Matthew J McMahon, profile picture
Uploaded byMatthew J McMahon
DOCX, PDF353 views

McMahon & Associates Risk Management Strategy

This document outlines McMahon & Associates Clinical Services' risk management strategy. It discusses selecting Athena Health as their cloud-based software vendor to eliminate the need for an on-site IT department. It also covers obtaining cyber insurance to transfer some liability risks and implementing workforce training through Pluralsight to address the human factor in cybersecurity. The strategy aims to reduce third-party risks, develop cybersecurity skills, and follow frameworks like NIST to maintain regulatory compliance and security best practices.

Healthcareâ—¦

Embed presentation

Download to read offline
McMahon & Associates Clinical Services Risk Management Strategy Matthew J McMahon Cybersecurity in Healthcare Administration Salve Regina University May 04, 2017
2 Contents Executive Summary……………………………………………………………………...…..........3 About McMahon & Associates Clinical Services…………...………..………………….….........3 CHAPTER ONE. Reducing Third Party Risk…………………………………………...…..........3 CHAPTER TWO. Cyber Insurance…………...……...……………………………………...........4 CHAPTER THREE. Workforce Development….……...…………………………………............5 CHAPTER FOUR. Risk Management Frameworks………………….…………..………............6 CHAPTER Five. Secure Data Usage...….……...…………..……………………….....................7 Conclusion……………………………..………………………………………………………….8 Revision History…………...………………………..…………………………………………….8
3 Executive Summary In today’s day and age, cyber-attacks on hospitals are becoming more and more prevalent. Of all of the United States Critical Infrastructures the healthcare sector is the most targeted by persistent cyber-attacks.1 In a threat landscape where a medical record sells for ten times on the dark web what a credit card record does it is imperative that McMahon & Associates Clinical Services create and implement a comprehensive Risk Management Strategy.2 About McMahon & Associates Clinical Services McMahon & Associates Clinical Services is a small, twelve provider clinical counseling service which resides in a small office located at 123 Main Street in Sharon, Massachusetts. The organization rents office space in the same building as a law firm and a doctor’s office but is separated from these businesses by two sets of locked steel doors. The office receives patients on an appointment only basis and operates between the hours of 8:00 AM EST and 8:00 PM EST. The facility utilizes the Athena Health cloud based software platform for clinical documentation, scheduling, routine paperwork and billing purposes. It also utilizes Outlook for email. CHAPTER ONE Reducing Third Party Risk McMahon & Associates Clinical Services has opted to utilize Athena Health as their cloud based clinical documentation, scheduling and billing software solution. An extensive cloud usage strategy report has already been completed in McMahon & Associates Clinical Services Cloud Usage Strategy Report.3 This risk management strategy paper will only touch on applicable highlights from that report. The McMahon & Associates Clinical Services Cloud Usage Strategy Report, extensively details the criteria used for selecting Athena Health among the other vendors that were reviewed.4 Chilmark Researches’ EHR Vendors’ Capabilities for Interoperability, report was an essential tool in comparing and contrasting Athena Health with its ten closest competitors in terms of data privacy and security compliance, secure connection controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.5 1 Hacking Healthcare IT in 2016: Lessons the Healthcare Industry can Learn From the OPM Breach. Institute for Critical Infrastructure Technology. (January, 2016) 2 See note 1 above. 3 McMahon,Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report. April (2017) 4 See note 1 above. 5 Chilmark Research. EHR Vendors’ Capabilities for Interoperability. July (2015)
4 The driving force in the choice of Athena Health was its ability to essentially eliminate the need for a traditional IT department.6 This not only reduces overhead but also liability associated with maintaining and securing a traditional IT infrastructure.7 The solution utilizes the software as a solution (SaaS) cloud model which allows for varying levels of role based access.8 Providers access and enter patient health information (PHI) only after accessing the password protected, secure (https) Athena Health website over a secure internet connection.9 While Athena Health is typically thought of as a small electronic medical record (EMR) provider in light of it’s much larger competitors such as MEDITECH, EPIC and Cerner its market share entails servicing over 62,000 providers and is steadily growing. Athena Health’s interfacing capabilities are well demonstrated with over 30 strategic interfacing partners and a fulltime dedicated interface team to build new links from Athena to other third party software vendors.10 Before making the final decision to choose Athena Health as the SaaS cloud based EMR vendor for McMahon & Associates a risk assessment was completed per the specifications laid out by the National Institute of Standards and Technology (NIST.)11 This risk assessment included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown, Massachusetts where decision makers were given a tour of the campus and provided detailed descriptions of secure offsite data storage facilities.12 After reviewing the vendors applicable security documentation for its SaaS cloud based EMR system which included the industry standard manufacturers disclosure statement for medical device security (MDS2) and product specific security whitepaper, which have been kept on file, it was determined that the software solution meets all relevant regulatory compliance measures defined in the Health Information Portability and Accountability Act (HIPPA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.13 CHAPTER TWO Cyber Insurance Cyber liability is a major concern for healthcare providers. Most general healthcare provider insurance policies exclude liability coverage associated to cybersecurity.14 Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape, improving patient privacy protections and underwriting the risk associated with operating a 6 ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud. 7 See note 5 above. 8 Cloud Computing Standards Council. Impact of Cloud Computing on Healthcare. November (2012) 9 Murphy,Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal, March 5 (2015) 10 Athenahealth . What Cloud-based Services Can Do for Your Medical Practice Whitepaper. January (2012) 11 See note 3 above. 12 AthenaHealth Website https://www.athenahealth.com 13 See note 3 above. 14 Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report . (2011)
5 healthcare organization.15 General security requirements as a precursor to insurability and the ability to conduct timely and efficient security audits will revolutionize the healthcare sector in the future, driving new legislation and best practice guidance.16 Some liability is transferred from McMahon & Associates to Athena Health by the use of a third party, cloud based SaaS EMR system, hosted by Athena Health as Athena then becomes a “business associate,” of McMahon & Associates and inherits certain responsibilities for data protection under HIPAA.17 Even with the utilization of a third party cloud based EMR the acquisition of cyber insurance is strongly recommended. It has the potential to cover the organization should PHI be compromised via Outlook or other business tools or if office property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third party or business associate such as Athena Health. It should be noted though that irresponsible data protection behavior such as sending PHI data via unencrypted email or leaving an unencrypted laptop is a car which is then stolen may not be covered by cyber insurance as the incident does not meet the insurance provider’s minimum protections requirements. CHAPTER THREE Workforce Development In the cybersecurity realm the weakest link is often the human factor. In response to this, even a small twelve practitioner clinical office needs to incorporate a cybersecurity workforce development program. In the industry currently there is a massive shortage of skilled cybersecurity professionals.18 This shortage makes internal training programs all the more imperative. As McMahon & Associated is a small office the third party online cybersecurity vendor Pluralsight will be utilized for employee cybersecurity training with specific courses required at the beginning of their employment and refreshers every six month thereafter.19 The vendor offers comprehensive security trainings delivered in an interesting and interactive video format. The Pluralsight requirements for employees will be managed by President and defacto IT manager Matthew McMahon. Coming from the corporate cybersecurity realm, Matthew holds various certifications in the security realm and regularly stays abreast of new security developments and trends by attending regular security conferences as well as subscribing to popular security publications. Another important component of training is the consideration of third parties training processes, evident by the now infamous Target hack that was the result of an improperly trained 15 McArdle, Jennifer. Incident Response and Cyber Insurance.(Presentation, Salve Regina University, Newport, RI 2016) 16 Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings. (May 2016.) 17 See note 9 above. 18 Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security. 19 Pluralsight. https://www.pluralsight.com/
