
Episode 23

Protect Your Practice Against Cyberattacks

Scott Owens, Owner of BluTinuity, joins us to talk about how ransomware is a huge problem every healthcare practice should be thinking about.
• How to get started protecting your information virtually
• Risk management strategies that you should consider
• Understanding what assets are at risk of cyberattack
Published on 02/23/2024

Episode Transcript

Allison Jones

Good morning, good afternoon, and good evening, and welcome to the Therapy Matters podcast, your one-stop resource for expert insights and advice on everything therapy and rehab. I’m your host, Allison Jones, and today I’m joined by Scott Owens, the founder and owner of BluTinuity. Scott, thank you for joining me today.

 

Scott Owens

Thank you for having me, Allison. I’m excited for our discussion.

 

Allison Jones

Me too. So, Scott, to help set the stage for today’s conversation, just take a few minutes to give our audience some background on who you are and tell us a little bit about BluTinuity.

 

Scott Owens

I’m happy to do that. I am a management consultant who, first and foremost, is passionate about helping organizations understand their risks and helping them plan and prepare for what they hope never happens. I have certifications in information security and privacy through ISACA, business continuity with the Disaster Recovery Institute, and I’m also a certified project manager through the Project Management Institute. All of those have helped me gain a really good understanding of business and how to help organizations.

My company, BluTinuity, really focuses on assessing information security and privacy risks. This includes things like regulatory compliance, technology environments, physical security, people-related risks, and so on. I’ve got about 30 years of experience doing these types of assessments using a variety of security frameworks. HIPAA is the one that everyone’s heard of; of course, there’s CMS; the NIST Cybersecurity Framework is another very popular security framework; and there are others. I do dozens of security risk assessments on an annual basis.

 

Allison Jones

Excellent. Well, thank you for that background. As you mentioned, your team assists organizations in becoming better at understanding risk and protecting their data and assets. That’s what we are going to discuss today. Specifically, what we’re going to dig into a little bit deeper is security risk assessments, or SRAs. 

A little bit of background to set the stage for today. Last November, CMS published the calendar year 2024 Physician Fee Schedule Final Rule. It’s a 1,200-page document that spells out the future of regulatory compliance for clinicians who accept Medicare payments. It covers a number of areas, but notably in this ruling, the upcoming MIPS performance year will bring many important changes for the PT, OT, and SLP community. Providers are now going to be required to participate in the Promoting Interoperability category of MIPS. This is something that has, for the past few years, been automatically reweighted, so it’s a big change.

Under the Promoting Interoperability category, there are a number of sub-requirements to meet for the attestation. A few of them are: you have to have a minimum reporting period of 180 days, you need to be on a certified EHR, and you are required to complete a security risk assessment. Since this can be a newer process for some of our listeners, we want to dive in and learn what an SRA is, why it’s important, how it’s done, how it can help your organization, and everything in between. Sound good?

 

Scott Owens

Absolutely.

 

Allison Jones

All right, let’s dive in. First question for you: what is a security risk assessment?

 

Scott Owens

That’s a great question. The security risk assessment is really a structured approach to evaluating the level of maturity of an organization’s information security program. Typically, it’s measured against a recognized security framework. Earlier, I mentioned the HIPAA Security Rule, the NIST Cybersecurity Framework, and ISO 27001. CMS has acceptable-risk safeguards that include security and privacy, among many others. But it’s important that you use one of those as a baseline.

In addition to a gap analysis against one of those security frameworks to make sure that, from a compliance standpoint, you’re on target or that you’re following best practices, you specifically want to make sure that you identify and rank the unique risks to the organization. As an example, one risk that many organizations should be looking at is what would happen to us if we suffered a ransomware attack, and trying to understand: are we really at risk? What’s the likelihood, and what would be the impact of that happening? It’s really two pieces of a puzzle here that are important.

 

Allison Jones

You mentioned ransomware attacks. How frequently do those happen in health care?

 

Scott Owens

Quite often. In fact, I subscribe to a number of newsletters where I receive information on all the latest data breaches, and you don’t always know about them. They’re not always public knowledge unless it’s a data breach that involves patient information, in which case the HHS OCR, the Office for Civil Rights, which has the authority to oversee HIPAA, will eventually find out about it because you’re required to report a data breach of that nature. If you have a ransomware event, typically the way those work is that all of your data is encrypted, and the bad guys ask for a ransom, a very large sum of money, for you to get your data back. They typically know how much you can afford to spend, either by understanding what your cyber insurance looks like or because they have an idea of your cash position. So, as an organization, it’s about really understanding what that risk looks like and then also knowing what you’re going to do when you encounter it.

