McMahon & Associates Risk Management Strategy
McMahon & Associates Clinical Services Risk Management Strategy
Matthew J McMahon
Cybersecurity in Healthcare Administration
Salve Regina University
May 04, 2017
Contents
Executive Summary ..... 3
About McMahon & Associates Clinical Services ..... 3
CHAPTER ONE. Reducing Third Party Risk ..... 3
CHAPTER TWO. Cyber Insurance ..... 4
CHAPTER THREE. Workforce Development ..... 5
CHAPTER FOUR. Risk Management Frameworks ..... 6
CHAPTER FIVE. Secure Data Usage ..... 7
Conclusion ..... 8
Revision History ..... 8
Executive Summary
In today’s day and age, cyber-attacks on hospitals are becoming more and more
prevalent. Of all of the United States critical infrastructure sectors, the healthcare sector is the most
heavily targeted by persistent cyber-attacks.1 In a threat landscape where a medical record sells on
the dark web for ten times what a credit card record does, it is imperative that McMahon &
Associates Clinical Services create and implement a comprehensive Risk Management Strategy.2
About McMahon & Associates Clinical Services
McMahon & Associates Clinical Services is a small, twelve-provider clinical counseling
service which resides in a small office located at 123 Main Street in Sharon, Massachusetts. The
organization rents office space in the same building as a law firm and a doctor’s office but is
separated from these businesses by two sets of locked steel doors. The office receives patients
on an appointment-only basis and operates between the hours of 8:00 AM EST and 8:00 PM
EST. The facility utilizes the Athena Health cloud-based software platform for clinical
documentation, scheduling, routine paperwork and billing purposes. It also utilizes Outlook for
email.
CHAPTER ONE
Reducing Third Party Risk
McMahon & Associates Clinical Services has opted to utilize Athena Health as its
cloud-based clinical documentation, scheduling and billing software solution. An extensive cloud
usage strategy report has already been completed as the McMahon & Associates Clinical Services
Cloud Usage Strategy Report.3 This risk management strategy paper will only touch on
applicable highlights from that report. The McMahon & Associates Clinical Services Cloud
Usage Strategy Report extensively details the criteria used for selecting Athena Health among
the other vendors that were reviewed.4 Chilmark Research’s report EHR Vendors’ Capabilities for
Interoperability was an essential tool in comparing and contrasting Athena Health with its
ten closest competitors in terms of data privacy and security compliance, secure connection
controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.5
1 Hacking Healthcare IT in 2016: Lessons the Healthcare Industry can Learn From the OPM Breach. Institute for
Critical Infrastructure Technology. (January, 2016)
2 See note 1 above.
3 McMahon, Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report. (April 2017)
4 See note 1 above.
5 Chilmark Research. EHR Vendors’ Capabilities for Interoperability. (July 2015)
The driving force in the choice of Athena Health was its ability to essentially eliminate
the need for a traditional IT department.6 This not only reduces overhead but also the liability
associated with maintaining and securing a traditional IT infrastructure.7 The solution utilizes
the software as a service (SaaS) cloud model, which allows for varying levels of role-based
access.8 Providers access and enter protected health information (PHI) only after logging in to the
password-protected, secure (https) Athena Health website over a secure internet connection.9
While Athena Health is typically thought of as a small electronic medical record (EMR)
provider in light of its much larger competitors such as MEDITECH, EPIC and Cerner, its
market share entails servicing over 62,000 providers and is steadily growing. Athena Health’s
interfacing capabilities are well demonstrated by over 30 strategic interfacing partners and a
full-time dedicated interface team that builds new links from Athena to other third party software
vendors.10
Before making the final decision to choose Athena Health as the SaaS cloud-based EMR
vendor for McMahon & Associates, a risk assessment was completed per the specifications laid
out by the National Institute of Standards and Technology (NIST).11 This risk assessment
included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown,
Massachusetts, where decision makers were given a tour of the campus and provided detailed
descriptions of secure offsite data storage facilities.12
After reviewing the vendor’s applicable security documentation for its SaaS cloud-based
EMR system, which included the industry-standard Manufacturer Disclosure Statement for
Medical Device Security (MDS2) and a product-specific security whitepaper, both of which have
been kept on file, it was determined that the software solution meets all relevant regulatory
compliance measures defined in the Health Insurance Portability and Accountability Act (HIPAA)
and the Health Information Technology for Economic and Clinical Health (HITECH) Act.13
CHAPTER TWO
Cyber Insurance
Cyber liability is a major concern for healthcare providers. Most general
healthcare provider insurance policies exclude liability coverage associated with cybersecurity.14
Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape,
improving patient privacy protections and underwriting the risk associated with operating a
6 ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud.