6 third party vendor employee clicking on a link in an email that launched an attack.20 Having extensively accessed the security training methods of Athena Health employees via Athena’s product security whitepapers it appears that the company has done its due diligence in training its employee’s in cyber protections.21 CHAPTER FOUR Risk Management Frameworks McMahon & Associates Clinical Services understands that a large part of staying secure means keeping up to date with industry standards. The organization recognizes and adheres to the following security policies; Common Security Framework (CSF,) Health Information Trust Alliance (HITRUST) as well as the International Organization for Standardization (ISO.)22 Employee security trainings specifically target covering content recommended by these advisory bodies. The organization also aims to adhere to all relevant legislation, FDA guidance documents and mandates. Notably these documents include Executive Order 13636 which calls for the protection of our nation’s critical infrastructure, to include the healthcare sector.23 This Executive Order directly contributed to FDA Guidance documents that describe medical software and device best practices; Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff24 Also, pertinent is Executive Order 13691 which calls for the sharing of cyber defense information among government entities and for-profit companies.25 While McMahon & Associates has not directly engaged in the sharing of security related information in an industry forum it realizes the eventual need for this and will participate in future discussions with other small businesses and government entities. While there has been some debate on this McMahon & Associates concludes that medical software (Athena Health) should be classified as a “medical device,” and in so doing also adheres the following FDA Guidance documents that describe best practices; Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff26 as well as the Guidance for Industry Part 11, Electronic Records; Electronic Signatures, Scope and Application. The NIST document Framework for Improving Critical Infrastructure Cybersecurity is also relevant27 In addition to these general guidance documents McMahon & Associates has adopted the Advanced Cybersecurity Group List 20 Ormes, Eric and Herr, Trey. Understanding Information Assurance. (October, 2016) 21 See note 9 above. 22 See note 4 above. 23 Executive Order 13636—Improving Critical Infrastructure Cybersecurity 24 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff 25 Executive Order 13691—Promoting Private Sector Cybersecurity Information Sharing 26 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff 27 FDA. Framework for Improving Critical Infrastructure Cybersecurity
7 Checklist, as it model for measuring and quantifying risk assessment and used this form during the review process of Athena Health as it’s SaaS cloud based EMR solution.28 McMahon & Associates regularly conducts security threat and risk assessments (TRA’s) on the tools it utilizes such as Athena Health for clinical documentation as well as Outlook for secure email among others. When completing these assessments it uses the Common Vulnerability Scoring System v3.0.29 These TRA’s are completed by President and defacto IT manager Matthew McMahon, whom congruent with risk management framework guidance has been deemed the responsible person to manage cyber security for the system. In his absence, responsibility and decision making in the realm of cyber security are passed along to company Vice President Carl Jung who has been properly trained as the Presidents backup and currently holds the following certifications: CompTIA Security +, Network + and has attended the SANS SEC401 Security Bootcamp course. CHAPTER Five Secure Data Usage Secure data usage is a top priority for McMahon & Associates. A study recently completed by the Ponemon Institute showed that of employees sampled over one third admitted that they were aware of coworkers that were not adhering to proper data usage company policies and sharing restricted data outside of their companies firewall.30 To assure data protection the organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality, Integrity and Availability of data. Security relating to confidentiality is partially handled by our business partner Athena Health that manages the EMR. Because of this relationship Athena Health is responsible for securing all hardware and database configurations. McMahon & Associates responsibilities rely on assuring secure access and proper access control utilizing the least privileges model. Users accessing Athena Health’s online portal should create robust passwords that are regularly updated.31 Employees no longer in the employ of McMahon & Associates should have access immediately revoked. PHI should also only be emailed when absolutely necessary and when necessary utilize encryption and two factor authentication which requires both a password and public key identification (PKI) card to access. All paper PHI should be shredded. All company phones and laptops used to access patient data shall utilize encryption. McMahon and Associates has a firm no bring your own device (BYOD) policy for accessing patient data. The integrity component of McMahon & Associates data usage policy is again largely handled by our business associate Athena Health who utilizes checksum technology to assure data entered by a software user is uploaded correctly. The utilization on an EMR is in itself a 28 Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist. (May 27, 2015.) 29 Common Vulnerability Scoring System v3.0 Specification Document. www.First.org 30 Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute. (October 2014) 31 McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information. (Presentation, Salve Regina University, Newport, RI 2016)
8 method to protect the integrity of data. All data is entered into the Athena Health system and displayed clearly. Audit logging shows who entered data and when. Most data is not able to be edited but if editing is allowed for certain features such as clinical notes that information is logged and auditable.32 The availability component of the triad was one of the main driving factors in deciding to utilize Athena Health as an EMR. McMahon & Associates data is backed up to several different databases on various secure servers scattered around the globe so the risk of the software being unavailable is unlikely. In the event of the software system being down staff are to return to a paper documentation system until the system is back online. As the office is a clinical counseling practice and does not practice emergency medicine, nor does it administer medication the risk associated with documenting on paper is minimal.33 Conclusion It is the goal of McMahon & Associates Counseling Services to not only provide the highest quality of clinical care to our customers but to also prioritize the security of our customers protected health information. It is our belief that this risk management strategy report is a step towards that goal but understands that to achieve a robust security posture an organization and its policies must be fluid and keep up with the threat landscape. This document is meant to be general guidance and not an all-encompassing. Review Process This document shall be reviewed and updated once a year during the month of May. A record of reviews, edits and updates shall be recorded below for posterity. Revision Date Author(s) (Changed By) Change(s) 00 2017-05-04 Matthew J McMahon Initial version 01 02 03 32 See Note 5 Above. 33 Ibid.

