7 tips for getting the most out of a HIPAA risk analysis


A data security risk analysis is required of every organization covered by the Health Insurance Portability and Accountability Act (HIPAA), under the Security Rule at 45 CFR 164.308(a)(1)(ii)(A), and of any provider attesting to meaningful use of certified EHR technology. Most organizations understand that they have the obligation; far fewer know how to carry out the assessment effectively and then act on its findings to reduce their overall risk.


Kroll Advisory Solutions, which specializes in risk mitigation and response, advises a range of clients on designing and conducting healthcare risk assessments that keep covered entities both in compliance and aware of the gaps in their data security programs. Drawing on that experience, Kroll offers the following seven recommendations for getting the most out of a HIPAA risk analysis.

1. When preparing your team, cast a wide net. To get the most comprehensive assessment possible, make sure the right stakeholders are involved. That usually means subject matter experts from across the organization: IT and operations, human resources, compliance and legal, and the supervisors or managers who own the workflows that touch PHI. Once you have identified these stakeholders, establish protocols for tasks, timelines and communication among the team so that the work runs smoothly and no area is left unexamined.

2. Fully scope the risk assessment. Do you know what your compliance obligations are? The HIPAA Security Rule requires "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity." If you are attesting to Stage 1 meaningful use, the attestation itself focuses on the risks that specifically apply to your certified electronic health record (EHR) technology. For Stage 2, you must also show that you have addressed encryption and/or security of data at rest. Keep in mind that the meaningful use scope is a floor, not a ceiling: the Security Rule obligation covers all EPHI the organization holds, wherever it lives, not just the EHR. Whatever your requirements, define the scope of the assessment clearly and make sure your team understands and works within that focus.


3. Take stock of your data. One of the key components of any assessment is determining how PHI and EPHI are received, stored, transmitted, accessed and disclosed. Once you have scoped the assessment, begin gathering the relevant information: good starting points are reviews of past or ongoing projects, interviews with staff, a review of existing documentation, and your organization's standard data-gathering techniques, if it has them. Be sure to include data held by a business associate or other third party, as well as data on removable media and portable computing devices such as laptops and phones, which are a frequent source of breaches. As part of the process, document the methods you used to identify and locate EPHI and PHI, so the inventory can be reproduced and defended later.

4. Address anticipated or known vulnerabilities. You have probably already identified some potential vulnerabilities and estimated the likelihood that a threat source would exploit them. If they fall within the scope of your assessment, document them beforehand rather than leaving them out because they are already familiar. The HIPAA Security Rule requires you to take into account the probability of potential risks to EPHI; combined with the results of your assessment, that analysis is what lets you identify the "reasonably anticipated" threats you are required to address.

5. Document, document, document. Although it has been mentioned already, the importance of proper documentation cannot be stressed enough. HHS requires the risk analysis to be in writing, and the material you gather throughout the assessment meets that requirement, together with your record of the corrective actions taken to remediate the problems the assessment uncovered. The Security Rule also requires that this documentation be retained for six years from the date it was created or last in effect, whichever is later, so keep it where it can be produced on request.

6. Be prepared for follow-up after the risk assessment is completed. This is critical, particularly for those attesting to meaningful use: the assessment by itself is not enough. An organization must "implement security updates as necessary and correct identified security deficiencies as part of its risk management process." Failing to address identified gaps and vulnerabilities leaves the organization exposed and subject to corrective action, and a documented finding that was never remediated is harder to defend than one that was never found.

7. Regularly check on your progress. Finally, the Department of Health & Human Services recommends performing risk assessments periodically, and in particular after any change in technology or business operations that could affect the security of your PHI or EPHI, such as a new system, a new business associate or a reorganization. Make sure your team is prepared for this ongoing responsibility. Regular risk assessments can catch vulnerabilities and incidents before they turn into a reportable breach, which makes them a best practice for any organization serious about managing risk.