How Do You Perform An Appropriate Security Risk Analysis?

EHR Training Strategies by Ron Sterling

By Ron Sterling
Sterling Solutions

The Meaningful Use Measures include a Security Risk Analysis.  The Security Risk Analysis evaluates your practice’s compliance with the HIPAA Security Standards.  Failure to complete the Security Risk Analysis can prevent you from collecting the EHR incentive and/or put at risk the EHR incentive you do receive in the event of an audit.
In a disturbing number of situations, practices are not properly completing the Security Risk Analysis. For example, a number of practices are using boilerplate risk analyses that do not account for size, structure or even the technology base being used by the practice.  Such an approach could ignore key areas of vulnerability and risk such as EHR customization or interfaces with diagnostic equipment.  Indeed, some practices are instructed to just fill out the form to “get your money.”  However, an incomplete security risk analysis presents two substantial problems:
Meaningful Use Disqualification – The EHR incentive program requires satisfying all of the MU Measures.  Reporting completion of the MU requirements with a failed or even missing Security Risk Analysis places your entire payment at risk.
HIPAA Security Penalties – If the Security Risk Analysis is not properly completed or the practice fails to address issues that would have been uncovered during a more appropriate analysis, your practice may be subject to HIPAA Security penalties.  Indeed, such penalties can amount to more money per provider than you will ever receive for the EHR incentive program.
To fulfill the Meaningful Use requirement and perform a valid Security Risk Analysis, consider the following issues:
Compile a Security Risk Assessment – A proper Security Risk Assessment includes from 100 to 300 or more evaluation criteria depending on your situation.  A variety of sources offer templates to frame your analysis.  However, these tools are general and require editing to fit your situation.  For example:
Use of a cloud-based EHR service (also known as Software as a Service or Application Service Provider) relies on the vendor to address a number of security risks.
A larger practice needs a formal review, reporting, and supervisory structure to address security risks and may need an office-level assessment for each office.
The security assessment tool includes questions covering the Administrative, Physical and Technical controls for your Protected Health Information.  You are better off starting with a more comprehensive analysis tool and editing it for your practice than trying to take an overly simplistic tool and improve it to review your real risks.
Perform the Security Assessment – The purpose of the assessment is to identify risks and threats.  In some cases, the problems uncovered in the Security Risk Assessment may be addressed through changes to procedures, a discussion with your vendor or additional hardware.  In any event, it is not in the interest of your practice or patients to dumb down the assessment or your process.  Indeed, it is not the publisher of the checklist or the technogeek you hire to help you who will have to live with the implications and problems that result from a process that ignores or bypasses problematic answers or areas.
In fact, it is literally pennies on the dollar to do a correct and thorough assessment that identifies problems and allows you to come up with solutions before you lose Protected Health Information, or have an impermissible disclosure.  For example, a practice performed a security risk analysis that bypassed some “problematic” issues associated with dated hardware and old software.  The practice lost a significant amount of patient information due to a hardware failure and a backup process that was inadequate and flawed.  To avoid similar problems, the analysis process should be vigorous and not seek to “do the absolute minimum.”  If you don’t come up with a problem that you need to address from your analysis, chances are you have not done an adequate analysis.
Implement Changes to Correct Security Deficiencies – The most thorough analysis is pretty useless if you are not prepared to address the problems that you uncover.  The key issue is to identify the vulnerabilities and threats to your electronically stored PHI and initiate actions to avoid problems.  You may be able to solve a problem with some changes to your process, or you may require the next version of your EHR software.  Either way, you should maintain an inventory of the items you need to fix and track the status of your efforts.  Indeed, you should report on the status of your remediation efforts to practice/HCO management on a periodic basis.
Performing a Security Risk Analysis is a critical component of your compliance with HIPAA Security Rules and meeting Meaningful Use.  However, a flawed process can provide a false sense of security and an even more troublesome risk profile that could seriously affect your ability to serve patients and meet the evolving care standards in the healthcare industry.  A thorough and effective Security Risk Analysis ensures that you address threats and vulnerabilities before a crisis emerges.
This article was originally published on Avoid EHR Disasters and is used here with permission. Ron Sterling is a nationally recognized expert on EHR implementation, Meaningful Use, and HIPAA Security. He is also host of The EHR Zone, an Internet radio program airing daily at 4 pm Eastern. He can be contacted at rbsterling@sterling-solutions.com.