More Related Content

DOCX
The Security and Compliance Plan for Maxistar Medical Supplies Company
byAbdulrahman Alamri
 
PDF
IT Security and Compliance Program Plan for Maxistar Medical Supplies Company
byJames Konderla
 
PDF
Operational CyberSecurity Final Case Report
byJames Konderla
 
PDF
4. data security eb__1_
byAppsian
 
PDF
State of Security McAfee Study
byHiten Sethi
 
PDF
IT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAM
byIJCSEA Journal
 
PDF
A New Approach to Healthcare Security
byAngel Villar Garea
 
PDF
vmware-best-practices-healthcare-it-security-whitepaper
byTony Amaddio
 
The Security and Compliance Plan for Maxistar Medical Supplies Company
byAbdulrahman Alamri
 
IT Security and Compliance Program Plan for Maxistar Medical Supplies Company
byJames Konderla
 
Operational CyberSecurity Final Case Report
byJames Konderla
 
4. data security eb__1_
byAppsian
 
State of Security McAfee Study
byHiten Sethi
 
IT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAM
byIJCSEA Journal
 
A New Approach to Healthcare Security
byAngel Villar Garea
 
vmware-best-practices-healthcare-it-security-whitepaper
byTony Amaddio
 

What's hot

DOCX
Scenario you have recently been hired as a chief information gov
byAKHIL969626
 
PDF
Identity and Access Intelligence
byTim Bell
 
PDF
HIPAA Security Risk Assessment
byMarci Fugarino SPHR, SHRM-SCP
 
PDF
Continuous Monitoring: Introduction & Considerations – Part 1 of 3
byEMC
 
PDF
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
byRedspin, Inc.
 