7 See note 5 above.
8 Cloud Computing Standards Council. Impact of Cloud Computing on Healthcare. (November 2012)
9 Murphy, Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal, March 5 (2015)
10 Athenahealth. What Cloud-based Services Can Do for Your Medical Practice Whitepaper. (January 2012)
11 See note 3 above.
12 AthenaHealth Website https://www.athenahealth.com
13 See note 3 above.
14 Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report. (2011)
healthcare organization.15 General security requirements as a precursor to insurability and the
ability to conduct timely and efficient security audits will revolutionize the healthcare sector in
the future, driving new legislation and best practice guidance.16
Some liability is transferred from McMahon & Associates to Athena Health by the use of
a third party, cloud-based SaaS EMR system hosted by Athena Health, as Athena then becomes a
“business associate” of McMahon & Associates and inherits certain responsibilities for data
protection under HIPAA.17 Even with the utilization of a third party cloud-based EMR, the
acquisition of cyber insurance is strongly recommended. It has the potential to cover the
organization should PHI be compromised via Outlook or other business tools, or if office
property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third
party or business associate such as Athena Health.
It should be noted, though, that irresponsible data protection behavior, such as sending PHI
via unencrypted email or leaving an unencrypted laptop in a car which is then stolen, may
not be covered by cyber insurance, as the incident does not meet the insurance provider’s
minimum protection requirements.
CHAPTER THREE
Workforce Development
In the cybersecurity realm the weakest link is often the human factor. In response to this,
even a small twelve-practitioner clinical office needs to incorporate a cybersecurity workforce
development program. There is currently a massive shortage of skilled cybersecurity
professionals in the industry.18 This shortage makes internal training programs all the more
imperative. As McMahon & Associates is a small office, the third party online cybersecurity
training vendor Pluralsight will be utilized for employee cybersecurity training, with specific courses
required at the beginning of employment and refreshers every six months thereafter.19
The vendor offers comprehensive security trainings delivered in an interesting and
interactive video format. The Pluralsight requirements for employees will be managed by
President and de facto IT manager Matthew McMahon. Coming from the corporate
cybersecurity realm, Matthew holds various certifications in the security field and regularly
stays abreast of new security developments and trends by attending security conferences
as well as subscribing to popular security publications.
Another important component of training is the consideration of third parties’ training
processes, as evidenced by the now infamous Target hack that was the result of an improperly trained
15 McArdle, Jennifer. Incident Response and Cyber Insurance. (Presentation, Salve Regina University, Newport, RI, 2016)
16 Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings. (May 2016)
17 See note 9 above.
18 Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security.
19 Pluralsight. https://www.pluralsight.com/
third party vendor employee clicking on a link in an email that launched an attack.20 Having
extensively assessed the security training methods of Athena Health employees via Athena’s
product security whitepapers, it appears that the company has done its due diligence in training its
employees in cyber protections.21
CHAPTER FOUR
Risk Management Frameworks
McMahon & Associates Clinical Services understands that a large part of staying secure
means keeping up to date with industry standards. The organization recognizes and adheres to
the following security frameworks: the Common Security Framework (CSF) of the Health Information
Trust Alliance (HITRUST), as well as the standards of the International Organization for Standardization (ISO).22
Employee security training specifically covers content recommended by these advisory
bodies.
The organization also aims to adhere to all relevant legislation, FDA guidance documents
and mandates. Notably, these documents include Executive Order 13636, which calls for the
protection of our nation’s critical infrastructure, including the healthcare sector.23 This
Executive Order directly contributed to the FDA guidance document that describes medical
software and device best practices: Postmarket Management of Cybersecurity in Medical
Devices, Guidance for Industry and Food and Drug Administration Staff.24 Also pertinent is
Executive Order 13691, which calls for the sharing of cyber defense information among
government entities and for-profit companies.25 While McMahon & Associates has not directly
engaged in the sharing of security-related information in an industry forum, it realizes the
eventual need for this and will participate in future discussions with other small businesses and
government entities.
