mission of creating value and meeting business
objectives.
From electronic health record adoption to clinical
workflow automation, healthcare increasingly runs
on information. Yet, healthcare has traditionally
lagged other industry segments in terms of IT
spending. As a percent of revenue, IT spending
represents just over 5% for the healthcare industry
segment versus 11% for financial services (For-
rester Research). More importantly IT spending
in healthcare has not been aligned with achieving
objectives. Given the rising demands for overall
transformation of the healthcare industry and the
competitive pressures on U.S. provider organiza-
tions, healthcare urgently needs the improvements
IT can enable. Information security must play a
central role in this transformation both in terms of
ensuring patient trust through proper use of their
data and protecting the business from threats rang-
ing from cyber crime to brand damage associated
with data breaches.
Value Oriented, Performance Driven
Fortunately, this transition to value-oriented, per-
formance driven healthcare is underway in several
leading providers such as Kaiser Permanente, Part-
ners Healthcare System and Geisinger. A common
denominator among these companies is that IT
and the information security program are viewed
as creating value rather than cost centers. From a
process perspective these leaders have also devel-
oped similar methods for aligning IT investments
with value to the business. This involves defining a
set of observable, quantifiable operational metrics.
Broad categories include benefits to patient safety,
quality of care, staff productivity, employee satis-
faction, revenue enhancement, and cost optimiza-
tion. In this manner IT investments are evaluated
in terms of how well they help the organization
meet business objectives. Another critical common
factor in these organizations is a system of risk
management for continuously optimizing security,
privacy, and compliance initiatives. Throughout the
rest of this paper we will discuss the step by step
www.redspin.com l Page 1
process of deploying a successful information risk
management program.
The major steps associated with a successful infor-
mation risk management program are as follows:
1. Organizing for performance
2. Assessing risk
3. Decision analysis
4. Policy implementation
5. Measuring program effectiveness
6. Repeat steps 2-5, adjust the organization
defined in step 1 to evolving business re-
quirements
The first step in the process involves organizing
for performance. There are two critical compo-
nents for success. The first component is execu-
tive sponsorship. Executive sponsorship is not
a passive role. The executive sponsor is typically
the CIO or CISO and is responsible for funding,
authority, and support of the information risk
management program. This role also serves as
the final escalation point to define acceptable risk
to the business. The second critical component
for success is integration of the information risk
management program with the rest of the orga-
nization. A program that does not leverage other
functional units will have difficultly aligning with
business goals and ultimately fail.
A successful organizational structure for carrying
out the step by step information risk management
plan outlined above is shown in Figure 1.
Organizing For Performance (Figure 1)
The objective of the information risk management
program is to minimize risk to information that
is critical to the business while enabling business
goals. The primary interactions in this area are
with the line of business, finance, and legal teams.
The security team must codify the net results in
terms of policy that will drive operational as well
as quality and performance management decisions.
Information security management is owned by the
security team but interacts and primarily leverages
operations, IT, and HR. Information generated
at this point contributes to the overall picture of
situational awareness that guides both the business
and the information risk management program.
The security relevant aspects of quality and perfor-
mance management for the business are owned by
the security team but must work with the audit, de-
velopment, and QA teams. This function generates
the reporting metrics (e.g. compliance to internal
policies and regulatory requirements) that drive
decisions for the business and the security team
as well as contributing to the overall situational
awareness picture. The overall output of this cycle
is not simply to protect information but to allow
better decisions to be made that drive the business
forward.
www.redspin.com l Page 2
With this organization in place the information PHI/PII Risk Indication (Figure 2)
risk management program can be set in motion.
Before describing the process in detail it is useful
to consider alternative approaches. With pressure
to meet the more stringent regulatory requirements
imposed by the HITECH act, urgent deadlines to
meet meaningful use requirements, and the need
to react to day to day incidents, it is easy for a
program to become derailed. Let’s consider the re-
quirements required to comply with the HITECH
act. Organizations must do the following:

• Implement a data classification policy that

describes the processes used to identify, classify,
store, secure, and monitor access to PHI data.

• Implement a process to detect a potential data

breach and carry out an incident response plan.