PDF
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
byIJNSA Journal
 
PDF
564 complete class
byhwcampusinfo
 
PDF
9545-RR-Why-Use-MSSP
byAlex Himmelberg
 
PDF
Ch3 cism 2014
byAladdin Dandis
 
PDF
Are NIST standards clouding the implementation of HIPAA security risk assessm...
byDavid Sweigert
 
DOC
Risk assessment report
byEugene Mukuka, BSc. MBA, MSc
 
PDF
N018138696
byIOSR Journals
 
PDF
Prevention is futile in 2020 - Gartner Report in Retrospect
byJermund Ottermo
 
PDF
Meaningful use, risk analysis and protecting electronic health information
byRedspin, Inc.
 
PDF
Safeguarding the Enterprise
byADGP, Public Grivences, Bangalore
 
PDF
Ch2 cism 2014
byAladdin Dandis
 
DOCX
Ass3201 cyber securityassignment
byharinathinfotech
 
Scenario you have recently been hired as a chief information gov
byAKHIL969626
 
Identity and Access Intelligence
byTim Bell
 
HIPAA Security Risk Assessment
byMarci Fugarino SPHR, SHRM-SCP
 
Continuous Monitoring: Introduction & Considerations – Part 1 of 3
byEMC
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
byRedspin, Inc.
 
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
byIJNSA Journal
 
564 complete class
byhwcampusinfo
 
9545-RR-Why-Use-MSSP
byAlex Himmelberg
 
Ch3 cism 2014
byAladdin Dandis
 
Are NIST standards clouding the implementation of HIPAA security risk assessm...
byDavid Sweigert
 
Risk assessment report
byEugene Mukuka, BSc. MBA, MSc
 
N018138696
byIOSR Journals
 
Prevention is futile in 2020 - Gartner Report in Retrospect
byJermund Ottermo
 
Meaningful use, risk analysis and protecting electronic health information
byRedspin, Inc.
 
Safeguarding the Enterprise
byADGP, Public Grivences, Bangalore
 
Ch2 cism 2014
byAladdin Dandis
 
Ass3201 cyber securityassignment
byharinathinfotech
 

Similar to McMahon & Associates Risk Management Strategy

DOCX
McMahon and Associates Cloud Usage Policy Paper
byMatthew J McMahon
 
PDF
IT-as-a-Service Solutions for Healthcare Providers
byEMC
 
PDF
IT-as-a-Service Solutions for Healthcare Providers
byEMC
 
PDF
Healthcare Cybersecurity Whitepaper FINAL
bySteve Knapp
 
PDF
2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
byMOHAMMED YASER HUSSAIN
 
PDF
Health Industry Cybersecurity Best Practices
byDan Wellisch
 
PDF
Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207
byErik Ginalick
 
PDF
Microsoft cloud services_risk_management_in_european_health
byMikael Dalsgaard Jensen
 
PDF
An Overview of HIPAA Laws and Regulations.pdf
bySeasiaInfotech2
 
PDF
Executive Brief- 4 Critical Risks for Healthcare IT
bySungard Availability Services
 
PPTX
Sean Cassidy: The Naked Health Information Exchange
byNashville Technology Council
 
PDF
arcsight_scmag_hcspecial
byPaul Brian Contino
 
PDF
HITRUST CSF Meaningful use risk assessment
byVinit Thakur
 
PPTX
Building Future-Ready Healthcare IT Platforms: Get To The Cloud
byDell World
 
PDF
Hospital Corporation of America Healthcare Cybersecurity Assessment
bymbowl010
 
PDF
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
byTrend Micro
 
PDF
Essential_Skills_for_Business_Analysts_i.pdf
byBharathReddy350769
 
PPTX
Healthcare and Cyber security
byBrian Matteson, CISSP CISA
 
PDF
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
byRonan Martin
 
DOCX
Industry and Firm Analysis
byAshley Leonzio
 
McMahon and Associates Cloud Usage Policy Paper
byMatthew J McMahon
 
IT-as-a-Service Solutions for Healthcare Providers
byEMC
 
IT-as-a-Service Solutions for Healthcare Providers
byEMC
 
Healthcare Cybersecurity Whitepaper FINAL
bySteve Knapp
 
2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
byMOHAMMED YASER HUSSAIN
 
Health Industry Cybersecurity Best Practices
byDan Wellisch
 
Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207
byErik Ginalick
 
Microsoft cloud services_risk_management_in_european_health
byMikael Dalsgaard Jensen
 
