Security Risk Analysis: The Challenges Community (and Small) Hospitals Face in Protecting PHI – Part II

NOW Interview with Carl Kunkleman

Conducting a security risk analysis is a requirement of the HIPAA security rule. Expanded under the HITECH Act of 2009, and modified by the 2013 Omnibus Rule, a security risk analysis is also a core requirement for Meaningful Use under the EHR Incentive Program, as well as for MIPS. Surprisingly, the process of conducting a SRA is still a challenge for many providers and healthcare organizations, made more complicated by the rise of cyber security threats.

I had an opportunity to talk with Carl Kunkleman, the co-founder and senior vice president of ClearDATA, specifically about why small and community hospitals struggle with conducting a security risk analysis. Here is Part II of the interview. Read Part I here.

We’ve spent time talking about the challenges of conducting the SRA. But after it is completed, what’s next? This is not a one-and-done process.

Carl: You’re right. After that, it’s all about remediation. So, first, you want to do a risk analysis to get that baseline. In our process, we actually give all of our customers at the end a risk remediation roadmap that literally shows the high, medium and low risk associated with PHI. You know, the OCR knows that you can’t boil the ocean. The key is completing the SRA and to begin remediating any identified high risks. As a high-level example, if you did a risk analysis and you identified, pick a number, five high risks and you were in the process of working on number three and you’re breached at number five and had to report that breach to the OCR, that’s a much different conversation with the OCR than saying, “I never did a risk analysis. I had no idea this existed.” That’s a big, big difference. The key really is in that remediation road map.

Another big consideration is the old hardware and software. Our customers started saying to us, “Hey, listen. This is going to cost us a lot of money to buy new hardware and software.” And then we started saying to them, “Well, if you want to, you should consider at least moving PHI-based workloads into the Cloud.”  When you’re moving to the Cloud there are three big questions:

  1. What should move to the Cloud?
  2. What could move to the Cloud?
  3. And then, really, what workloads should not move to the Cloud?

Back-up and DR should both move to the Cloud. EMR could move to the Cloud if you want to. If you’ve got some study going on that uses a lot of computing, that’s not appropriate for the Cloud as it would frustrate your users. Those are the big ones I see.

So, you talked about these IT staffs in community and small hospitals being overworked, little bandwidth, limited budgets, etc. How do these smaller and community hospitals pay for an SRA?

Carl: For Stage I Meaningful Use the SRA was a core requirement. For Stage II it is also a core requirement. For Stage III last year the SRA became the number one core criteria. So, you’ve gotta do it to get your meaningful use dollars. If you’re attesting for meaningful use, of course, they can record the cost of the SRA to help them get to meaningful use, it can be written off or reimbursed through that meaningful use cost report, that’s the easiest way. Now, many of our hospitals and especially our FQHCs, if they’re not going for meaningful use they choose to use a different model. We actually have, I’m not sure about others, but we have a thing called “SRA as a Service.” It’s kind of the SRA plus. We help them monthly with their compliance meetings. We also do breach simulations and a few other things. The big advantage in terms of cost that way is it’s a monthly subscription service versus a capital expense. So, they can write it off as an operational expense versus a capital expense.

I think the real question is can they afford not to do an SRA? You know, it’s a federal requirement and with the ongoing threat of a PHI data breach, you want to make sure your attorney has evidence that you’re following the HIPAA rule and remediating the risk. For community-based hospitals, it’s really not that expensive. I have found in my experience for the past seven years now of doing this is typically these are the best people and they want to learn. And so, part of the SRA process, when we go through it the first time there’s a huge educational process where they go, “well why does it say that” “what does it mean to me?” and “can you show me how to do it over here?” And then, they get their money’s worth. They really do. And, I haven’t had one customer say that wasn’t worth it. Just the opposite, they say, “Gosh, that was really worth it.” I had one customer call me two days ago, after the SRA and she said, “You know what, I didn’t realize how sloppy we had gotten before I did the SRA.” It’s not that people get sloppy I think. And, I told her that. I said it’s really about you’ve got a full-time job and this is kind of a check-in once every year to make sure you didn’t miss anything.

So, what do you see as the next step in the evolution of HIPAA compliance? I mean the last major piece that was passed was the Omnibus in 2013. There hasn’t really been anything since then.

Carl: Well, in terms of risk analysis, first of all, it’s here to stay, it’s not going away. HIPAA is no longer a paper tiger. Just go to the Health and Human Services wall of shame and you can see what people are paying. So, beyond meaningful use, really there’s a couple of things. First, if you start reading about MIPS and MACRA, the risk analysis is part of the MACRA requirements. Again, the second piece is that after the risk analysis is completed you really need to prove that you are actively adjudicating risk. Now, we’ve actually created a whole SRA dashboard for our clients, it lets them see where they stand against each of the 50+ safeguards and we’ll update it for them as they go through. So, we give them a baseline from the SRA, 90 days later they call and they say, “Hey, we fixed this thing over here.” We’ll update their scorecard for them. The reason it works, I think, and what most administrators like is that we also have benchmarking and the bench is pretty strong. It’s a couple thousand providers now. So, we say, “Hey, here’s where you stand.” But what is the population of hospitals under 100 beds look like? How do I stand?

We actually took another step further in terms of evolution at ClearDATA: we now have a complete compliance dashboard. So, if you’re in our Cloud you have a compliance dashboard in your Cloud you look at every single day. We monitor it for you. We manage it for you. And, if an alert goes off we tell you. So, that’s really the next thing trying to get ahead of these. Especially for small and community-based hospitals where they really don’t have, you know, the time, the bandwidth, the expertise to go through and maintain all the updates. Our cloud is HIPAA-compliant and HITRUST-certified. That’s the highest standard in terms of a certified security framework for healthcare. That’s how we do it. And then, we stand it up for them for 24/7.

I was at a hospital in the mid-central where the IT manager was also a surgi-tech and he was working his tail off trying to do both things. But those are two full-time jobs. He really couldn’t do both. We found gaping holes and he had no idea. Of course, he was embarrassed. But, he had two full-time jobs he was trying to knock out. MACRA goes all the way to 2025. So, in terms of doing a risk analysis, you’re going to need to have one in place for at least the next seven or eight years, for sure.

Learn more about Carl Kunkleman and ClearDATA at: www.ClearDATA.com.