How often do those happen? Some statistics would say that one in two organizations in the course of a year has some sort of security or continuity incident. Now, that doesn’t necessarily mean ransomware, but it does mean that organizations are at risk for some sort of event that causes widespread outages or concern. The risk is high. It’s probably the single greatest thing that organizations are focused on right now in protecting their data and their assets.

 

Allison Jones

Health care in particular is one of the leaders in terms of ransomware attacks, correct?

 

Scott Owens

It is. It’s frightening. There’s a survey that’s done every year by IBM and an organization called the Ponemon Institute, and they survey somewhere in the neighborhood of 4,500 organizations all across the world to better understand data breaches. Through the analysis and all the interviews that they do, and there are literally thousands of different interviews, the data that comes back identifies a number of key facets. One of them is that the average cost of a data breach in health care in the United States is almost $11 million. Health care is almost 50% higher than any other industry in terms of cost, and the United States is more expensive than any other country in the world. There are a number of reasons that probably go into those factors, but the sheer cost alone would give you some indication of what that looks like.

 

Allison Jones

It’s important to have a security risk assessment and understand your vulnerabilities and how to protect against them.

 

Scott Owens

It absolutely is. I think an organization is not in a position to be able to mitigate or plan for some of these if they haven’t done a risk assessment and they really don’t know what they’re dealing with. Every organization is totally unique. You might say everyone is vulnerable to ransomware, and I would say that’s true. But some organizations have gone to great lengths to reduce their risk. For instance, they might install anti-ransomware software or do extensive training for users because, more often than not, ransomware gets started when someone in your organization clicks on something in an email that they shouldn’t. There are things that can be done. There are good practices that should be in place, but really, it all starts with the risk assessment because you don’t know where to go or where to start unless you have a baseline.

 

Allison Jones

Walk me through how a security risk assessment is completed.

 

Scott Owens

Sure. What I’ll share is the methodology that we use at BluTinuity for a security risk assessment. I would say this is a tried-and-true approach that has served us well. We’ve been in business for almost 13 years.

There are a number of pieces to this puzzle. The first one is that we always want to take a look at the documentation that an organization has. We’ll send a document request list, and there could be as many as 100 documents that we’d love to take a look at. That includes policies, procedures, org charts, and really any documentation that is technical in nature that gives us some insight into how well the organization manages its security and privacy. Those will be shared upfront, so we get a chance to really understand the business.

Then we facilitate a series of interviews, which will include various leaders in the organization in major disciplines. Mostly it’s security and technology, but there are a number of question lines that also pertain to controls in human resources and physical security, and so there are some other disciplines that are involved.

We walk through the respective security framework that we agree is going to be important, and this framework may require, for instance, that we evaluate your password policy, so we’ll discuss the specifics of your password policy. What does your written documentation say? How have you implemented it across all of your systems? Is that consistent? If you’re a large organization, for instance, I have a hospital client that might have close to 400 systems in use across their system, and if their password requirements are not the same all the way across, that could be an area of risk.

We’ll compare what you’ve done to good practice and the standards that have been outlined, and then I’ll offer some coaching through what the expectations are. If you came back to me and said, well, we only have a four-character password on our electronic medical record system, I would say in 1996, that’s probably perfect. It’s better than most. But today, that would be woefully inadequate. We would talk about what’s good for today and some of the things that you would really need to implement, and then how to bridge that gap.

As we get into these interviews, we’ll look at topics like security roles and responsibilities, policies and procedure implementation, risk management strategies, and vendor risk management. Here’s one that really has become important over the last few years: you may have a well-organized security program and a very mature program, but if you’re sharing data with vendors and they have access to some of your systems, do you know that their security is equivalent to yours or at least meets your requirements?

We’ll look at asset management, access controls, training, awareness, incident response, and the very long list of topics that we’ll get into, all while conforming to the cybersecurity standard that we have been talking through and trying to understand all of your assets, systems, software, technology, laptops, tablets, phones, and any device that is in use. We’ve got to understand what that is, where it is, who owns it, and is it secure? Particularly with the work-at-home, remote workforce a lot of organizations have moved to, what you’ve done in effect, and a lot of people won’t like to hear this, is that you’ve extended your corporate network into people’s homes. If you have a device that’s on someone’s personal wi-fi with your cable company or whoever is using a router that you bought at a garage sale, and we have no idea how secure that is, that’s a risk. Organizations really need to understand what that looks like and then maybe think about how to remediate some of that.