An Overview of HIPAA Laws and Regulations.pdf
bySeasiaInfotech2
 
Executive Brief- 4 Critical Risks for Healthcare IT
bySungard Availability Services
 
Sean Cassidy: The Naked Health Information Exchange
byNashville Technology Council
 
arcsight_scmag_hcspecial
byPaul Brian Contino
 
HITRUST CSF Meaningful use risk assessment
byVinit Thakur
 
Building Future-Ready Healthcare IT Platforms: Get To The Cloud
byDell World
 
Hospital Corporation of America Healthcare Cybersecurity Assessment
bymbowl010
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
byTrend Micro
 
Essential_Skills_for_Business_Analysts_i.pdf
byBharathReddy350769
 
Healthcare and Cyber security
byBrian Matteson, CISSP CISA
 
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
byRonan Martin
 
Industry and Firm Analysis
byAshley Leonzio
 

More from Matthew J McMahon

DOCX
Past and Future Speaking Engagements
byMatthew J McMahon
 
PPT
DC617 Medical Device Presentation
byMatthew J McMahon
 
PDF
HCA 530, Week 2, Symantec 2016 threat report
byMatthew J McMahon
 
PDF
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
byMatthew J McMahon
 
PPTX
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
byMatthew J McMahon
 
PDF
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
PDF
HCA 530, Week 2, Advanced persistent threat healthcare under attack
byMatthew J McMahon
 
DOCX
Sample Incident Response Plan
byMatthew J McMahon
 
DOCX
Case brief US v batti
byMatthew J McMahon
 
DOCX
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
byMatthew J McMahon
 
DOC
Can international organizations like the IMF control the externality costs of...
byMatthew J McMahon
 
Past and Future Speaking Engagements
byMatthew J McMahon
 
DC617 Medical Device Presentation
byMatthew J McMahon
 
HCA 530, Week 2, Symantec 2016 threat report
byMatthew J McMahon
 
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
byMatthew J McMahon
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
byMatthew J McMahon
 
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
HCA 530, Week 2, Advanced persistent threat healthcare under attack
byMatthew J McMahon
 
Sample Incident Response Plan
byMatthew J McMahon
 
Case brief US v batti
byMatthew J McMahon
 
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
byMatthew J McMahon
 
Can international organizations like the IMF control the externality costs of...
byMatthew J McMahon
 

Recently uploaded

PPTX
Arrthymias in cardiology for Physician assistant
byMass Mahesh medico
 
PPTX
Seniors Chair Yoga Teacher Training Certificate Course.pptx
byKaruna Yoga Vidya Peetham
 
PPT
Mind Sound Resonance Technique (MSRT) Ma.ppt
byKaruna Yoga Vidya Peetham
 
PPTX
Pulmonary TB by Rakhi Rana.pptx for medical and nursing students
bypavitra8057
 
PDF
“Process and Importance of Hospital Planning”
bySutirthaMandal
 
PPTX
Chronic Reproductive Health Condition (2).pptx
byBaljinder Singh
 
PPTX
Online Meditation Teacher Training Certificate Course.pptx
byKaruna Yoga Vidya Peetham
 
PPTX
PPT presentation on Gairikadya malaahara
byShreeyashSalunke1
 
PPTX
CHILD.HEALTH.PROGRAMMES.IN.INDIA..2.pptx
bydrkasana123
 
PPTX
DIABETIC RETINOPATHY DIABETIC RETINOPATHY
byMeghna Verma
 
PPTX
50 Hrs - Yoga & Dialectical Behaviour Therapy (YDBT) Teacher Training Certifi...
byKaruna Yoga Vidya Peetham
 
PDF
Pediatric ALD (pALD) HCW sensitization slides (1).pdf
byRuth640163
 
PDF
Understanding Hair Loss: Causes, Solutions, and Healthy Hair Strategies
byaddictivemedia143
 
PPTX
NVHCP National Viral Hepatitis Control Programme.pptx
bySumitSharma926845
 
PPTX
Anemia in Children: Clinical Approach and Management
byspotifybob2024
 
PPTX
DIPLOPIA in Oral and Maxillofacial trauma.pptx
byDrMeghnaChandrachood
 
PPTX
Non-Fluoridated Remineralizing Agents1.pptx
bysukanyagattu5
 
PPTX
Think and Grow Rich 2.0 How to future proof your career in the 4th industrial...
byArlen Meyers, MD, MBA
 
PPTX
Cardiovascular health.pptx for cardiovascular health
byscionhealthcare
 
PDF
Interoperability in Healthcare systems IH
byAeris seo
 
Arrthymias in cardiology for Physician assistant
byMass Mahesh medico
 
Seniors Chair Yoga Teacher Training Certificate Course.pptx
byKaruna Yoga Vidya Peetham
 
