Risk assessment should serve as the foundation for any Health Insurance Portability and Accountability Act (HIPAA) security compliance effort, and for that matter, the cornerstone for the overall information security program. Consider these five truths to help grasp the criticality of the security risk assessment to achieving and demonstrating HIPAA compliance:
- It is not optional. All organizations deemed covered entities or business associates under HIPAA are required to perform an accurate, thorough and periodic risk assessment in order to demonstrate compliance with the HIPAA Security Rule. No matter the level of security employed, an organization cannot be compliant without a documented risk assessment. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments, and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of electronic protected health information (e-PHI). Risk analysis is the first step in that process.
- It is not black and white. Risk analysis is generally a subjective undertaking, and there are a number of available risk frameworks that provide a methodical approach to completing a risk assessment. While the Office for Civil Rights (OCR) has not mandated a prescriptive risk analysis framework, it has issued guidance that outlines the essential elements of an acceptable risk assessment. In a nutshell, an organization must systematically identify and document: all electronic media touching e-PHI; all threats and vulnerabilities that could result in inappropriate access to or disclosure of the organization’s e-PHI; the security measures in place and their effectiveness; and the determination of threat occurrence likelihood, impact, resulting risk level and risk mitigations.
- It is not easy. The Security Rule is comprehensive and inclusive of all e-PHI created, received, maintained or transmitted within the IT environment. A risk assessment cannot simply consist of a checklist, but must demonstrate the totality of systems inventoried in scope, e-PHI identified, and risk decisions. Also, the scope of the security risk assessment most often exceeds just electronic health records (EHR) application data, as it must cover all e-PHI maintained within other systems (consider legacy, shadow, and end-user systems).
- Documentation is key. All information considered, compiled and reviewed forms the basis for the risk assessment and demonstrates the rationale for risk decisions. Documentation of data collection efforts, security controls evaluation, analytical procedures performed, and the methodology for risk prioritization evidences a thorough and comprehensive risk assessment. Further, risk assessment documentation is a must when an organization decides not to implement an addressable implementation specification: the Security Rule permits that only if the entity documents why the specification is not reasonable and appropriate in its environment and implements an equivalent alternative measure where one is reasonable and appropriate. The risk assessment is where that rationale has to come from.
- Build it into process. Organizations should continuously explore all areas of technology risk facing the business with an integrated risk analysis approach, including the implementation of new technologies and the ongoing management of central applications holding e-PHI. While an EHR application should have security controls embedded within, actual implementation of the EHR is critical, as is a secure integration into the overall IT infrastructure. It is imperative to consider security essentials, such as encryption and access controls, during design and implementation phases, and in subsequent changes and upgrades. An integrated risk analysis process enables the proactive identification of risks and facilitates timely risk management.
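To make the elements above concrete, here is an added example (not part of the original article, and not any official OCR tool) of a minimal risk register that records the items the guidance expects: an inventory of systems touching e-PHI, threat/vulnerability pairs with their existing controls, a likelihood and impact rating, the resulting risk level and mitigation, and the documented decision for each addressable specification. The 1-3 likelihood and impact scale, the Low/Medium/High banding, and the sample clinic data are assumptions of this example; the Security Rule prescribes none of them. The `validate_register` function flags the gaps an auditor would ask about: an e-PHI system with no risk entries, a non-low risk with no mitigation, and an addressable specification that was not implemented without an alternative or rationale.

```python
"""Minimal HIPAA-style security risk register (added example, not the article's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    ephi: bool          # creates, receives, maintains or transmits e-PHI?
    category: str       # "ehr", "legacy", "shadow", "end-user", ...


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    controls: List[str]             # measures in place and judged effective
    likelihood: int                 # 1..3, residual (after existing controls) -- assumed scale
    impact: int                     # 1..3, on confidentiality/integrity/availability of e-PHI
    mitigation: Optional[str] = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed banding: 1-2 low, 3-4 medium, 6-9 high.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


@dataclass
class AddressableDecision:
    spec: str                           # citation of the addressable specification
    implemented: bool
    alternative: Optional[str] = None   # equivalent alternative measure, if any
    rationale: Optional[str] = None     # why the specification is not reasonable and appropriate


def validate_register(assets: List[Asset], risks: List[Risk],
                      decisions: List[AddressableDecision]) -> List[str]:
    """Return the documentation gaps an auditor would raise, in inventory order."""
    problems: List[str] = []
    covered = {r.asset for r in risks}
    for a in assets:
        if a.ephi and a.name not in covered:
            problems.append(f"{a.name}: e-PHI system with no risk entries")
    for r in risks:
        if not (1 <= r.likelihood <= 3 and 1 <= r.impact <= 3):
            problems.append(f"{r.asset}/{r.threat}: likelihood and impact must be 1-3")
        elif r.level != "low" and not r.mitigation:
            problems.append(f"{r.asset}/{r.threat}: {r.level} risk has no documented mitigation")
    for d in decisions:
        if not d.implemented and not (d.alternative or d.rationale):
            problems.append(f"{d.spec}: not implemented and no alternative or rationale documented")
    return problems


def prioritized(risks: List[Risk]) -> List[Risk]:
    """Highest residual risk first; stable on asset name for ties."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))


def sample_register() -> Tuple[List[Asset], List[Risk], List[AddressableDecision]]:
    # Constructed sample data for a fictional clinic; not drawn from the article.
    assets = [
        Asset("ehr-prod", True, "ehr"),
        Asset("billing-legacy", True, "legacy"),
        Asset("dept-share-spreadsheets", True, "shadow"),   # e-PHI outside the EHR
        Asset("intranet-wiki", False, "end-user"),
    ]
    risks = [
        Risk("ehr-prod", "phishing", "no MFA on remote clinician portal",
             ["awareness training"], 3, 3, "enforce MFA on all remote access"),
        Risk("ehr-prod", "ransomware", "backup restores never tested",
             ["nightly backups"], 2, 3, "quarterly restore tests plus an offline copy"),
        Risk("billing-legacy", "exploitation of unsupported OS", "end-of-life server",
             ["network ACLs"], 2, 2),                        # medium risk, no mitigation recorded
    ]
    decisions = [
        AddressableDecision("164.312(a)(2)(iv) encryption and decryption", True),
        AddressableDecision("164.312(e)(2)(ii) transmission encryption", False,
                            rationale="e-PHI is transmitted only on an isolated internal VLAN; "
                                      "revisit when any external interface is added"),
        AddressableDecision("164.308(a)(5)(ii)(D) password management", False),  # no rationale
    ]
    return assets, risks, decisions


def sample_findings() -> List[str]:
    return validate_register(*sample_register())


if __name__ == "__main__":
    for line in sample_findings():
        print("GAP:", line)
    for r in prioritized(sample_register()[1]):
        print(f"{r.level:6} {r.score}  {r.asset}: {r.threat}")
```

Run on the constructed data, the validator reports three gaps: the shadow spreadsheet share with no risk entries, the medium-rated legacy server risk with no mitigation, and the password management decision with no documented rationale. Likelihood is rated after considering the controls already in place, which is what lets the same register show the effectiveness of existing security measures rather than a bare threat list.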
True risk assessment does not simply entail the completion of a compliance checklist that is locked away in a file cabinet until the auditor arrives. Comprehensive risk assessment must fully evaluate the relevant threats, vulnerabilities, risks and related controls over the security of all e-PHI, and all systems handling this sensitive data. Accurate risk assessment represents a worthy challenge to any organization, but done well, it pays dividends in the management of enterprise risk and demonstration of HIPAA compliance.
Gary Miller, CISA, CCSA, CIA, CISSP, CRMA, ITIL
Information Security Manager
Gary will discuss this concept at ISACA’s North America Information Security and Risk Management (North America ISRM) Conference this November, in his presentation titled “HIPAA Security Risk Assessment.”