As we go through, another thing that’s a major part of this is taking a look at individual risk items. At BluTinuity, we’ve got a risk management register tool. It’s a spreadsheet model that looks at over 125 common risks. As an organization, you may have a list of risks. Maybe you have a matrix like this, and that would be fantastic. But we want to cover a lot of different areas across technology, physical facilities, people, and business risks and put them into a scoring system so that you can understand and prioritize what your risks are.

I use a model that calculates likelihood and impact and a factor that I call velocity, which is how quickly the risk reaches its maximum effect, and we multiply those, and you ultimately end up with a weight or a rating, and you can categorize this as a high, medium, low, or a critical risk, something of that nature. As you do that, what you start to find out is that you may become uncomfortable with some of the scoring.

For instance, we talked about ransomware, and this is a critical risk. If you’ve really not attended to it and no one’s had any discussions internally at a leadership level about how we’re going to better prepare ourselves for ransomware, then that’s a question that needs to be asked. Are you ready to accept that risk? Because now you know that this is bad news.

You process through each one: “Is it okay if our antivirus software doesn’t work?” and on and on and on, ultimately to get to a point where people can sleep at night. If you have a hundred risks on here and you can’t accept the risk because you look at it and you say, “Gosh, this is really too high, this is scary for me,” then the organization has learned a lot, and it’s time to get a team together to start working through some of these.

Another thing that may be included in an SRA is a technology-focused assessment, a vulnerability scan, where we take a look at whether there are vulnerabilities or missing patches on devices and bring some information back. That’s an optional thing.

A penetration test is another component. Typically, that’s an external consultant who is hired to attempt to break into your system, in effect, and then give you a report back. All this information that we pull ultimately goes into a deliverable report. We’ll have some conversations afterwards about what the next steps are. That’s a deep dive into what a very comprehensive risk assessment looks like.

 

Allison Jones

Excellent. Thank you for that. There are a couple of things that I wanted to pull out of that that I think are important to understand. It’s not just about the technology piece of it; in a security risk assessment, you mentioned physical facilities and people. It includes all of those aspects, and that’s an important part to understand too, because your people can be just as big of a risk as your technology when we’re talking about phishing, for example. Phishing is a really easy way to break into people’s systems: just send an email out to somebody that looks like it’s from somebody within your facility, but it’s spoofed, and suddenly, bad actors are in your system. The same goes for doing that type of testing on the facility itself. I know that, having worked for EHR and EMR companies where we have access to a PHI facility, security is really important, right down to the idea of piggybacking when you have badging into a facility and not letting people piggyback.

 

Scott Owens

Piggybacking is huge.

 

Allison Jones

For those of you who may not understand what piggybacking is: when you badge into a facility and people try to come in with you without badging themselves in, that’s called piggybacking.

 

Scott Owens

It is absolutely a security risk. If you don’t know who that friendly person is who’s following you into the office, you need to know because there’s always risk there if you don’t understand.

 

Allison Jones

It could even be a friendly person that you do know, but that person does not have access to that part of the building and shouldn’t be in there. There are lots of different levels that you need to understand. Building on that, what are some of the benefits of having a security risk assessment?

 

Scott Owens

Well, I think most importantly, what I was mentioning in the last question, is that you essentially can’t manage the risk to the organization, your systems, and your data unless you take the time to understand and assess it. Once you understand your risk, you can develop long-range strategies to improve your maturity and reduce and manage risk. The SRA basically gives you a baseline measurement. You may find that there’s some low-hanging fruit. We can implement a policy in two hours, and we can solve a problem. Sometimes it’s more complicated. Sometimes you’ve got to invest some significant dollars to get there. But the scary part is that if you don’t know that you have vulnerabilities, for instance, a laptop that’s not checking in to get its antivirus updates, there’s a vulnerability there that you need to make sure that you manage well.

Other things that are benefits or reasons to do this are that the SRA is usually a requirement to obtain favorable rates or any rate for cybersecurity insurance. Most organizations have cybersecurity insurance. The amount you cover depends on the size of the organization, the complexity, the data, and a number of other things, but what I do know from helping organizations negotiate some of these contracts is that your level of security maturity matters when it comes to the dollars that you spend, not just in premiums but also in your deductible. That’s an important piece.

