Performing a Security Risk Assessment Offers Value Beyond Compliance

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

As the digital ecosystem continues to thrive and advance, so too must the regulations and practices for safely caring for sensitive data. That is especially true for the healthcare industry, which continues to be a prime target for cybercriminals.

Healthcare practices need to appropriately safeguard electronic protected health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Meeting HIPAA requirements and combating cybercrime are not the only battles healthcare organizations face when it comes to protecting their patients. The industry is incredibly susceptible to insider threats, which can cause large, damaging data breaches for organizations.

So, what can healthcare practices do to ensure they’re protecting electronic protected health information (ePHI) and thus, protecting the patients they care for? Start with a Security Risk Assessment.

What is a Security Risk Assessment (SRA)?
Also referred to as a Risk Assessment or Risk Analysis, an SRA examines the administrative, physical, and technical safeguards an organization has in place in order to identify security gaps that would pose a potential risk to patient data.

A thorough Risk Assessment will inventory all ePHI repositories. In other words, it will assess and document anywhere the organization may be accessing or storing ePHI. The SRA should also identify threats to those repositories and the current security measures in place to protect the patient data anywhere it is accessed or stored. It should also account for the likelihood that a security incident will occur and the impact that the incident (or threat) would have on your organization. A VERY important piece of a thorough Risk Assessment is ensuring that it contains the remediation measures needed to lower your organization’s level of risk.

By performing an SRA and detecting risks in the assessment, organizations have a chance to remediate those risks, hopefully before they result in a data breach.

The Department of Health and Human Services notes that the requirement for healthcare organizations to perform a Risk Assessment is pertinent to ensuring the “confidentiality, integrity, and availability of electronic protected health information.”

More Than HIPAA Compliance
It is no secret that performing a Risk Assessment is an important piece in meeting HIPAA requirements. The Office for Civil Rights (OCR) continues to crack down and hand out fines for not complying with HIPAA. In fact, 2018 alone saw over $25 million in HIPAA fines handed out to providers, a reminder that practices should not take this requirement lightly.

Aside from addressing HIPAA requirements, a Risk Assessment can be used to point out vulnerabilities that don’t fall under compliance, but that may lead to a data breach. As cybercriminals become more sophisticated and continue to find new ways to exploit healthcare practices, the industry is reminded that becoming HIPAA compliant alone is not enough to protect them.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance.