Risk Assessments: Essential Insights
Looming HIPAA audits add sense of urgency
Once the audits begin, perhaps as soon as later this year, one of the "key elements" that auditors will review is an organization's risk assessment document, says Susan McAndrew, deputy director for privacy at the HHS Office for Civil Rights.
Security experts stress that such assessments should:
- Start with a detailed analysis of where all protected health information is stored;
- Assess risk for all information systems, not just core clinical systems; and
- Include testing of security controls.
The HITECH Act, which toughens penalties for HIPAA violations, designated the HHS Office for Civil Rights to enforce the HIPAA security rule in addition to its longstanding enforcement of the privacy rule. And those enforcement activities will include the conducting of compliance audits.
To help call attention to the value of risk assessments, which were mandated under HIPAA, federal regulators have posted a draft of guidance on how to conduct the studies.
"We have heard from many in the industry about the need to reinforce the importance of a risk assessment and to help them figure out how to do a really good risk assessment," McAndrew says.
One security expert lauds OCR's efforts to call attention to the need for risk assessments, but longs for the day when federal regulators offer more specific, tangible advice.
The OCR's draft guidance "absolutely is a step in the right direction," says Mac McMillan, CEO at CynergisTek Inc., Austin, Texas. But many healthcare security officers would like the government to explicitly spell out how frequently such assessments should be conducted, he notes. That's because it can be difficult to get funding for frequent assessments if the studies are not mandated, he says.
OCR may create an implicit expectation for the frequency of risk assessments through its audit program if it repeatedly cites hospitals and others for having out-of-date assessments, McMillan says.
The OCR draft guidance notes the HIPAA security rule does not specify how frequently to perform an assessment. "The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g. bi-annual or every three years) depending on circumstances of their environment."
It also notes that risk assessments should be updated "as new technologies and business operations are planned." Reasons for updates, it states, also include a data breach incident or a change in ownership.
The draft guidance does a good job of emphasizing that "risk assessment is ongoing and happening all the time," says security adviser Kate Borten, president of the Marblehead Group.
Work left to do
Last year, a Healthcare Information and Management Systems Society survey of hospitals found that 74 percent had conducted a risk analysis. Of those, 55 percent conduct an analysis at least annually.
But many organizations have never done a truly comprehensive risk assessment that starts with a data flow analysis, pinpointing where all protected health information resides, Borten contends.
Data loss prevention software can be helpful with this data flow detective work, McMillan adds.
"A lot of folks don't appreciate how much data has been replicated in the work process and now lives outside of their primary clinical applications," he says. Too much patient information resides in spreadsheets and documents where it's less secure, especially if it's overlooked, he notes.
A recent Dartmouth College study found that personal health information stored in documents and spreadsheets is finding its way to peer-to-peer networks.
Look at entire environment
Because patient information is stored in so many places, hospitals and others must cast a wide net when conducting a risk assessment.
"A lot of organizations think they can do a risk assessment of just their core clinical systems," McMillan says. "But you have to consider the entire environment when assessing risk."
Many organizations that conduct risk assessments fail to realize that technical testing is a vital component, he adds.
"A checklist will take you through the process," he notes. "But it won't tell you whether you have your security controls turned on, let alone whether they are effective."
The bottom line? Even those organizations that have conducted a risk assessment "should go back and look at what they've done and how they are handling the risk management process and see if there are opportunities to take it to a more rigorous level," Borten says.
Good Samaritan Hospital in Vincennes, Ind., conducted a risk assessment with the help of a consulting firm about three years ago and is preparing to hire another firm to complete a more rigorous assessment in the months to come, says Chuck Christian, CIO.
"I may not see the threats and the risks as well as an outsider," says Christian, noting that the community hospital cannot afford a full-time chief information security officer.
The hospital recently got a "wake-up call" on the need to update and enforce security policies when it discovered some staff members were storing patient information on thumb drives. "Some didn't understand that it was 'removable media' and thus against our policy to use for patient information," he acknowledges.
The hospital likely will conduct a risk assessment every two to three years, Christian says, because "best practices are changing" and new technologies are continually emerging.
Christian says the OCR's draft document offering risk assessment tips is useful. "Anything we can get that helps us define things and provides a vehicle to help us have a conversation with upper management about why this is important is helpful," he says.
The OCR's draft document points to several sources where organizations can get free advice, including:
- Documents from the National Institute of Standards and Technology. For example, NIST recently posted a draft document, 800-53-A, that offers guidance on assessing security controls.
- The Office of the National Coordinator for Health Information Technology has produced a risk assessment guide for smaller physician group practices.
- HIMSS has created an information technology security practices questionnaire.
- The Health Information Trust Alliance has created a Common Security Framework that includes advice on risk assessments.