There’s obviously a compliance component in health care. This is a requirement of HIPAA, straight up. Whether you’re a covered entity or whether you’re a business associate, you are required to complete one of these on an annual basis. Now, HIPAA does not lay out exactly what the format, the structure, or the requirements are, so you have a little bit of flexibility to go ahead and structure however you see fit, as long as it complies with good practice. If you ask two questions and you have two sentences, and you turn that in to the OCR and say, “Here’s my risk assessment,” they’re going to laugh you out of town after they fine you, perhaps.

You have to do a reasonable job on that. Those would probably be the major things that I would look at. I always encourage organizations to do the right thing. Don’t be driven purely by compliance. Compliance is important, but you can be fully compliant with HIPAA and still have a frightening security incident because there is a hole in your security.

HIPAA was architected and signed into legislation almost 30 years ago. When that was put into place, a lot of the things that we take for granted today, no one had even thought about. Wi-fi didn’t exist. Smartphones didn’t exist. Bluetooth didn’t exist; all of the ransomware—the list goes on. It’s important to recognize that the world changes. In order to stay ahead of the game with your risk assessment, you really have to understand what’s current in today’s risk and threat models.

 

Allison Jones

Absolutely. What you described in terms of what a security risk assessment is is very deep. It’s very complex. How much work or how much time does it take for an organization to go through a security risk assessment process?

 

Scott Owens

It depends on the approach that you take. If you’re going to undertake this by yourself on an internal basis, you probably could expect to spend upwards of 60 to 80 person-hours combined doing a really comprehensive review, talking to all the people that are involved, and reviewing documentation. I guess perhaps less if you didn’t put together a final report like a consultant typically does, but it’s a fairly significant exercise. If you hire someone to assist, what you end up with is the time to gather documents on the front end, then the interviews, which could be anywhere from 6 to 12 hours’ worth of time, depending on the security framework, and then some follow-up later.

One of the benefits you get from hiring a consultant is probably less internal time in addition to the expertise. HIPAA does not require that you have to hire outside, but you may find great value in doing so. I guess the most important takeaway here is that this is not just a team meeting on a Friday afternoon to walk through a checklist. The risk register exercise that I mentioned earlier might be a half day with your team in and of itself if you’re going to go deep enough to give you the kind of data that I think you’ll need to make some smart decisions at the end.

Allison Jones

It’s not going to be a check-box exercise. You’re just going to do yourself a disservice by approaching it that way.

 

Scott Owens

Absolutely.

 

Allison Jones

How often should you be doing security risk assessments?

 

Scott Owens

Well, the best practice, and I think everyone in the security world would share this viewpoint, is an annual risk assessment, something comprehensive like this. HIPAA and some of these other frameworks don’t come right out in the language and say, thou shalt do one every year, every 12 months. But really, if you think about all the changes to the organization that are made in the course of a year—new servers, new software—every time you make a change like that, it changes your risk quotient. It really is important to take a look at this annually.

There may even be some risks that need attention more frequently. When we talked earlier about ransomware, if you identify that ransomware is a critical risk to the organization, it’s probably a good idea that you’re spending more time on it. Maybe that’s a quarterly review to circle back and say, “Are we still comfortable? Have we done anything? Have we done all we can?” Whereas for low-risk items, like what’s the risk of the Internet taking us down if you’ve got redundant connections with different Internet carriers, you might say, “Well, based on the controls that I’ve put into place, the risk is very low. We don’t need to talk about this for another 12 months.” Even in the next 12 months, we don’t really need to talk about it. If nothing has changed, we can keep the score where it is and move on.

I think it’s good practice for an organization to have a quarterly review, but not everything reviews at that level. The big one happens annually, and more important things are brought to the table more frequently.

 

Allison Jones

Scott, you’ve conducted hundreds of security risk assessments. What is the biggest mistake you see organizations make when going through the process?

 

Scott Owens

I think probably the biggest mistake is maybe not during the process, but right after the process: not taking information security seriously. I’ve worked with organizations that have reached out and said, “I’ve got an audit coming,” or “a compliance deadline is coming,” or “one of my clients just said I have to do this.” We start having a conversation, and they have nothing. They have no policies, no procedures, and no controls. They don’t understand password management. I mean, the list goes on. In a case like that, you wonder sometimes how they haven’t already been victims of some serious incident. It’s going to take a long time to get to a point where you’re in a good position. As I mentioned earlier, organizations are regularly victims of cyberattacks, some of them very serious, and not taking these things seriously is a big mistake.