Mind Sound Resonance Technique (MSRT) Ma.ppt
byKaruna Yoga Vidya Peetham
 
Pulmonary TB by Rakhi Rana.pptx for medical and nursing students
bypavitra8057
 
“Process and Importance of Hospital Planning”
bySutirthaMandal
 
Chronic Reproductive Health Condition (2).pptx
byBaljinder Singh
 
Online Meditation Teacher Training Certificate Course.pptx
byKaruna Yoga Vidya Peetham
 
PPT presentation on Gairikadya malaahara
byShreeyashSalunke1
 
CHILD.HEALTH.PROGRAMMES.IN.INDIA..2.pptx
bydrkasana123
 
DIABETIC RETINOPATHY DIABETIC RETINOPATHY
byMeghna Verma
 
50 Hrs - Yoga & Dialectical Behaviour Therapy (YDBT) Teacher Training Certifi...
byKaruna Yoga Vidya Peetham
 
Pediatric ALD (pALD) HCW sensitization slides (1).pdf
byRuth640163
 
Understanding Hair Loss: Causes, Solutions, and Healthy Hair Strategies
byaddictivemedia143
 
NVHCP National Viral Hepatitis Control Programme.pptx
bySumitSharma926845
 
Anemia in Children: Clinical Approach and Management
byspotifybob2024
 
DIPLOPIA in Oral and Maxillofacial trauma.pptx
byDrMeghnaChandrachood
 
Non-Fluoridated Remineralizing Agents1.pptx
bysukanyagattu5
 
Think and Grow Rich 2.0 How to future proof your career in the 4th industrial...
byArlen Meyers, MD, MBA
 