• Implement a notification process to inform Developing a broader view of risk to the business
affected parties after a discovery of a breach allows the information risk management team to
of security to PHI without unrea-sonable delay. avoid acting narrowly. For example, rather than a
siloed effort to develop policies and implement
• Implement policies, processes, and procedures controls to comply with the HITECH Act, a pro-
for security awareness and training. gram can be put in place that addresses the unified
regulatory requirements associated with PHI/PII
• Encrypt PHI data – at rest and in transit. data.

Immediately launching an effort to address these Now let’s examine each of the steps to carry out
requirements is tempting, but fraught with peril. the information risk management program. The
Many HIPAA security programs focused on creat- continuous nature of this process is illustrated in
ing policies and procedures as a starting point. Figure 3.
Frequently, there was a disconnection between
policies and actual technical and procedural safe- Risk Management Process (Figure 3)
guards. Further, there is not a clear understanding
of the broader risk picture and integration with the
business context. A more informed view is shown
in Figure 2.

www.redspin.com l Page 3
Step 1. Assess Risk a. Ensure that policy specifications are enforce-
The first step in the process involves identification able.
and prioritization of risks to the business.
b. Apply a comprehensive approach that inte-
a. Plan data gathering. Identify key success grates process automation, people, and tech-
factors and preparation guidance. nology in the mitigation solution.

b. Gather risk data. Outline the data collection c. Focus on defense in depth by coordinating
process and analysis.
c. Prioritize risks. Use qualitative and quantitative
risk analysis to drive prioritization.
Step 2. Decision Analysis
The second step covers the processes for evaluat-
ing requirements, understanding possible solutions,
selecting controls, estimating costs, and choosing
the most effective mitigation strategy.
application, system, data, and network controls
to meet business objectives.
d. Communicate policies and control responsibili-
ties throughout the organization.
Step 4. Measure Effectiveness
The fourth step consists of developing and dis-
seminating reports as well as providing managment
a dashboard to understand program effectiveness.

a. Define functional requirements to mitigate a. Develop and continuously update a manage

risks. ment dashboard that summarizes the organiza-
tion’s risk profile.
b. Outline possible control solutions. Keep in
mind that these include not only technical con- b. Report on changes under consideration and
trols but people-driven processes (e.g., separa- summarize changes that are underway.
tion of duties) and service level agreements.
c. Communicate the effectiveness of the control
c. Estimate risk reduction. Understand the solutions in mitigating risk.
probability of risks and the impact of reduced
exposure. d. Report on the existing environment in terms
of threats, vulnerabilities and risk profile.
d. Estimate solution cost. Reflect direct and
indirect costs associated with mitigation Key Success Factors
solutions. As noted earlier a major element contributing
to the success of an information risk manage-
e. Choose mitigation strategy. Complete a cost- ment program is involvement of functional units
benefit analysis to identify the most effective throughout the organization. The information risk
mitigation solution. management team needs to take responsibility for
educating the organization on the process and de-
Step 3. Policy Implementation veloping the thorough understanding of risk that
The third step addresses policy implementation will allow the business to take specific action when
and the acquisition and deployment of controls to managing it.
carry out the policy.

