How to Conduct a Rigorous Security Risk Analysis
By Bob Chaput, CEO of Clearwater Compliance LLC
Last year, HIPAA privacy, security and breach notification rules were made applicable not just to healthcare covered entities (payers, providers and clearinghouses) but to business associates as well.1
The HIPAA Security Rule now requires all healthcare organizations and business associates to conduct a thorough security risk analysis to determine exposures that may lead to the compromise of the confidentiality, integrity or availability of patients’ electronic Protected Health Information (ePHI) 2. A comprehensive risk analysis is also required in order for certain providers to receive incentive payments for Meaningful Use Stage 1 and 2.
On the Health & Human Services’ “wall of shame”, as of this writing, there are now 682 healthcare organizations and 156 business associates responsible for impermissible disclosure of PHI.3 Business associates alone have accounted for the disclosure of nearly 13 million patient records. And many of these business associates are household names like IBM Global Services, KPMG and Booz Allen Hamilton.
The financial penalties and PR damage from these security violations are growing more serious every day. For example, WellPoint, one of the nation’s largest health insurers, recently settled an ePHI breach case with the HHS for $1.7 million and was cited for not having completed a risk analysis.4 And then there’s the case of Affinity Health Plan, which left patient information on a copier machine purchased by CBS News, leading to a $1.2 million settlement with HHS.5
Yet even with consequences that dire, many healthcare organizations are confused about how to conduct a rigorous security risk analysis. While physicists have a shared lexicon of terms like gravity and acceleration and what they mean, there are no standard definitions in the risk assessment field. For instance, some companies think that a risk analysis is synonymous with a security assessment or a so-called penetration test-a definition that’s woefully inadequate.
While there are competing risk methodologies and benchmarks, one stands as the most time-tested and effective: the guidelines from the National Institute of Standards and Technology (NIST). That’s because the NIST approach involves a formal process for assessing risk based on assets, threats, vulnerabilities, controls, likelihood and impact.
Until recently, it’s been prohibitively expensive and time-consuming to conduct a rigorous NIST-style risk analysis because the job is too difficult to handle manually. But now there are cloud-based software solutions that are both comprehensive and easy to use. Step by step, these tools walk healthcare organizations through every facet of risk analysis-and help operationalize the entire compliance program. Risk analysis is not a “once and done” task; it’s a process that gets stronger over time.
Cornerstone of a Quality Program
There are essentially two ways to look at healthcare privacy and security lapses. One is to attempt to minimize the negative impact of complaints and security breaches when they occur. The other is to conduct a thorough risk analysis as the foundation for a quality program aimed at improving patient care, member care (from the health plan perspective) and customer care (from the business associate viewpoint).
The latter approach is far more effective because it sends an important message: your privacy and security are so important to us that we’ve taken NIST-caliber steps to ensure that privacy and security violations don’t happen in the first place. There are about 700,000 covered entities in the U.S., and only 115 were audited as part of the new HITECH Act-mandated HIPAA audit program last year.6 68% had adverse findings when it came to completing a risk analysis. It’s also important to note that every organization that was investigated and entered into a settlement agreement with HHS since 2009 failed to conduct a risk analysis beforehand or to update an existing risk analysis.
Automating a NIST-Style Risk Analysis
Using SaaS tools available today, here’s how healthcare organizations can conduct a NIST-caliber risk analysis:
Understand your assets-This is the easiest part of the process because patients’ health records are the vital assets you need to first identify, then protect. It’s critically important to safeguard the confidentiality, integrity and availability of those assets. Some risk analyses focus solely on PHI leaks and overlook the accuracy and availability of that data. If a patient’s blood sugar level is incorrectly entered-or if vital information can’t be accessed promptly-then improvements need to be made.
Risk depends on threats-These come in four varieties: adversarial, accidental, structural (IT systems and processes) and environmental (such as fire, flood and tornado).
Risk depends on vulnerabilities-Most vulnerabilities involve a void or deficiency. Some common examples would be: lack of a strong password, lack of encryption, and lack of security policies and effective training.
Risk depends on controls-Your organization’s efforts to mitigate risk fall into three primary categories: administrative controls (e.g., policies, procedures, training), technical controls (such as firewalls, encryption) and physical controls (like locks, cameras).
Risk depends on the likelihood of a threat exploiting a vulnerability-Nearly 40,000 laptops get lost or stolen in the U.S. every week. There’s a strong likelihood that it can happen to one of your employees’ laptops or other mobile devices containing ePHI, hence it’s a significant risk.
Risk depends on the impact of loss-If one of your employees loses a laptop containing more than 500 patient records, HIPAA’s Breach Notification Rule requires that you notify all affected individuals, HHS and all major media outlets without undue delay and in no case greater than 60 days. That’s a grave impact that pales in comparison with losing a laptop containing an employee newsletter.
Taking into account all the possible ePHI assets an organization manages, along with all the possible threats, vulnerabilities and controls that may apply makes the task of considering all possible risks daunting. In fact, the permutations of asset-threat-vulnerability combinations grow rapidly into the millions. The time has come for software-assisted risk analysis.
Simplifying a Complex Job
Fifty years ago, safeguarding PHI involved little more than locking a file cabinet. Now it’s exponentially more difficult because of the Internet, file sharing and mobile devices. A recent study found that 72% of physicians surveyed use a tablet device for professional purposes.7 And that’s not counting the hundreds of other places where ePHI lives in organizations.
The best way to grab the carrot (Meaningful Use incentives) and avoid the stick of six-figure fines (and potentially even bigger judgments in civil suits) is to conduct a thorough, NIST-caliber risk analysis and make it the cornerstone of your compliance program. A comprehensive risk analysis involves far more than beefing up your passwords and protecting your IT systems from hackers. It’s a process made much easier with cloud-based software tools that help prioritize threats and vulnerabilities – and ensure that there are no glaring omissions in your compliance program.
References
- Healthcare Finance News, Jan. 18, 2013.
- 45 CFR §164.308(a)(1)(ii)(A) Risk Analysis.
- HHS website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
- HHS press release, Jul. 11, 2013.
- HHS press release, Aug. 14, 2013.
- HHS website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
- “Taking the Pulse – U.S. 2013” from Manhattan Research.
About the Author: Bob Chaput is CEO of Clearwater Compliance, a HIPAA/HITECH advisory firm based in Brentwood, Tenn.
This article was originally published on ExecutiveInsight and is republished here with permission.