Fundamental Guide to HIPAA Security Risk Assessments

By Ken Reiher, VP Operations, ComplyAssistant
Twitter: @ComplyAssistant

Conducting regular HIPAA security risk assessments helps covered entities ensure compliance with HIPAA’s administrative, physical and technical safeguards, and helps expose areas where an organization’s protected health information (PHI) could be at risk.

In today’s digitized healthcare environment, there is no limit to the places where protected health information (PHI) resides, and the associated risk that comes with it. Over the past several decades, the value of ePHI has increased exponentially, which is why the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires periodic security risk assessments be conducted by covered entities (CEs) and business associates (BAs).

Performing consistent HIPAA security risk assessments helps organizations ensure compliance with HIPAA’s administrative, physical and technical safeguards, and helps expose areas where an organization’s PHI could be at risk. In addition to conducting assessments, healthcare organizations must establish rigorous controls and governance to mitigate risks identified during the security risk assessment.

This fundamental guide on HIPAA security risk assessments will walk you through the essential components of performing assessments, and what to do with them once complete.

What is the purpose for performing HIPAA security risk assessments?
HIPAA security risk assessments are mandated under HIPAA. Every CE is required to conduct them periodically. The Rule does allow for some level of flexibility in how each organization tailors its assessment, based on circumstances and environment, using factors such as:

• Size, complexity and capabilities of the covered entity
• The covered entity’s technical infrastructure, hardware and software security capabilities
• The probability and criticality of potential risks to ePHI
• The costs of security measures

In addition, performing regular HIPAA security risk assessments will ensure that CEs are prepared in case of an audit by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR will request to see key documentation, including:

• When the most recent HIPAA security risk assessment was performed
• Which risks were mitigated in risk-level order
• Any HIPAA policies and procedures are in place
• Evidence and documentation of key activities
• Protocols and controls in place

Most importantly, the primary focus of HIPAA security risk assessments for both CEs and associated BAs should be to protect the confidential and private information of their patients.

Why are security risk assessments important for healthcare?
In the 1970s, PHI was only accessible in a few places, and it really wasn’t worth stealing. By the 1990s, that changed with the advancement of technology and networks. Local and wide area networks, distributed servers and smart workstations made data access more efficient, but also significantly increased the number of locations of PHI. The first cases of selling PHI increased its potential value and, thereby, the motivation to steal it.

With the 2009 Affordable Care Act and the movement to electronic health records, healthcare became a primary target for cyber attacks, so CEs had to evolve their approach to security risk management.

Today, under HIPAA regulations, CEs are obligated to protect their own operations and information, along with that of their BAs who have access to PHI. A single hospital could have hundreds of business associate agreements (BAAs), a number that is significantly higher for multi-location and national health systems. HIPAA security risk assessments enable CEs to evaluate both internal and external risk areas.

HIPAA security risk assessments are critical to maintaining a foundational security and compliance strategy. Performing regular, consistent assessments requires a top-down approach and commitment shared by every member of the senior leadership team, so that it becomes part of the culture of the organization.

What is the difference between an internal and external HIPAA security risk assessment?
Internal HIPAA security risk assessments refer to those performed within the CE itself. This could include a variety of locations of care such as an acute care facility, and affiliated alternate care sites (e.g., surgery centers, skilled nursing facilities, owned physician practices).

External HIPAA security assessments are those performed with any third-party vendor or business associate. Security risk assessments for BAs must be comprehensive, but should be tailored based on each business associate’s level of interaction with PHI.

Regardless of whether the HIPAA security assessment is performed internally or externally, it should include evaluation of:

• Administrative, physical and technical safeguards
• Facility and workstation security
• Encryption protocols for email, devices, data storage, wireless connections and more
• Hardware and software that stores PHI
• Change management policies and procedures
• Monitoring downstream BAs
• Appropriate destruction and disposition of data
• Liability insurance
• ePHI vulnerability, which evaluates various areas where PHI resides
• Threat actions, which evaluates risk associated with power outages, weather-related threats, personnel-related threats and the like

What types of healthcare facilities should perform HIPAA security risk assessments? How often?
All CEs (including healthcare providers, payers and clearinghouses) and third-party vendors or BAs that have access to PHI are required to perform periodic HIPAA security risk assessments, no matter the size, structure or complexity of the organization. While small hospitals and single providers may not be as complex as large health systems, they are still considered CEs, and thus are just as responsible for protecting PHI.

Best practice is to conduct annual HIPAA security risk assessments. However, a CE may want to perform additional assessments under these types of circumstances:

• When results of previous HIPAA security risk assessments uncovered high-risk security gaps and issues.
• If there have been substantial changes to the organization’s structure or operations, such as mergers or acquisitions, the addition of new or upgraded networks, or the building of a new facility.
• When there are changes to federal regulations or cybersecurity frameworks.

What are common challenges to conducting HIPAA security assessments on a consistent basis?
Although regular, periodic HIPAA security risk assessments are required, many organizations run into challenges in keeping pace with the volume and frequency. Below are typical challenges that CEs should prepare for:

• High volume and limited resources
  Providers often have insufficient resources to manage security risk in-house. Performing security risk assessments internally and externally each year (or more often, if warranted) is time-consuming and multifaceted, and requires the appropriate resources if it is to be done right.
• Insufficient manual tools
  Traditional tools like Excel that necessitate manual data input cannot handle the volume, analysis, document storage and project management required to appropriately perform a HIPAA security risk assessment.
• Lack of in-house knowledge
  Depending on the CE, in-house expertise to conduct HIPAA security risk assessments may not be available. Even if such expertise is available, security risk assessments often fall to the bottom of the list of competing priorities.
• Assessment surveys that are too general and over-complicated
  Some security risk assessment surveys include many questions that don’t add value, or don’t apply to either internal or external operations. Long, general surveys are written to address any possible scenario, but most of the assessment questions may not apply, and therefore are unnecessary.
• Competing political agendas and priorities
  Many CISOs report to the CIO, but this can potentially cause a conflict of interest, similar to a financial auditor reporting to the CFO. Security risk management should be separate from IT to minimize conflicts of interest.

What are the best steps to maintain HIPAA security risk assessments over the long term?
Any CE will have to overcome challenges specific to its organization while trying to maintain a consistent program for conducting HIPAA security risk assessments. Below are a few tips to help support the process.

• Establish an IT governance structure that mandates transparency and accountability.
  Such a structure will help enforce organizational accountability, eliminating any possibility of ignoring security risk assessments, both internal and external. The principles of transparency and accountability should be rewarded to maintain the integrity of the governance structure. An IT governance structure should also require that the CE conduct a new HIPAA security risk assessment at the time of any regulatory or operational changes.
• Empower the Chief Information Security Officer (CISO) and other designated resources.
  The CISO should be an unbiased resource that provides the appropriate checks and balances within the CE. This applies to any potential conflict of interest or political pressure to whitewash the results of HIPAA security risk assessments.
• Create and follow through on a risk mitigation action plan once the assessment is complete.
  Prioritize high-risk areas and work your way down to the low-risk areas. The action plan should include a defined owner and timing for completion. This activity will not only mitigate any vulnerabilities, but will set the organization up for the next HIPAA security risk assessment.
• Establish a vendor risk management strategy.
  Since HIPAA security risk assessments are also performed with third-party vendors and BAs, the CE should create and enforce a meticulous strategy for vendor risk management. Make sure BAs are performing their own due diligence and that the CE has binding contracts in place with each BA.

This article was originally published on ComplyAssistant and is republished here with permission.