A Quick Expert Conversation About Gap Assessment

Posted on January 8, 2020 by Brent Huston

Gap Assessment Interview with John Davis

What follows is a quick interview session with John Davis, who leads the risk assessment/policy/process team at MicroSolved. We completed the interview in January of 2020, and below are the relevant parts of our conversation.

Brent Huston: “Thanks for joining me today, John. Let’s start with what a gap assessment is in terms of HIPAA or other regulatory guidance.”

John Davis: “Thanks for the chance to talk about gap assessment. I have run into several HIPAA concerns such as hospitals and health systems who do HIPAA gap analysis / gap assessment in lieu of HIPAA risk assessment. Admittedly, gap assessment is the bulk of risk assessment, however, a gap assessment does not go to the point of assigning a risk rating to the gaps found. It also doesn’t go to the extent of addressing other risks to PHI that aren’t covered in HIPAA/HITECH guidance.”

BH: “So, in some ways, the gap assessment is more of an exploratory exercise – certainly providing guidance on existing gaps, but faster and more affordable than a full risk assessment? Like the 80/20 approach to a risk assessment?”

John Davis: “I suppose so, yes. The price is likely less than a full blown risk assessment, given that there is less analysis and reporting work for the assessment team. It’s also a bit faster of an engagement, since the deep details of performing risk analysis aren’t a part of it.”

BH: “Should folks interested in a gap assessment consider adding any technical components to the work plan? Does that combination ever occur?”

JD: “I can envision a gap assessment that also includes vulnerability assessment of their networks / applications. Don’t get me wrong, I think there is immense value in this approach. I think that to be more effective, you can always add a vulnerability assessment to gauge how well the policies and processes they have in place are working in the context of the day-to-day real-world operations.”

BH: “Can you tie this back up with what a full risk assessment contains, in addition to the gap assessment portion of the work plan?”

JD: “Sure! Real risk assessment includes controls and vulnerability analysis as regular parts of the engagement. But more than that, a complete risk assessment also examines threats and possibilities of occurrence. So, in addition to the statement of the gaps and a roadmap for improvement, you also get a much more significant and accurate view of the data you need to prioritize and scope many of the changes and control improvements needed. In my mind, it also gets you a much greater view of potential issues and threats against PHI than what may be directly referenced in the guidance.”

BH: “Thanks for clarifying that, John. As always, we appreciate your expert insights and experience.”

JD: “Anytime, always happy to help.”

If you’d like to learn more about a gap assessment, vulnerability assessment or a full blown risk assessment against HIPAA, HITECH or any other regulatory guidance or framework, please just give us a call at (614) 351-1237 or you can click here to contact us via a webform. We look forward to hearing from you. Get in touch today!

Prescription pharmacy bags – do you just trash them?

Posted on July 6, 2018 by Johnny Chuah

When you get your prescription filled at a pharmacy, the medication is usually dispensed in amber colored pill bottles packaged in a pharmacy paper or plastic bag. Once the medication has been consumed, many discard or recycle the bottles.

There have been several articles on how to remove the sensitive information contained in the medication labels on the bottles. The information include the patient’s name and address, name of doctor and medication details. Recommended methods of removing the information include striking them out with a marker pen or removing the label. Some locations will accept the bottles and remove the labels and information for you, and recycle the bottles.

However, nothing is said of the pharmacy paper or plastic bag that the pill bottles come in when you get them from the pharmacist. When I get my meds from the pharmacist – from a big name national grocery store – I am asked for identification to receive them. I am asked of my name and phone or birthdate, and they verify with the information printed on the bag.

Most people are not aware of or don’t consider the information on the front of these bags. The information can be much more sensitive than what’s on the pill bottle labels. These bags are thrown in with the trash, never shredded. That leaves the information vulnerable to dumpster divers and identity theft.

The pharmacy bags the big grocery store dispenses the prescriptions in are sealed plastic bags. I can’t shred them so I stretch and tear the plastic to destroy the information. Most people will not take the trouble to do that. I have spoken with the pharmacist at the location I pick up my medications at with my concerns. Their process is obviously not up to him but perhaps he could pass on the concerns.

Take note of the label information your medications come in, not just the pill bottles but the pharmacy bag. Your private information is not only on the pill bottles but on the bag when they hand you your meds. Dispose of these packaging appropriately.

Resources:

http://rxoutreach.org/education-understanding-prescription-medication-labels/

https://www.popsci.com/old-medications-prescriptions-disposal

There’s Still Treasure in the Trash

Posted on July 2, 2018 by Adam Hostetler

Most businesses have processes and policies for handling sensitive data on paper, whether thats selectively shredding papers or shredding everything, along with training about what goes in trash bins and what goes in shredding bins. However, how many are ensuring that these policies and processes are being followed? Brent asked

When was the last time you did a dumpster dive or wardial against your organization? You know these old school tactics still work, right? Yeah….

— L. Brent Huston (@lbhuston) June 27, 2018

Which got me thinking about this. I couldn’t remember the last time an organization actually asked us about it beyond reviewing policies. I know this problem didn’t disappear, even as we move more and more away from paper. Paper still gets used, people write stuff down, things get printed, and no solution completely ensures that that paper doesn’t end up in the wrong bin. I know from doing it. I found something useful in almost every engagement that we’ve done in the past, whether it was an administrative password, or contact information that I can use for phishing.

Recently, some researchers performed a trash inspection of some hospitals in Toronto. What they found didn’t surprise me. They found PII and PHI, a good bit of it. A resident in Palolo Hawaii found these too. A nuclear security complex was found to be dumping trash that had classified documents in it. None of these were reported breaches, just there for the taking. Who knows if anyone malicious found them too?

Let’s keep working on the most prevalent topics of the day, such as phishing defense and training, but we can’t forget all of the things that were an issue in the past, because they’re still an issue now even if they’re not making the big headlines in the current moment.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Healthcare