While there has been some debate on this, McMahon & Associates concludes that medical
software (Athena Health) should be classified as a “medical device,” and in so doing also
adheres to the following FDA guidance documents that describe best practices: Postmarket
Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug
Administration Staff,26 as well as the Guidance for Industry Part 11, Electronic Records;
Electronic Signatures, Scope and Application. The NIST document Framework for Improving
Critical Infrastructure Cybersecurity is also relevant.27 In addition to these general guidance
documents, McMahon & Associates has adopted the Advanced Cybersecurity Group List
20 Ormes, Eric and Herr, Trey. Understanding Information Assurance. (October 2016)
21 See note 9 above.
22 See note 4 above.
23 Executive Order 13636: Improving Critical Infrastructure Cybersecurity
24 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff
25 Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing
26 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff
27 NIST. Framework for Improving Critical Infrastructure Cybersecurity
Checklist as its model for measuring and quantifying risk, and used this form during
the review of Athena Health as its SaaS cloud-based EMR solution.28
McMahon & Associates regularly conducts security threat and risk assessments (TRAs)
on the tools it utilizes, such as Athena Health for clinical documentation as well as Outlook for
secure email, among others. When completing these assessments it uses the Common
Vulnerability Scoring System v3.0.29 These TRAs are completed by President and de facto IT
manager Matthew McMahon, who, in keeping with risk management framework guidance, has
been designated the responsible person for managing cyber security for the system. In his absence,
responsibility and decision making in the realm of cyber security pass to company
Vice President Carl Jung, who has been properly trained as the President’s backup and currently
holds the following certifications: CompTIA Security+ and Network+, and has attended the SANS
SEC401 Security Bootcamp course.
CHAPTER FIVE
Secure Data Usage
Secure data usage is a top priority for McMahon & Associates. A study recently
completed by the Ponemon Institute showed that over one third of the employees sampled admitted
that they were aware of coworkers who were not adhering to proper company data usage policies
and were sharing restricted data outside of their company’s firewall.30 To ensure data protection, the
organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality,
Integrity and Availability of data.
Security relating to confidentiality is partially handled by our business partner Athena
Health, which manages the EMR. Because of this relationship, Athena Health is responsible for
securing all hardware and database configurations. McMahon & Associates’ responsibilities lie in
ensuring secure access and proper access control using the least-privilege model. Users
accessing Athena Health’s online portal should create robust passwords that are regularly
updated.31 Employees who leave McMahon & Associates should have their access
revoked immediately.
PHI should also only be emailed when absolutely necessary and, when necessary, using
encryption and two-factor authentication, which requires both a password and a public key
infrastructure (PKI) card to access. All paper PHI should be shredded. All company phones and
laptops used to access patient data shall utilize encryption. McMahon & Associates has a firm
no bring your own device (BYOD) policy for accessing patient data.
The integrity component of McMahon & Associates’ data usage policy is again largely
handled by our business associate Athena Health, which utilizes checksum technology to ensure
that data entered by a software user is uploaded correctly. The use of an EMR is in itself a
28 Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist. (May 27, 2015)
29 Common Vulnerability Scoring System v3.0 Specification Document. www.First.org
30 Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute. (October 2014)
31 McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information. (Presentation, Salve Regina University, Newport, RI, 2016)
method to protect the integrity of data. All data is entered into the Athena Health system and
displayed clearly. Audit logging shows who entered data and when. Most data cannot be
edited, but where editing is allowed for certain features, such as clinical notes, the change is
logged and auditable.32
The availability component of the triad was one of the main driving factors in deciding to
utilize Athena Health as an EMR. McMahon & Associates’ data is backed up to several different
databases on various secure servers scattered around the globe, so the risk of the software being
unavailable is low. In the event of the software system being down, staff are to return to a
paper documentation system until the system is back online. As the office is a clinical
counseling practice and does not practice emergency medicine, nor does it administer medication,
the risk associated with documenting on paper is minimal.33
Conclusion
It is the goal of McMahon & Associates Counseling Services to not only provide the
highest quality of clinical care to our customers but also to prioritize the security of our
customers’ protected health information. It is our belief that this risk management strategy report
is a step towards that goal, but we understand that to achieve a robust security posture an
organization and its policies must be fluid and keep up with the threat landscape. This document
is meant to be general guidance and is not all-encompassing.
Review Process
This document shall be reviewed and updated once a year during the month of May. A record of
reviews, edits and updates shall be recorded below for posterity.
Revision   Date         Author(s) (Changed By)   Change(s)
00         2017-05-04   Matthew J McMahon        Initial version
01
02
03
32 See note 5 above.
33 Ibid.