Healthcare organizations must deal with a number of regulatory requirements for ensuring patient data security, and compliance begins with a thoughtful, detailed risk analysis, according to a talk at the recent Healthcare Information and Management Systems Society (HIMSS) meeting in Orlando, FL.
Risk analysis and risk management are the tools that healthcare organizations need to use to develop and maintain a strategy for protecting the confidentiality, integrity, and availability of electronic protected health information (PHI), said Joy Pritts, chief privacy officer of the U.S. Office of the National Coordinator for Health Information Technology (ONC).
"If you don't do a security risk analysis, it's really doubtful that you're going to be able to comply with the other elements of the [HIPAA] Security Rule, because this is really the core requirement: that you know what's in your systems and how you're going to protect them," Pritts said.
Pritts and Johnathan Coleman, principal of consulting firm Security Risk Solutions, discussed risk assessment strategies during the HIMSS 2014 session.
Security risk assessments are mandated as part of HIPAA as well as the U.S. government's meaningful use healthcare IT incentive program. The HIPAA Security Rule includes requirements for a security management process, risk analysis, and risk management, but it doesn't prescribe a specific risk analysis or risk management methodology, Pritts noted.
In meaningful use, a stage 1 core objective calls for the protection of electronic health information created or maintained by certified electronic health record (EHR) technology through the implementation of appropriate technical capabilities. The required compliance measure for this objective mandates that users conduct or review a security risk analysis in accordance with the HIPAA Security Rule requirements, and implement security updates as necessary.
Risk analysis steps
For organizations with limited financial resources, Coleman suggested a sample risk analysis that includes eight steps:
- Identify the scope of the analysis
- Gather data
- Identify and document potential threats
- Assess current security measures for vulnerabilities
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Determine the level of risk
- Identify security measures and finalize documentation
The first step involves assessing the potential risks and vulnerabilities regarding confidentiality, availability, and integrity, according to Coleman. This would encompass all electronic PHI created, received, maintained, or transmitted by an organization.
Coleman suggested creating a scope statement that defines the boundary of the analysis. It's also critical that remote users and mobile devices such as tablets and laptops be accounted for in this process, Pritts said.
In the data gathering phase, institutions should identify where the electronic PHI is stored, received, maintained, or transmitted. Information from past or existing projects and interviews within the organization can come in handy. Network diagrams can also help.
Coleman also noted that "many covered entities inventoried and performed an analysis of the use and disclosure of all PHI as part of HIPAA Privacy Rule compliance, even though it was not a direct requirement."
The third risk analysis step -- identify and document potential threats -- should be limited to reasonably anticipated threats to electronic PHI, he said.
"I don't think anybody is expected to be able to identify the complete set of things that could possibly happen," he said. "So asteroids landing on your building is probably not one of the plausible threats that you want to describe."
A list of plausible security threats should be compiled, including threats involving people with network access, threats involving people with physical access, environmental threats, and system threats (not involving people).
One example of a threat scenario, Coleman said, is a hacker penetrating the network, accessing patient data, and copying the patient information to a hacker website.
Assessing current security measures
Organizations must assess current security measures in place, including administrative (organizational policies), technical (e.g., encryption, automatic log-off, and audit controls), and physical (e.g., physical access and theft prevention) measures, he said.
The next step is to determine the likelihood of occurrence, which is the probability that a specific threat will trigger or exploit a specific vulnerability, Coleman said. Threats and vulnerabilities should be rated by likelihood, and results for each threat or vulnerability type should be documented.
"It's possible to get bogged down in complex ... calculations, but I would urge you not to get too caught up in that," he said. "Come up with a way that you can easily and readily determine whether a threat is likely to occur."
Step 6 -- determining potential impact -- should involve documenting potential effects of the threats to the confidentiality, availability, and integrity of electronic PHI. These types of effects cover areas including life/health/safety, financial, legal, reputation/customer confidence, and productivity, Coleman said.
Results from steps 5 and 6 should then be used in step 7 to document risk levels for each threat or vulnerability type, he said. A risk matrix or other criteria could be used as a guide.
In the final step, organizations should identify security measures and finalize documentation. Risks should be prioritized according to their overall risk ranking, and actions should then be identified to mitigate those risks, according to Coleman.
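The following is an added example, not code from the HIMSS session or from either speaker, showing how steps 5 through 8 above can be recorded in a small risk register: each threat scenario gets a likelihood rating and an impact rating, a risk matrix turns the pair into a risk level, and the register is then sorted so that the highest-ranked risks come first when security measures are chosen. The threat scenarios, the three-point scale, and the matrix cells are all constructed for illustration; as the article notes, HIPAA does not prescribe a particular scale or methodology, so an organization would substitute its own.

```python
"""Added example (not from the HIMSS talk): a minimal HIPAA-style risk register.

Implements Coleman's steps 5-8: rate likelihood, rate impact, derive a risk
level from a matrix, then prioritise threats for mitigation and documentation.
All scenarios, ratings and matrix cells below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

RATINGS = ("low", "medium", "high")
SCORE = {"low": 1, "medium": 2, "high": 3}

# Constructed 3x3 risk matrix: (likelihood, impact) -> risk level (step 7).
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Threat:
    """One row of the register: a reasonably anticipated threat to electronic PHI."""
    name: str
    category: str          # network access / physical access / environmental / system
    vulnerability: str     # weakness found when assessing current measures (step 4)
    likelihood: str        # step 5 rating
    impact: str            # step 6 rating
    impact_areas: tuple = ()       # e.g. life/health/safety, financial, legal, reputation
    existing_controls: tuple = ()  # administrative, technical or physical measures in place

    def __post_init__(self):
        # Reject ratings outside the scale so the matrix lookup cannot fail silently.
        for rating in (self.likelihood, self.impact):
            if rating not in RATINGS:
                raise ValueError(f"rating must be one of {RATINGS}, got {rating!r}")

    def risk_level(self) -> str:
        """Step 7: combine likelihood and impact through the risk matrix."""
        return RISK_MATRIX[(self.likelihood, self.impact)]

    def risk_score(self) -> int:
        """Numeric ranking used only to order rows; the matrix level is what is documented."""
        return SCORE[self.likelihood] * SCORE[self.impact]


def prioritise(threats):
    """Step 8: highest overall risk first; ties broken by name for a stable, reviewable order."""
    return sorted(threats, key=lambda t: (-t.risk_score(), t.name))


def risk_summary(threats):
    """Count of threats at each risk level, handy for the binder Coleman describes."""
    counts = Counter(t.risk_level() for t in threats)
    return {level: counts.get(level, 0) for level in RATINGS}


def needs_new_measures(threats, threshold="high"):
    """Shortlist of threats at or above a risk level, i.e. where mitigation is decided first."""
    return [t for t in prioritise(threats) if SCORE[t.risk_level()] >= SCORE[threshold]]


# Constructed sample register covering the four threat categories named in the article.
SAMPLE_THREATS = [
    Threat("External attacker copies patient records after network penetration",
           "network access", "unpatched internet-facing server",
           "medium", "high", ("legal", "reputation"), ("perimeter firewall",)),
    Threat("Lost unencrypted laptop containing PHI",
           "physical access", "laptop disk not encrypted",
           "high", "high", ("legal", "reputation", "financial"), ()),
    Threat("Flood damages on-site server room",
           "environmental", "server room below grade, no off-site backup",
           "low", "high", ("life/health/safety", "productivity"), ("sump pump",)),
    Threat("Disk failure on EHR database server",
           "system", "single disk, nightly backups only",
           "medium", "medium", ("productivity",), ("nightly backup",)),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_THREATS):
        print(f"{t.risk_level():6} {t.category:16} {t.name}")
    print(risk_summary(SAMPLE_THREATS))
```

The numeric score exists only to order the rows; what the register documents for each threat is the matrix level, which keeps the method simple enough to repeat in a year, in line with Coleman's advice not to get bogged down in complex calculations.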
"Consider factors such as the effectiveness [of the security measure], any regulatory requirements that may be there, and organizational culture and policies and procedures," he said. "And once again, document, document, document. If you've got all of this stuff in a binder, not only will you be able to handle your regulatory due diligence, but in a year or so when you redo your risk assessment, it will make that repeat assessment that much easier to do."
Furthermore, implementation and monitoring should be included as part of ongoing risk management activities, he said.
Next steps
Once the risk assessment has been completed, organizations must make sure that an updated risk analysis is in place in the future, and that it reflects any new information included in further guidance from the U.S. Department of Health and Human Services (HHS). A thorough HIPAA compliance gap analysis should also be included within the risk assessment to determine what policies and procedures must be revisited in light of last year's HIPAA Omnibus rule, which included a number of changes.
"It's always important whenever a big [regulation] comes out to make sure that you're in compliance with that new [regulation]," Pritts said.
It's also appropriate to update the risk analysis, for example, if an office purchases new equipment or expands its business, she said.
"Risk analysis and risk management are ongoing processes; it's not a do it once and you're done," Pritts said. "Security is something that you just have to stay on top of."