Cardiovascular health.pptx for cardiovascular health
byscionhealthcare
 
Interoperability in Healthcare systems IH
byAeris seo
 

McMahon & Associates Risk Management Strategy

  • 1.
    McMahon & AssociatesClinical Services Risk Management Strategy Matthew J McMahon Cybersecurity in Healthcare Administration Salve Regina University May 04, 2017
  • 2.
    2 Contents Executive Summary……………………………………………………………………...…..........3 About McMahon& Associates Clinical Services…………...………..………………….….........3 CHAPTER ONE. Reducing Third Party Risk…………………………………………...…..........3 CHAPTER TWO. Cyber Insurance…………...……...……………………………………...........4 CHAPTER THREE. Workforce Development….……...…………………………………............5 CHAPTER FOUR. Risk Management Frameworks………………….…………..………............6 CHAPTER Five. Secure Data Usage...….……...…………..……………………….....................7 Conclusion……………………………..………………………………………………………….8 Revision History…………...………………………..…………………………………………….8
  • 3.
    3 Executive Summary In today’sday and age, cyber-attacks on hospitals are becoming more and more prevalent. Of all of the United States Critical Infrastructures the healthcare sector is the most targeted by persistent cyber-attacks.1 In a threat landscape where a medical record sells for ten times on the dark web what a credit card record does it is imperative that McMahon & Associates Clinical Services create and implement a comprehensive Risk Management Strategy.2 About McMahon & Associates Clinical Services McMahon & Associates Clinical Services is a small, twelve provider clinical counseling service which resides in a small office located at 123 Main Street in Sharon, Massachusetts. The organization rents office space in the same building as a law firm and a doctor’s office but is separated from these businesses by two sets of locked steel doors. The office receives patients on an appointment only basis and operates between the hours of 8:00 AM EST and 8:00 PM EST. The facility utilizes the Athena Health cloud based software platform for clinical documentation, scheduling, routine paperwork and billing purposes. It also utilizes Outlook for email. CHAPTER ONE Reducing Third Party Risk McMahon & Associates Clinical Services has opted to utilize Athena Health as their cloud based clinical documentation, scheduling and billing software solution. An extensive cloud usage strategy report has already been completed in McMahon & Associates Clinical Services Cloud Usage Strategy Report.3 This risk management strategy paper will only touch on applicable highlights from that report. The McMahon & Associates Clinical Services Cloud Usage Strategy Report, extensively details the criteria used for selecting Athena Health among the other vendors that were reviewed.4 Chilmark Researches’ EHR Vendors’ Capabilities for Interoperability, report was an essential tool in comparing and contrasting Athena Health with its ten closest competitors in terms of data privacy and security compliance, secure connection controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.5 1 Hacking Healthcare IT in 2016: Lessons the Healthcare Industry can Learn From the OPM Breach. Institute for Critical Infrastructure Technology. (January, 2016) 2 See note 1 above. 3 McMahon,Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report. April (2017) 4 See note 1 above. 5 Chilmark Research. EHR Vendors’ Capabilities for Interoperability. July (2015)
  • 4.
    4 The driving forcein the choice of Athena Health was its ability to essentially eliminate the need for a traditional IT department.6 This not only reduces overhead but also liability associated with maintaining and securing a traditional IT infrastructure.7 The solution utilizes the software as a solution (SaaS) cloud model which allows for varying levels of role based access.8 Providers access and enter patient health information (PHI) only after accessing the password protected, secure (https) Athena Health website over a secure internet connection.9 While Athena Health is typically thought of as a small electronic medical record (EMR) provider in light of it’s much larger competitors such as MEDITECH, EPIC and Cerner its market share entails servicing over 62,000 providers and is steadily growing. Athena Health’s interfacing capabilities are well demonstrated with over 30 strategic interfacing partners and a fulltime dedicated interface team to build new links from Athena to other third party software vendors.10 Before making the final decision to choose Athena Health as the SaaS cloud based EMR vendor for McMahon & Associates a risk assessment was completed per the specifications laid out by the National Institute of Standards and Technology (NIST.)11 This risk assessment included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown, Massachusetts where decision makers were given a tour of the campus and provided detailed descriptions of secure offsite data storage facilities.12 After reviewing the vendors applicable security documentation for its SaaS cloud based EMR system which included the industry standard manufacturers disclosure statement for medical device security (MDS2) and product specific security whitepaper, which have been kept on file, it was determined that the software solution meets all relevant regulatory compliance measures defined in the Health Information Portability and Accountability Act (HIPPA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.13 CHAPTER TWO Cyber Insurance Cyber liability is a major concern for healthcare providers. Most general healthcare provider insurance policies exclude liability coverage associated to cybersecurity.14 Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape, improving patient privacy protections and underwriting the risk associated with operating a 6 ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud. 7 See note 5 above. 8 Cloud Computing Standards Council. Impact of Cloud Computing on Healthcare. November (2012) 9 Murphy,Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal, March 5 (2015) 10 Athenahealth . What Cloud-based Services Can Do for Your Medical Practice Whitepaper. January (2012) 11 See note 3 above. 12 AthenaHealth Website https://www.athenahealth.com 13 See note 3 above. 14 Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report . (2011)
  • 5.
    5 healthcare organization.15 Generalsecurity requirements as a precursor to insurability and the ability to conduct timely and efficient security audits will revolutionize the healthcare sector in the future, driving new legislation and best practice guidance.16 Some liability is transferred from McMahon & Associates to Athena Health by the use of a third party, cloud based SaaS EMR system, hosted by Athena Health as Athena then becomes a “business associate,” of McMahon & Associates and inherits certain responsibilities for data protection under HIPAA.17 Even with the utilization of a third party cloud based EMR the acquisition of cyber insurance is strongly recommended. It has the potential to cover the organization should PHI be compromised via Outlook or other business tools or if office property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third party or business associate such as Athena Health. It should be noted though that irresponsible data protection behavior such as sending PHI data via unencrypted email or leaving an unencrypted laptop is a car which is then stolen may not be covered by cyber insurance as the incident does not meet the insurance provider’s minimum protections requirements. CHAPTER THREE Workforce Development In the cybersecurity realm the weakest link is often the human factor. In response to this, even a small twelve practitioner clinical office needs to incorporate a cybersecurity workforce development program. In the industry currently there is a massive shortage of skilled cybersecurity professionals.18 This shortage makes internal training programs all the more imperative. As McMahon & Associated is a small office the third party online cybersecurity vendor Pluralsight will be utilized for employee cybersecurity training with specific courses required at the beginning of their employment and refreshers every six month thereafter.19 The vendor offers comprehensive security trainings delivered in an interesting and interactive video format. The Pluralsight requirements for employees will be managed by President and defacto IT manager Matthew McMahon. Coming from the corporate cybersecurity realm, Matthew holds various certifications in the security realm and regularly stays abreast of new security developments and trends by attending regular security conferences as well as subscribing to popular security publications. Another important component of training is the consideration of third parties training processes, evident by the now infamous Target hack that was the result of an improperly trained 15 McArdle, Jennifer. Incident Response and Cyber Insurance.(Presentation, Salve Regina University, Newport, RI 2016) 16 Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings. (May 2016.) 17 See note 9 above. 18 Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security. 19 Pluralsight. https://www.pluralsight.com/