www.redspin.com l Page 4
An effective method to get this process underway
is to view risk across four simple categories. This
provides a straightforward way to clarify trad-
eoffs and make decisions. These categories can be
thought of as the four A’s:
Availability: This means keeping the systems run-
ning. IT needs to communicate regularly to execu-
tive staff on the availability risk to major business
processes and ensure there is a business continuity
plan in case of failure.
Access: This is defined as ensuring access to
systems and data. IT is responsible for provid-
ing the right people with the access they need and
ensuring that sensitive information is not misused.
The IT organization must regularly discuss risks
associated with data loss, privacy violations, and
inappropriate use.
Accuracy: This means providing complete, timely
and correct information that meets the require-
ments of customers, suppliers, regulators and
management. Compliance with HIPAA/HITECH
and Sarbanes-Oxley are common sources of ac-
curacy risk for enterprises in the United States.
IT should review with management the sources of
accuracy risk (and risk mitigation programs) such
as the inability to get an accurate, consistent view
of patient records or clinical workflow effective-
ness.
Agility: This is defined as the ability to make the
necessary business changes with appropriate
cost and speed. A specific example of agil-
ity risk would be the delay or cancellation of
a merger because of the risk of integrating IT
systems. The IT organization needs to dis-
cuss these risks so that management can make
informed decisions and not hedge their bets be-
cause they don’t believe IT can deliver on time.
Another area to look at is consistent usage of
risk severity levels and the associated actions. At
Redspin we use five levels:
• Critical - Corrective measures are required im-
mediately.
• High - Strong need for corrective measures.
An action plan must be put in place as soon as
possible.
• Medium - Corrective actions are needed
and a plan must be developed to incorporate
these actions within a reasonable period of time.
• Low - Management must determine whether
corrective actions are required, or decide to ac-
cept the risk.
• Informational - The issue does not indicate
a material policy violation but is something
for management to consider for enhancing the
overall security posture.
Drive these definitions into risk mitigation pro-
grams, policy specifications and controls.
Next, everyone in the organization needs a clear
and consistent definition of risk. In this context,
risk is the probability of a vulnerability being ex-
ploited in the current environment, leading to a
degree of loss of confidentiality, integrity or avail-
ability of an asset. The diagram shown in Figure
4 illustrates the relationships of each element of
risk.
Component of Risk (Figure 4)
www.redspin.com l Page 5
To illustrate the usage of a risk statement in prac- strongly with management. However, such a pro-
tice let’s look at an example focusing on risk to cess is resource intensive and thus more expensive
PHI data. so broad based coverage is challenging. Therefore,
focusing on high impact areas with quantitative
The assets (what you are trying to protect is PHI) methods and driving coverage with qualitative
approaches tends to produce the best results.
• You need to know where it is, how it is used,
and how it is transported over the network. A final consideration in terms of key success
factors is the timing for repeating the process.
The threats (what are you afraid of happening) Each cycle starts with a new risk assessment. The
frequency will vary from organization to organiza-
• Sophisticated cybercriminals stealing account tion. Many companies find that annual recurren-
credentials, credit card records, or medical ceis sufficient so long as the information security
history to file false claims. team is proactively monitoring for new threats,
vulnerabilities, and assets.
• Hackers using application attacks to gain access
to database records. In summary, you can expect investment in an
information risk management program to bring
• Insiders gathering inappropriate data through important business benefits. Some of these include
misconfigured access control. the following:
The vulnerabilities (how could the threat occur) • Risk reduction allows deployment of new busi-
ness processes that were not previously possible.
• Targeted social engineering attacks; malware
exploiting Adobe .pdf and MS office .doc vul- • Confidence in brand protection can result in
nerabilities new revenue generating programs.

• Application vulnerabilities (e.g., SQL injection,
command injection) • Trust in service availability means that existing
programs can generate more revenue and more
• Misconfigured database access controls profitably.

Current mitigation (what is currently reducing • Confidence in risk mitigation efforts ranging
the risk) from technical controls to effective service level
agreements decrease program launch time.
• Staff
• Clear guidance on security requirements associ-
• Technology ated with new business unit projects accelerates
time to revenue.
• Processes

Another key success factor is development of an

effective methodology for risk assessment. There
are many different approaches but most are quali-
tative or quantitative methods or a combination of
the two. A quantitative approach allows risk to be
expressed with financial values and thus resonates

www.redspin.com l Page 6
How Redspin Can Help
Redspin has invested heavily in the healthcare in-
dustry segment for several years and has built deep
understanding of security, privacy, and compliance
issues. Specific service offerings include:

• HIPAA security risk assessment

• HIE security assessment
• Infrastructure assessment
• Application security assessment

Given our healthcare domain expertise and experi-

ence with security assessments, we can serve as an
effective partner in getting your information risk
management program started or optimizing an
existing program.

About Redspin
Redspin delivers the highest quality information
security assessments through technical expertise,
business acumen, and objectivity. Redspin cus-
tomers include leading companies in healthcare,
financial services, media/entertainment, retail,
and technology. Some of the largest communica-
tions providers and commercial banks rely upon
Redspin to provide an effective managerial, op-
erational and technical solution tailored to their
business context, allowing them to reduce risk,
maintain compliance, and increase the value of
their business unit and IT portfolios.

© Redspin, Inc. All rights reserved. www.redspin.com l Page 7