I would also probably say that one of the single greatest vulnerabilities to an organization is people in general. Now, “people” is not a specific risk, and you wouldn’t be scoring the word “people” in your exercise. But take phishing attacks; social engineering, which is any sort of attempt to get someone to give up information that they have and that shouldn’t be given to the person on the phone or at the other end of the email or text; and stolen or compromised credentials. If you put those attack vectors into one bucket, that accounts for about 40% of all security incidents in 2023, according to that IBM Ponemon survey that I mentioned. That’s a significant amount that you can attribute to just one classification.

The interesting thing is that those are all areas where awareness and training can have a very strong positive impact. If an organization hasn’t gone through a security risk assessment and they don’t know what their training needs are and they haven’t been able to connect the risks that they’ve talked about to the training, they may not take the time to educate users as they should, and they leave a big opportunity on the table.

This changes over time. If you had asked me the same question five years ago, I may not have said the greatest vulnerability is people. But the sophistication and complexity of some of the attacks that I see with people are remarkable, and the way they can trick people into giving up their credentials and their multi-factor authentication codes and take over accounts, and then move from a user account to an administrative level of privilege in the network, is amazing.

I’ve unfortunately been in positions where I can watch this in real time while working with some of my clients. The speed and the targeted nature of the way these guys cover their tracks are really remarkable. This is not some teenager in a garage hacking his way into your network. These are crime syndicates in countries that don’t like the United States coming after health care data. Training individuals and training your users is really important. Like I said, if an organization doesn’t understand what their needs are or some of these risks through the risk assessment, they’re missing out on an opportunity to really affect their maturity.

 

Allison Jones

It’s very scary, the sophistication of the phishing attacks that you see. We get them quite frequently. I mean, they’re really good. It looks so genuine when it comes in that sometimes you just have to take a step back and go, “That looks real.” It looks very real. So it’s easy to see how people are tricked into providing the information.

Scott Owens

The bad guys do a really good job of making their phishing attacks seem realistic. They use tactics such as urgency, making a message look like it came from someone important in the organization, and deflecting, to say: “This is so-and-so, the CEO. I’m just about to get on a plane, so you can’t reach me. Don’t bother to text. But if you could wire $20,000 into this account, we have a new vendor, and everything would be wonderful.” Now the CFO is left with, “Well, I don’t want to disappoint my boss, but at the same time, this is not a usual request.” They’re very sophisticated.

 

Allison Jones

Yeah, it’s scary. Any final thoughts that you want to leave the audience with today?

 

Scott Owens

I would love to share with your listeners, Allison, that a mature information security program really starts with a security risk assessment. You’ve got to measure and put yourself in a position where you can pull pieces out. Sometimes it may take a while—maybe it’s a year—to fully implement all the improvements that are needed. But really, in health care, particularly, but in other industries too, protecting your data and your assets is one of the single most important things a company can do. It’s a cornerstone of continual improvement to have that security risk assessment, which gives you the baseline. That is all the data that you really need to get started on improving your program. I just can’t stress it enough. It is one of my passions, I would say, but I think with good reason. You can’t start to manage your program well unless you know where you’re beginning.

 

Allison Jones

Scott, if people want to learn more about BluTinuity, how can they get in touch with you?

 

Scott Owens

Absolutely. I would invite them to go to my website, blutinuity.com, and that’s spelled B-L-U-T-I-N-U-I-T-Y.com. There’s a contact page; you can fill that out, and it’ll send me an email and provide your contact information. My website also contains pages that describe not just the security risk assessment but some of the other services that BluTinuity can assist organizations with. That’d be a great way to reach out to us, and we would look forward to understanding your organization and helping in any way we can.

 

Allison Jones

We are out of time for today, but I want to thank you so much for joining us. This has been a wonderful discussion, with so much great information for our audience to take in. Security can be a scary topic, but there are things that we can do to make sure that we are making our organizations safer. You have given us a lot of great things to consider today. Thank you so much for joining us. We really appreciate it.

Thank you to our audience for tuning into the Therapy Matters podcast, your one-stop resource for expert insights and advice on everything therapy and rehab. We look forward to seeing you in the next episode.

 

Allison Jones

Thanks for listening to Therapy Matters. Do you like the podcast? Give us a five-star rating, subscribe, and tell all your friends about the show. Want to be a guest or know someone that would be a great guest speaker? Contact me at allison.jones@raintreeinc.com. That’s A-L-L-I-S-O-N.jones@raintreeinc.com.

Therapy Matters is brought to you by Raintree, therapy and rehab’s favorite EMR. Raintree is the only all-in-one therapy EMR, delivering a complete and seamless end-to-end patient journey from first contact to payment to patient retention. To learn more about Raintree, visit us online at raintreeinc.com.

 
