Privacy, Security, and COVID-19

Does your SRA include something like COVID-19? Do your business continuity plans include it? Do you need an SRA that includes virus outbreaks? Yes, you do. If your risk analysis didn’t include these kinds of things, you should revisit your method for doing an SRA. What should you do about this risk, and what else is missing from your SRA? Let’s talk about privacy, security and COVID-19.

I am on a lot of lists that discuss general cybersecurity and privacy, as well as other medical management topics. This week they have been full of discussions about what should be included in the plans specifically for COVID-19, aka novel coronavirus. As expected from those in this industry, it must be taken very seriously, and concerns include supplies of hazmat suits, containment, disinfection, and more. What we had to add to the plans were discussions about telehealth implementation and more bandwidth for remote workers.

Yes, we are going to discuss the things we think you should have in your plans to address these issues. But it is important to note that this should already be something you have considered or discussed in your standard SRA. As we have mentioned many times, a lot of these check-the-box SRA tools and methods do not have you actually consider the impact of these kinds of threats. Today we can clearly see why they should be there.

SRA Threat Lists

When we do an SRA we include all kinds of threats and vulnerabilities.  Sometimes we get comments like “do we really have to worry about all of these things”.  Well, let’s take the latest global threat as a teaching moment.

A HIPAA security risk assessment is supposed to evaluate all threats and vulnerabilities to the confidentiality, integrity, and availability of PHI.  We are not just supposed to evaluate the network and technology threats but ALL threats and vulnerabilities.  When you do an IT-only SRA you may be missing some major threats.  The Kardon SRA threat list is created by comparing lists from different sources and our experiences.  NIST, HITRUST, and others provide threat catalogues.

When we consider flooding, we don’t just consider the flooding most people think about when they first do their review. Flooding could be from the rivers, creeks and lakes or even from hurricanes and the ocean. At least, that is the first threat most people think of. What about flooding from a tree coming through the roof or the roof being ripped off? Even better, what about flooding caused by plumbing issues in your office? How about plumbing issues in offices above or next to yours in a building? These are all flooding events, but they are all different threats of flooding. If we ask someone who only thinks of the first case what the likelihood would be, they may say we are in the desert so the likelihood is negligible. If we throw in all the other possible threats, you can no longer instantly assume this is such a minor possibility.

When we ask people to consider the impact of a flu outbreak, we get a lot of “yeah, right” kind of responses. Now we see why we ask you to consider it a threat and to consider having a plan not only for the medical concerns but also for the privacy and security issues it involves. Please review how you are doing your SRAs, and remember this isn’t just about the common technical threats IT worries about but also about the big picture of the world we live in today. For most organizations, there are more threats coming from real people than there are from some hacker in a hoodie. Those threats do exist; they are very real and very possible, but they should not be the only things you consider.

What should your plan include for Privacy, Security, and COVID-19 outbreaks?

  • Telehealth
  • Remote access bandwidth and equipment
  • Reduced staff due to illness or taking on additional tasks
    • What about the increased volume of cases coming into the office?
  • Clean surfaces matter – mouse, keyboards, touch screens
  • Privacy please – don’t chat with anyone if you think you have a case.  Information should go ONLY to public health agencies, not your neighbors, not FB, not your spouse, not your best friend.
  • The rules and precautions for privacy and security don’t get thrown out the window until the outbreak passes – see above
  • Criminals note that you are distracted. They do not care about people just because there is an outbreak of illness; just like on a holiday, they will be attacking.  The rise of targeted attacks should be referenced.
  • Ability to manage panic amongst staff so they aren’t blowing up your bandwidth researching, chatting, sharing, streaming, etc. if there is an issue

It is important to keep in mind that this crisis will not be the last time you will experience an event you thought would never happen.  Having one event like this is very overwhelming to all of us.  The more we plan for the unexpected in the future the better off we all will be.  Hang in there folks!