For healthcare organizations, a Health Insurance Portability and Accountability Act (HIPAA) security risk analysis is a critical part of both compliance and security. The HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires covered entities and their business associates to conduct an accurate and thorough assessment of the risks to the electronic protected health information (ePHI) they create, receive, maintain, or transmit.
A risk analysis that is missing, or that the regulator deems “insufficient,” can cost you heavily in fines and reputational harm. You are therefore responsible for making sure that whoever performs the analysis does so in a detailed, compliant, and complete way, so that weaknesses are found before they lead to a data breach.
If you are covered by HIPAA, it is worth understanding how to avoid the “insufficient” label.
What Is a HIPAA Security Risk Analysis?
As noted, this analysis is part of complying with the HIPAA Security Rule, which applies to you if you create, receive, maintain, or transmit ePHI. The Rule does not fix an interval for the analysis; the Office for Civil Rights treats it as an ongoing process, and the common practice is a full review at least annually plus an update whenever the environment changes. A related but separate assessment appears in the Breach Notification Rule: after an impermissible use or disclosure of PHI, you must assess the probability that the PHI was compromised to decide whether the event is a reportable breach that requires notifying Health and Human Services (HHS) and the affected individuals.
Additionally, many organizations carry out an analysis when they implement new software, change network configurations, or undergo any other major IT event.
The Office for Civil Rights (OCR), the HHS agency that enforces HIPAA, publishes guidance on the risk analysis. Its requirements include:
- Assessing any potential risks and vulnerabilities concerning the confidentiality, integrity, and availability of electronic PHI
- Reviewing compliance with HIPAA standards
- Identifying how you create, receive, maintain, and transmit ePHI
- Determining how your vendors and third parties create, receive, maintain, and transmit ePHI
- Defining the threats to the security of the data, which can be human (external and internal, intentional and accidental), natural (such as floods, earthquakes, and storms), or environmental (such as power failures, water damage, or chemical leaks)
Once you receive the analysis, you must act on it in good faith. OCR guidance and the Security Rule's standards point to actions such as:
- Creating a workforce screening and clearance process.
- Defining what data to back up, how, and how often.
- Using encryption for ePHI at rest and in transit.
- Implementing mechanisms to authenticate ePHI, that is, to verify it has not been improperly altered or destroyed.
These are a routine part of doing business in healthcare, and guidance and recommendations exist for each. There is less gray area here than in other parts of HIPAA. That does not, however, mean every HIPAA security risk analysis is the same.
Healthcare Software Company Fined for Insufficient HIPAA Security Risk Analysis
So, how do you know whether your analysis is effective and meets HIPAA requirements? Consider a recent enforcement action on exactly this issue. A healthcare software firm paid $350,000 to HHS OCR after an investigation found, among other things, that it had failed to perform a risk analysis.
Without a sufficient analysis, nobody caught a misconfigured FTP server, which in 2018 exposed the data of 230,572 patients. Because of the misconfiguration, anyone on the internet could reach the server without credentials. The exposed ePHI included patient names, contact details, and some Social Security numbers.
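The page does not say which FTP server was involved or how it was misconfigured, so the following is an added example rather than a reconstruction of the case: it audits a vsftpd-style configuration (an assumed format) for the kind of credential-less access described above. Both configurations in the block are constructed for the example. The check a practitioner most often misses is that vsftpd's documented default for anonymous_enable is YES, so a file that never mentions anonymous logins still permits them.

```python
"""Audit a vsftpd-style FTP configuration for anonymous, credential-less access.

Added example, not taken from the case above or from any vendor: the page does
not say which FTP server was involved, so vsftpd's configuration format is an
assumption. The two configurations below are constructed for the example.
"""
from typing import Dict, List

# Documented vsftpd defaults that apply when a directive is absent. The one
# that matters most: anonymous_enable defaults to YES, so a config that never
# mentions anonymous logins still permits them.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings: Dict[str, str], key: str) -> str:
    """Value actually in force: the explicit setting, else the documented default."""
    return settings.get(key, DEFAULTS.get(key, "NO")).upper()


def audit_ftp_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_vsftpd_conf(text)
    findings: List[str] = []
    if effective(s, "anonymous_enable") == "YES":
        if "anonymous_enable" in s:
            findings.append("anonymous_enable=YES: anyone can log in without credentials")
        else:
            findings.append("anonymous_enable is unset and defaults to YES: "
                            "anonymous logins are permitted implicitly")
        # Anonymous writes need write_enable plus one of the anon_* directives.
        if effective(s, "write_enable") == "YES" and (
            effective(s, "anon_upload_enable") == "YES"
            or effective(s, "anon_mkdir_write_enable") == "YES"
        ):
            findings.append("anonymous users may also write to the server")
    if effective(s, "ssl_enable") != "YES":
        findings.append("ssl_enable=NO: credentials and file contents cross the network in cleartext")
    return findings


# Constructed sample: a config that never mentions anonymous access at all.
WEAK_CONF = """\
# vsftpd.conf (constructed for this example)
listen=YES
local_enable=YES
write_enable=YES
"""

# Constructed sample: anonymous access disabled explicitly and TLS required.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ftp_config(conf) or ["no findings"])
```

The weak file produces two findings (implicit anonymous access and cleartext transport) even though nothing in it looks alarming at a glance; the hardened file produces none. A risk analysis that only greps for `anonymous_enable=YES` would have passed the weak file.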
As HIPAA requires, the company reported the breach, and OCR responded by opening an investigation. The investigation determined that at least one unauthorized person had viewed the ePHI. It further found that the organization had not analyzed its risks and vulnerabilities and had not entered into a business associate agreement (BAA) with a subcontractor.
In addition to the payment, the company must develop and implement a risk management plan that includes a HIPAA security risk analysis.
It may seem unfathomable that a company in the healthcare field would “forget” to do an analysis, yet this case shows it still happens. So, if you do conduct one, what else can make it insufficient?
When Is a HIPAA Security Risk Analysis Sufficient?
The best way to judge whether your risk analysis is sufficient for HIPAA purposes is to look at what it should include. If the firm conducting your assessment follows these practices, you can be confident in its sufficiency.
The Scope Should Be Clear and Inclusive
Your analysis begins by defining the scope. It must cover every part of your technology ecosystem that could affect the confidentiality, integrity, and availability of ePHI, which means every form of electronic media that may hold it. HIPAA defines electronic media broadly: hard drives, removable storage, portable devices, and the networks over which ePHI is transmitted. In practice, that is your organization's entire digital footprint, including vendor-hosted systems.
Electronic media is only part of it. You must also assess the physical environment around that media: the workstations, servers, and portable devices holding ePHI and the facilities that house them. Paper records containing patient information are governed by the Privacy Rule rather than the Security Rule, but many organizations fold them into the same assessment.
Classification of ePHI Must Be Complete
The first step of a HIPAA security risk analysis is data collection. In this phase you inventory where all ePHI is created, received, stored, and transmitted. It can be a massive undertaking, but experienced assessors have methods for organizing it: reviewing past and current projects, interviewing employees, and reviewing system documentation and data-flow diagrams. Document the inventory process itself as well, not just its results.
Identification and Documentation of Threats and Vulnerabilities Must Be Thorough
The next step is to identify and document the threats and vulnerabilities to ePHI that you can reasonably anticipate. HHS borrows NIST's definition of a vulnerability: “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.”
Its definition of a threat also comes from NIST: the potential for a person or thing to exercise, either accidentally or intentionally, a specific vulnerability. Threats can be natural, human, or environmental.
The documented list must be thorough and span the full range of your technology infrastructure.
Evaluation of Current Security Measures
The next step is to assess the security measures you already have in place to protect ePHI: how you safeguard it, which Security Rule provisions you have implemented, and whether the mechanisms you rely on are configured and used correctly.
The measures will vary, often with the size of the organization. SMBs usually have fewer variables, while enterprises have many more, so this step does not look the same for everyone. What matters is that the evaluation documents a robust security program rather than a nominal one.
The Likelihood of a Threat Occurrence
Next is determining the likelihood that each threat will actually occur. With your current security measures evaluated, you now estimate the chance that each event happens given those controls. All of this is framed by the Security Rule's standard of threats you can “reasonably anticipate.”
Defining the Potential Impact of a Threat Occurrence
Having assessed likelihood, you next define what the effect would be if each threat materialized. Typically this takes the form of a list in which each threat receives a rating on a scale. The Security Rule requires you to consider the “criticality” of each potential risk. You can do this with a quantitative method, a qualitative method, or a combination of both.
Providing a Conclusion for the Level of Risk
The final step is to determine your level of risk from the threat likelihoods and impacts. A risk is highest when the threat is likely to occur and its effect would be significant; when both are low, so is the risk level.
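The three steps above (likelihood, impact, resulting risk level) are easier to see as a worked risk register. The block below is an added example, not the page's method or anything OCR prescribes: the three-level ordinal scale, the score thresholds, the threat names, and every dollar figure and rate are assumptions chosen for illustration. It combines the qualitative and quantitative approaches the text mentions, using a likelihood-times-impact score to set the level and annualized loss expectancy (ALE = SLE × ARO) to separate threats that share a level.

```python
"""Risk-ranking step of a HIPAA security risk analysis.

Added example: this is not the page's method or an OCR-mandated scale. The
three-level ordinal scale, the score thresholds, and every figure in the
sample threat register are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scale shared by likelihood and impact (assumed; the Security Rule
# prescribes no particular scale, only that probability and criticality be weighed).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    likelihood: str           # "low" | "medium" | "high" (qualitative)
    impact: str               # "low" | "medium" | "high" (qualitative)
    sle_dollars: float = 0.0  # single loss expectancy, for the quantitative view (assumed)
    aro: float = 0.0          # annualized rate of occurrence, events per year (assumed)


def qualitative_score(threat: Threat) -> int:
    """Likelihood x impact on the ordinal scale; possible values 1, 2, 3, 4, 6, 9."""
    return SCALE[threat.likelihood.lower()] * SCALE[threat.impact.lower()]


def risk_level(score: int) -> str:
    """Map a score to the level recorded in the risk register (thresholds assumed)."""
    if score >= 6:
        return "high"      # high/high, high/medium, medium/high
    if score >= 3:
        return "medium"    # medium/medium, low/high, high/low
    return "low"           # low/low, low/medium, medium/low


def annualized_loss_expectancy(threat: Threat) -> float:
    """Quantitative counterpart: ALE = SLE x ARO, in dollars per year."""
    return threat.sle_dollars * threat.aro


def rank_threats(threats: List[Threat]) -> List[Tuple[str, int, str, float]]:
    """Return (name, score, level, ALE) ordered highest risk first.

    The qualitative score decides the order; ALE breaks ties, so two threats
    that both rate 'high' are still separated by expected annual loss.
    """
    rows = []
    for t in threats:
        score = qualitative_score(t)
        rows.append((t.name, score, risk_level(score), annualized_loss_expectancy(t)))
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return rows


# Constructed sample register spanning the threat classes the analysis must
# cover: human (external and internal), natural, and environmental. Dollar
# figures and rates are invented for the example, not drawn from any real case.
SAMPLE_THREATS = [
    Threat("File transfer server reachable without credentials", "high", "high", 500_000, 0.5),
    Threat("Workforce credentials phished", "high", "medium", 200_000, 1.0),
    Threat("Unencrypted laptop lost or stolen", "medium", "high", 300_000, 0.2),
    Threat("Insider views records without a business need", "medium", "medium", 50_000, 0.5),
    Threat("Flood damages on-site server room", "low", "high", 1_000_000, 0.02),
    Threat("Short power outage interrupts access", "medium", "low", 10_000, 2.0),
]

if __name__ == "__main__":
    for name, score, level, ale in rank_threats(SAMPLE_THREATS):
        print(f"{level:6} score={score} ALE=${ale:>10,.0f}  {name}")
```

Note how the two views disagree in instructive ways: the flood has the largest single loss but ranks below the insider threat because it is unlikely, while the phished-credential threat outranks the lost laptop despite an equal qualitative score because it is expected to happen more often. A register that records both numbers, and the reasoning behind each rating, is what an assessor can defend as “reasonably anticipated” if OCR asks.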
More Notes on the Sufficiency of Your Analysis
The Security Rule does not mandate a specific format for the documentation. Your assessor usually has a template for it, which can be customized to your needs. Remember, too, that the analysis is ongoing: review it at least annually, and start each review from the previous one, updating it for new technologies and for changes to operations and processes. OCR has published further guidance on tools and methodology, and the firm performing your assessment should use that guidance in developing your analysis and risk profile.
A Sufficient HIPAA Security Risk Analysis Is Part of Risk Management
While you must execute this analysis for compliance reasons, it is also an excellent foundation for your risk management program. The assessor's findings can help you make that program robust by offering expertise on:
- New policies to put in place or strengthen in support of data security and change management
- Digging deeper into vulnerabilities to develop a plan to reduce the associated risk, which could involve new technology or new ways to monitor networks and applications
- Improving security training for employees so that it goes beyond what HIPAA requires
- Evaluating legacy applications, whose outdated architecture can be a source of high risk, for decommissioning or migration
- Identifying configuration issues and how to fix them quickly
The more you can mitigate risk, the better for your organization and the ePHI you possess. If you’d like to learn more about how we conduct these assessments and help healthcare companies, contact us to schedule a discovery session.