  • 6.
    6 third party vendoremployee clicking on a link in an email that launched an attack.20 Having extensively accessed the security training methods of Athena Health employees via Athena’s product security whitepapers it appears that the company has done its due diligence in training its employee’s in cyber protections.21 CHAPTER FOUR Risk Management Frameworks McMahon & Associates Clinical Services understands that a large part of staying secure means keeping up to date with industry standards. The organization recognizes and adheres to the following security policies; Common Security Framework (CSF,) Health Information Trust Alliance (HITRUST) as well as the International Organization for Standardization (ISO.)22 Employee security trainings specifically target covering content recommended by these advisory bodies. The organization also aims to adhere to all relevant legislation, FDA guidance documents and mandates. Notably these documents include Executive Order 13636 which calls for the protection of our nation’s critical infrastructure, to include the healthcare sector.23 This Executive Order directly contributed to FDA Guidance documents that describe medical software and device best practices; Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff24 Also, pertinent is Executive Order 13691 which calls for the sharing of cyber defense information among government entities and for-profit companies.25 While McMahon & Associates has not directly engaged in the sharing of security related information in an industry forum it realizes the eventual need for this and will participate in future discussions with other small businesses and government entities. While there has been some debate on this McMahon & Associates concludes that medical software (Athena Health) should be classified as a “medical device,” and in so doing also adheres the following FDA Guidance documents that describe best practices; Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff26 as well as the Guidance for Industry Part 11, Electronic Records; Electronic Signatures, Scope and Application. The NIST document Framework for Improving Critical Infrastructure Cybersecurity is also relevant27 In addition to these general guidance documents McMahon & Associates has adopted the Advanced Cybersecurity Group List 20 Ormes, Eric and Herr, Trey. Understanding Information Assurance. (October, 2016) 21 See note 9 above. 22 See note 4 above. 23 Executive Order 13636—Improving Critical Infrastructure Cybersecurity 24 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff 25 Executive Order 13691—Promoting Private Sector Cybersecurity Information Sharing 26 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff 27 FDA. Framework for Improving Critical Infrastructure Cybersecurity
  • 7.
    7 Checklist, as itmodel for measuring and quantifying risk assessment and used this form during the review process of Athena Health as it’s SaaS cloud based EMR solution.28 McMahon & Associates regularly conducts security threat and risk assessments (TRA’s) on the tools it utilizes such as Athena Health for clinical documentation as well as Outlook for secure email among others. When completing these assessments it uses the Common Vulnerability Scoring System v3.0.29 These TRA’s are completed by President and defacto IT manager Matthew McMahon, whom congruent with risk management framework guidance has been deemed the responsible person to manage cyber security for the system. In his absence, responsibility and decision making in the realm of cyber security are passed along to company Vice President Carl Jung who has been properly trained as the Presidents backup and currently holds the following certifications: CompTIA Security +, Network + and has attended the SANS SEC401 Security Bootcamp course. CHAPTER Five Secure Data Usage Secure data usage is a top priority for McMahon & Associates. A study recently completed by the Ponemon Institute showed that of employees sampled over one third admitted that they were aware of coworkers that were not adhering to proper data usage company policies and sharing restricted data outside of their companies firewall.30 To assure data protection the organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality, Integrity and Availability of data. Security relating to confidentiality is partially handled by our business partner Athena Health that manages the EMR. Because of this relationship Athena Health is responsible for securing all hardware and database configurations. McMahon & Associates responsibilities rely on assuring secure access and proper access control utilizing the least privileges model. Users accessing Athena Health’s online portal should create robust passwords that are regularly updated.31 Employees no longer in the employ of McMahon & Associates should have access immediately revoked. PHI should also only be emailed when absolutely necessary and when necessary utilize encryption and two factor authentication which requires both a password and public key identification (PKI) card to access. All paper PHI should be shredded. All company phones and laptops used to access patient data shall utilize encryption. McMahon and Associates has a firm no bring your own device (BYOD) policy for accessing patient data. The integrity component of McMahon & Associates data usage policy is again largely handled by our business associate Athena Health who utilizes checksum technology to assure data entered by a software user is uploaded correctly. The utilization on an EMR is in itself a 28 Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist. (May 27, 2015.) 29 Common Vulnerability Scoring System v3.0 Specification Document. www.First.org 30 Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute. (October 2014) 31 McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information. (Presentation, Salve Regina University, Newport, RI 2016)
  • 8.
    8 method to protectthe integrity of data. All data is entered into the Athena Health system and displayed clearly. Audit logging shows who entered data and when. Most data is not able to be edited but if editing is allowed for certain features such as clinical notes that information is logged and auditable.32 The availability component of the triad was one of the main driving factors in deciding to utilize Athena Health as an EMR. McMahon & Associates data is backed up to several different databases on various secure servers scattered around the globe so the risk of the software being unavailable is unlikely. In the event of the software system being down staff are to return to a paper documentation system until the system is back online. As the office is a clinical counseling practice and does not practice emergency medicine, nor does it administer medication the risk associated with documenting on paper is minimal.33 Conclusion It is the goal of McMahon & Associates Counseling Services to not only provide the highest quality of clinical care to our customers but to also prioritize the security of our customers protected health information. It is our belief that this risk management strategy report is a step towards that goal but understands that to achieve a robust security posture an organization and its policies must be fluid and keep up with the threat landscape. This document is meant to be general guidance and not an all-encompassing. Review Process This document shall be reviewed and updated once a year during the month of May. A record of reviews, edits and updates shall be recorded below for posterity. Revision Date Author(s) (Changed By) Change(s) 00 2017-05-04 Matthew J McMahon Initial version 01 02 03 32 See Note 5 Above. 33 Ibid.