Category Archives: Risk Assessment & Compliance

An overview and information source for risk analysis and requirement compliance for IT and online security systems to ensure compliance with regulations such as: FFIEC, NERC, GLBA, BSA, NCUA, ISO 17799, ISO 27001 and many others.

Why Bother with a HIPAA Risk Analysis Anyway?

People tell me all the time that their management doesn’t want them to do a risk analysis, even if it’s a requirement.  Sometimes they say that they have no budget to fix anything – so why bother?

Even if it’s a requirement, like new workplace violence assessments, or a federal law like the required HIPAA risk analysis, there are people who want to do it in 30 minutes in a spreadsheet, without conferring with other staff members, without bothering to do a walk-through of the facility, without management’s enthusiastic support.

Here is a list of good reasons to do a Risk Analysis for HIPAA, even if you are not sure about whether you need it or not:

1.  It’s a Federal law.  It’s possible that no one will know if you don’t do it, but what if you have a MassGeneral-style data breach next week?

2.  It saves the organization BIG BUCKS, by doing the cost benefit analysis so the IT department can implement controls that actually increase protection AND reduce potential threats at the same time.

3.  A Risk Analysis acts like a security awareness training program if you involve the entire hospital or healthcare staff.  Many times they aren’t aware of the policies and procedures, and having them answer the HIPAA compliance surveys is a great no-cost refresher.

4.  You can uncover REAL vulnerabilities and fix them right away.  For example, you may not know who’s taking your database home on their unencrypted laptop.  You may not know that only 20% of the hospital staff took time to take the online training!  This lets you IDENTIFY problems and FIX them.

5.  It instantly makes the security analyst/information security officer the SMARTEST person in the room.  You now understand everything about protection of medical records in your organization!

6.  Regulators are getting CASH BONUSES for finding problems.  Don’t let them vacation in the south of France because they found a vulnerability in your IT systems!

Start your risk analysis today – and I will make sure YOU get all the credit!

Starting a Hospital Security Risk Assessment

How to make sure your Security Department is Working for the Hospital.

Security Risk Assessments are not just required by the Joint Commission – they are also required in many states as a preventive measure to help prevent and reduce workplace violence.

The Risk Assessment also helps managers and administrators assess their security program, directly measure its effectiveness and determine cost effective methods that can give you a great deal of protection for the lowest possible cost — something we call “bang for the buck”.

The recent increase in violence comes as a surprise to doctors, nurses, managers and administrators, too.  Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

1.  Doctors are no longer thought of as “Gods”.  This means they are more easily blamed when a patient’s condition deteriorates.

2.  Hospitals are now regarded as businesses.  This perception has been aggravated by television in shows like a recent “60 Minutes”, as well as by the effects of the recession on jobs and the loss of health insurance.

3.  Lack of respect and resources (funding) for hospital security departments.  Rather than being seen as a crucial protection for the hospital staff and patients, many security departments are chronically underfunded and used for a variety of non-security functions, such as making bank deposits for the hospital gift shop, driving the education van, etc.

The federal government issued a guidance document for dealing with violence issues in healthcare, called OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.  You can download a copy at www.osha.gov/Publications/osha3148.pdf

Remembering the Tragedy of 9/11

Today is the 10th Anniversary of 9/11.  Like most other Americans, like the Kennedy assassination so many years ago, the memories are indelibly burned into my soul.

On September 11, I was flying to a conference in Chicago, so I got up at 5 am to catch the 7:45 plane from BWI to Pittsburgh.  I was on the next plane to Chicago; it boarded at 9:35 and pushed out onto the runway.  I was waiting for it to take off when my cell phone rang and it was my son, Michael, who said, “They flew a plane into the Twin Towers in NYC”.  As a security professional, I knew what that meant.

After a confusing 15 minutes, the plane went back to the gate, and they told us the flight would be delayed for 6 hours, but as we walked off the plane, the man next to me got a call on his cell and said, “They hit the Pentagon”.

There was a hotel at the Pittsburgh Airport, so I immediately ran over there and checked in, because I knew there would be no planes leaving that day.  I noticed the huge crowd at the bar, watching the TV.  My brother worked in NYC, my sons and friends were in DC, and the phone lines weren’t working, but I signed on to AOL and was able to connect with them to say I was all right.

They evacuated the airport, but I was up in my mini command center by then.  I must have gotten 400 emails that day and I was watching the coverage on TV and crying, and then I heard about United Flight 93.

It took me about 2 days to get home.  A friend DROVE from the conference in Chicago to Pittsburgh and picked me up at midnight on 9/11.  We drove together through the Appalachian mountains to her home south of Philadelphia.  She had small children and wanted to get home fast.

We arrived at about 9 am on 9/12, after driving all night.  I slept for 4 hours on her son’s bed, and then her husband took me to the Amtrak station at Wilmington and I took the train back to BWI. It felt like I was moving through a bad dream.

Next, I tried to get my car, which was in the parking structure by the terminal, but it was blocked and they said I wouldn’t be able to get my car for several more days, so I took a cab back home.

I remember driving up my street and seeing the American flags on houses, and I remember thinking about why I didn’t know all these neighbors and how I would change that in the future.  I remember how blue the sky was, not a cloud, not a plane.  It was surrealistically quiet.

I know several people who were killed in the Pentagon, and many in NYC who were dramatically affected, including the children in the NY suburbs who got called out of class one by one, to hear that their father, or mother was gone.

My theory is that people who lived on the west coast didn’t feel the impact quite as much as those of us did who had been to the Pentagon every week, and been in the Twin Towers.

A friend of mine in San Diego, who was proud of not having a TV, got up early that morning to order a sheet set on QVC.  She was in the middle of her order when the operator started crying and could not continue – she kept telling Kathy, “please turn on the TV and call back tomorrow”.

Just for me, I think I am permanently damaged by what happened on 9/11, and I think the whole country shares a continuing sorrow and grief from this event. 

We won’t let it happen again.

Is $7000 Enough of a Fine for a Young Girl’s Murder?

OSHA workplace safety officials have fined the organization that runs a Revere group home, where a Peabody mental health worker was stabbed in January, for not having adequate safety measures in place despite the high probability of an incident occurring.

The Revere mental health clinic where Peabody caseworker Stephanie Moulton was stabbed in January was fined $7,000.00 by OSHA for not having adequate safeguards against violence in place for employees at the clinic.  OSHA cited the facility for “a serious violation of [OSHA’s] ‘general duty clause’ for failing to provide a workplace free from recognized hazards likely to cause serious injury or death.”

Moulton, 24, died from a stab wound inflicted by a patient, 27-year-old Deshawn Chappell, who fled the group home, taking her with him, and then dumped her body behind a church in Lynn.  Chappell, who had a history of violent behavior, attacked Moulton during a counseling session.

The fine is a piddling amount, but the damage the fine does to the organization is much worse.  Because the organization was directly fined by OSHA, the victim’s family has solid grounds for a negligence lawsuit, and they can quote OSHA’s own finding that the clinic “failed to provide a workplace free from recognized hazards likely to cause injury or death”.

It will be interesting to see if a lawsuit develops, and if the organization puts stricter controls in place to protect staff members.

OSHA and the Joint Commission have reported for several years that violence against healthcare workers has steadily increased, and the Joint Commission even issued a Sentinel Event about the increase in violence.

Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, governments around the world and think tanks.

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe it’s economics – maybe it’s a result of the previous economic downturn – but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML,
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization, by either preventing threats from occurring or by mitigating the impact of the incident if it occurs.

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, the FFIEC IT (Federal Financial Institutions Examination Council Information Technology) Handbook spells out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total.
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by making decision-making based on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!

The 5 Missing Elements of Most Workplace Violence Prevention Programs


After working with a variety of organizations on a baseline Workplace Violence assessment, there are several areas that seem to be common problems for most organizations.  These elements are not expensive, and not time-consuming, so they are natural candidates for improvement.

A baseline workplace violence assessment is a survey of employees in different roles, combined with a threat analysis, an analysis of existing controls, and historical incidents that can be reviewed and aggregated.

Here are the top 5 most common missing elements, with potential solutions.

1.  Missing workplace violence awareness/training programs.  Many organizations report that they have set these up, that they have sent out emails to all employees, but we consistently find that the employees didn’t read the emails, didn’t know the training was available, or that it wasn’t included in their initial company orientation.

2.  Mis-categorization of workplace violence incidents.   There is a mistaken (in my opinion) idea that domestic violence incidents that happen at work should not be categorized or reported as a Workplace Violence incident.  This is a mistake, and leads to bad information about the true nature of the problem.  If someone comes and shoots her significant other at work (IN THE WORKPLACE) – it is a workplace violence incident.

3.  Staff feels subtle pressure from management not to report every incident.  In my research, management wants every incident reported, every time, but staff members report that their own direct supervisors may discourage them by not taking time to discuss these pre-incidents, and also by chalking up comments as merely office gossip.

4.  Not linking Human Resources with Security on the issue of Workplace Violence Prevention.  This is a management issue, but organizations that create bridges between HR and security are way ahead because this is one issue where cooperation makes a big difference in results.  HR can’t do a security assessment and security can’t write termination policies and set up employment screening. They are both absolutely necessary.

5.  Not doing an Annual Workplace Violence Assessment.  Since late 2008, when the economy suffered major job losses, the number of workplace violence assessments has increased dramatically, especially in the healthcare field.  Annual assessments are the best way to stay on top of the ‘potential’ for violence in your organization.

Check out one of our regularly scheduled webinars to learn more about this important issue.

REMEMBER – Workplace Violence is the one threat that is PREVENTABLE!

— Caroline Hamilton
Caroline.r.hamilton@gmail.com
chamilton@riskwatch.com
www.riskwatch.com

Using a Project Plan for your HIPAA Risk Analysis

When HIPAA first became a law, at the end of 1997, most healthcare organizations were so sure that it would be repealed or rescinded when Bush came into office, that they never quite got around to doing that first risk analysis.

Later, the risk analysis requirement got tougher when the Office of Civil Rights (OCR) added their guidance document in May 2010, and suggested that, in addition to HIPAA Security, HIPAA Privacy and the HITECH Act, organizations should also use NIST Special Publication 800-66 as a reference guide for the risk analysis and the protection of electronic Protected Health Information (ePHI).

The risk analysis has gotten more complicated, by the tightening of requirements, and by the need to include business associates, third party vendors, and an all-hazards threat approach.

Using a detailed project plan as you start the risk analysis is a good way to not only deal with the technical requirements, but also to inform management and stakeholders in the organization what a risk analysis includes, and to outline their potential participation.

There are different roles including IT users who will answer questions related to HIPAA control standards, management who will provide financial data and approve different values, and department managers, who will supervise their own staff and make sure they answer the surveys and cooperate with the analyst in a timely manner.

After the roles have been assigned, the data gathered, and the reports approved, the project plan can be used to create the mitigation activities and a corrective action plan, and to manage and track the new controls that are implemented.

If you’d like to see a HIPAA Project Plan, just email me at chamilton@riskwatch.com

Maine Hospital Fined by OSHA for Not Providing a Safe Workplace

The Acadia Hospital in Bangor, Maine was fined $11,700 by OSHA (Federal Occupational Safety and Health Administration) on January 26th, 2011 for failing to provide a safe working environment for employees and improperly documenting workplace injuries.

They were referring to the fact that staff at the hospital had been subject to 115 attacks by patients between 2008 and 2010.  The report went on to say: “The serious citation points to the clear and pressing need for the hospital to develop a comprehensive, continuous and effective program that will proactively evaluate, identify and prevent conditions that place workers in harm’s way,” said Marthe Kent, OSHA’s New England regional administrator.

OSHA’s report on The Acadia Hospital was at least partially the result of hospital officials making a policy decision to not use restraints on violent patients.  In fact, Acadia Hospital’s CEO, David Proffitt, Ph.D., was very proud of this policy, saying in a published article in 2010, “I want to share something I think is very exciting. The last mechanical restraint recorded at The Acadia Hospital was on June 21st, 2009.  This is a big deal.  We set a goal to end mechanical restraints and you have done so. It reflects a commitment to be the best at what we do.  And it gets better… Our adult rate of restraint has been well below the national mean since May of 2009.  That means we are now in the top 3% of best performing hospitals!  I hope that fact inspires great pride in your self, your co-workers, and this hospital.  I know it does me!”.

Obviously, the no restraints policy wasn’t so great for the nursing staff!

Additionally, the OSHA report ordered the hospital to implement procedures to better protect staff, including screening patients for violent tendencies and offering more staff training on how to use physical restraints, though it did not specifically order the hospital to use them.

In the last eighteen months, OSHA has fined only a handful of hospitals for workplace violence-related incidents, including Danbury Hospital, which had a homicide, and Oregon State Hospital in Oregon, which was fined in November 2010 for failing to give staff members self-defense training for dealing with violent patients.

According to The Statesman Journal, OSHA fined the hospital $3,750 for three major safety violations:

  • Failing to provide timely training for staffers to use shields as “a tool to protect employees from projectiles, riots, and to approach patients in order to secure them.”
  • Not reporting to OSHA that a worker was hospitalized in late January after being assaulted by a patient.
  • Lack of written verification showing that a “hazard assessment” had been performed to ensure employees were provided with adequate personal protective equipment.

Looks like OSHA is gearing up to take workplace violence incidents more seriously in the future.   One of the backstories is that hospital employees talk to their unions, and the union leadership contacts OSHA on behalf of the employees.

The increasing problem with workplace violence in hospitals makes it absolutely imperative to start with a comprehensive program to combat and prevent workplace violence.

The Risk Assessment – Live – and Cross-Cultural

I just got back from a great trip to the Middle East.  I spoke at a State Department (ISAC) conference in Doha, Qatar and then did a full risk assessment of a large hospital in Abu Dhabi.  Besides that, I loved the food, and loved the people, and came home with lots of beautiful earrings and bangles and perfume.

The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height, politics, or anything else.  Maybe this is why the TV show “The Office” is a worldwide hit.  Organizations work the same way all over the world.  As a person who got her degree in cultural anthropology, of all things, I am amazed less at the differences than at the similarities between organizations.

This is the 17th country I have visited to do a security risk assessment, and they all come down to these basic steps:

1.  Identify what you want to assess.  Many times you need to cut down the proposed assessment; it doesn’t need to include things that are 10 miles away.

2.  Write up a Project Plan to show other people what you’re going to do – and give management a time line to work with.  (It keeps me focused – a value add.)

3.  Find the dollar VALUE for whatever you are assessing.  For example: how much is the facility worth?  What’s the value of one patient record – two dollars or two thousand dollars?

4.  Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.

5.  Ask other people in the organization how they handle security.  I like using our automated surveys because they capture more immediate data from individuals.  You can use a translator if you don’t speak the language and I guarantee you’ll be amazed at the results.  The more people you interview – the more amazing the results will be.

6.  Examine all the existing controls and see how they are being used in other areas of the organization.  Are they 100% implemented?  80%?  50%?  Even less?

7.  Analyze the results with good math.  This is commonly done by software, but you can also use a regression analysis model with a database program like Access – don’t guess.  Let the numbers do the talking.

8.  Write up a simple report, illustrated with lots of color graphs and photos, so someone can just page through the report and understand what the assessment revealed.

The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT.  Some people call them After Action Reports, maybe they are called Corrective Action Reports, maybe they are called a Task List.  The name doesn’t matter, but the results matter.

The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment.  In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall?  add a better camera system to the Emergency Department?  do background checks when you hire new people?”

These are just examples – any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that.  In the follow-up blog post I’ll talk about how to present your findings to your management.

The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases, and the profit-rich oil companies who are raking in billions, don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.  It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  Obviously that either was not done, or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model, we start by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died – $25,000,000
  3. The Value of the Oil itself, with replacement value (5 million gallons at $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for just Louisiana; add in Alabama, Mississippi and Florida and quickly the bill runs up to $10 billion dollars.
  6. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  7. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; other assorted marine mammals, birds, and fish – $25 million.

So we have a resource worth about $33.5 billion dollars – that is the potential loss estimate.

What will we lose if a threat materializes?  Keep in mind, for comparison purposes, that BP had recently doubled its profits from $3 billion to $6 billion a quarter, which works out to about $24 billion a year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of problems with oil rigs, and of oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get an idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely for a disaster to occur; you will recognize many of these from the latest news conference:

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and, because of this spill, loses about $1 billion dollars, that’s not a bad return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

  1. Development of effective oil capping techniques BEFORE a disaster
  2. Better training of oil rig workers
  3. Better fire controls which might have saved the rig from sinking
  4. Accountability increased for the Materials Management Service (MMS)
  5. Tougher regulations for oil companies
  6. Better oil containment tools
  7. Better oil absorption tools
  8. Regular drills so that workers are better prepared in an emergency like this
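The cost benefit step that these posts keep coming back to (the definition of a risk assessment with ROI as a required element, step 6 and step 7 of the cross-cultural post, and the oil rig model above) can be run as a small model over the asset list: a threat with an annual likelihood, controls that either prevent it or mitigate its impact, and a ranking of those controls by net annual benefit. This is an added example, not code from the original posts or from RiskWatch; the asset values follow the post’s rough figures, while the operator/public split, the 2% annual blowout likelihood and every control cost and effect are constructed assumptions.

```python
"""Classic quantitative risk model: asset values x threat likelihood, then the
cost/benefit ("bang for the buck") of controls that either prevent the threat
or mitigate its impact.  Added example, not code from the original posts or
from RiskWatch; all probabilities and control effects are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # dollar value at risk
    bearer: str           # who absorbs the loss: "operator" or "public" (assumed split)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float    # expected occurrences per year (annualized rate of occurrence)
    exposure: float       # fraction of asset value lost per occurrence, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0      # fraction of the annual rate removed (prevention)
    exposure_reduction: float = 0.0  # fraction of the loss removed (mitigation)
    implemented: float = 1.0         # how fully it is in place: 100%? 80%? 50%?


def annual_loss_expectancy(assets, threat, controls=()):
    """ALE = sum(asset values) * exposure * annual rate, after applying controls.
    A partially implemented control gets only a proportional share of its effect."""
    rate, exposure = threat.annual_rate, threat.exposure
    for c in controls:
        rate *= 1.0 - c.rate_reduction * c.implemented
        exposure *= 1.0 - c.exposure_reduction * c.implemented
    return sum(a.value for a in assets) * exposure * rate


def loss_by_bearer(assets, threat, controls=()):
    """Split the ALE by who bears it: the post's point is that most of the
    exposure lands on the public rather than on the operator."""
    out = {}
    for a in assets:
        out[a.bearer] = out.get(a.bearer, 0.0) + annual_loss_expectancy([a], threat, controls)
    return out


def control_cost_benefit(assets, threat, control, baseline=()):
    """Net annual benefit and ROI of adding one control on top of a baseline set."""
    before = annual_loss_expectancy(assets, threat, baseline)
    after = annual_loss_expectancy(assets, threat, (*baseline, control))
    reduced = before - after
    net = reduced - control.annual_cost
    return {"control": control.name, "annual_cost": control.annual_cost,
            "risk_reduced": reduced, "net_benefit": net,
            "roi": net / control.annual_cost}


def rank_controls(assets, threat, controls, baseline=()):
    """Candidate controls ordered by net annual benefit, best first."""
    rows = [control_cost_benefit(assets, threat, c, baseline) for c in controls]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample: asset values follow the post's rough figures; the bearer
# split, the 2% annual likelihood and the control effects are assumptions.
ASSETS = [
    Asset("rig and drilling equipment", 500e6, "operator"),
    Asset("lives of the 11 workers", 25e6, "operator"),
    Asset("oil (replacement value)", 10e6, "operator"),
    Asset("BP reputation", 2e6, "operator"),
    Asset("Gulf fishing and shrimp industries", 10e9, "public"),
    Asset("summer beach tourism", 20e9, "public"),
    Asset("shorebirds, turtles, marine mammals", 25e6, "public"),
]
BLOWOUT = Threat("catastrophic blowout", annual_rate=0.02, exposure=1.0)  # assumed: 1 in 50 rig-years
CANDIDATES = [
    Control("capping technique developed before a disaster", 50e6, exposure_reduction=0.6),
    Control("worker training and regular drills", 5e6, rate_reduction=0.25),
    Control("better fire controls", 20e6, exposure_reduction=0.1),
]

if __name__ == "__main__":
    print(f"ALE with no controls: ${annual_loss_expectancy(ASSETS, BLOWOUT):,.0f}")
    for bearer, loss in loss_by_bearer(ASSETS, BLOWOUT).items():
        print(f"  borne by {bearer}: ${loss:,.0f}")
    for row in rank_controls(ASSETS, BLOWOUT, CANDIDATES):
        print(f"{row['control']}: net ${row['net_benefit']:,.0f}/yr, ROI {row['roi']:.1f}x")
```

Running it shows the capping technique as the best buy despite being the most expensive control, and the public bearing roughly 98% of the expected annual loss under these assumptions.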

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries, here are the numbers of species that will be affected:

445 species of fish
45 species of mammals
32 species of amphibians and reptiles
134 species of birds
and the ocean itself, and all of us.