HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Top Tips on Conducting a HIPAA Risk Assessment

A HIPAA risk assessment is essential for all covered entities (CEs). Ideally, organizations conduct such an analysis before the Office for Civil Rights (OCR) comes knocking on their door. That way, CEs learn about potential weak spots in their security systems and can make the necessary adjustments to strengthen them.


HealthITSecurity.com discussed this process with several healthcare IT experts and industry leaders to determine best practices for conducting a HIPAA risk assessment. Moreover, we wanted to see what some common oversights could be, and how CEs can ensure that they do not make those mistakes.


Carlyn Choate, MSHI, RHIA, CHPS, Privacy and Policy Coordinator at the Multnomah County Department of Human Services said that it’s important for healthcare facilities to reach out to the right people within the organization itself. From there, facilities can ensure that the necessary questions are being answered and that frontline staff, as well as managers, are being included in the process.


A major component of conducting a HIPAA risk assessment is to get a full working picture of the security process. Managers on their own are not always part of that business process and how information is collected and then moved through the organization, Choate said.

It can also be beneficial to compare risk assessments from one year to the next, according to Choate.


“It’s good to know where the organization stands as far as its level of risk and its vulnerability, and what it has accomplished from year to the next,” she said. “You can also see if those changes still meet the needs of the organization or what types of changes may in the future impact the organization.”


According to Michael Archuleta, HIPAA Security Officer and Director of IT at Mt. San Rafael Hospital, it is also best practice to work with the right organization on the risk assessment. There are various entities that can assist in the process, and it is important for CEs to find a partner that will best meet their privacy and security needs.

“Basically do an overall background of your organization to determine where you stand with HIPAA, find any type of risks, and determine the individual workflows,” Archuleta said. “An assessment methodology is good as well.”


The key thing for any organization is to ensure it knows all aspects of its PHI, according to Archuleta. A facility must get an accurate picture of where its PHI is located and where it is being used.

Moreover, it is also important to have policy procedure reviews. If a healthcare organization wants an individual or a group of employees to follow specific HIPAA guidelines, it needs to have a policy procedure in place, Archuleta said.


“It’s also important when you have these HIPAA risk analyses, you really need to start focusing on training,” according to Archuleta. This will ensure that the end user understands HIPAA and how potential risks apply to the facility.


Archuleta also suggested that CEs conduct a penetration test, which will help determine where current system gaps are and what specific ports are open. If organizations do not conduct a penetration test, it could lead to security issues, he said.


Avoiding common mistakes


Choosing to skip a penetration test can be a major mistake for healthcare organizations, according to Archuleta. This can be essential in determining the location of all of a facility’s PHI.

“I’ve seen a lot of facilities exclude that because they think they don’t need it,” Archuleta said. “They think it’s just a waste of revenue to get that included in the risk analysis, but in my opinion, it is key to determine where you stand with your overall secure infrastructure to keep PHI safe.”


In terms of penetration tests, though, Choate added that it is not wise to assume that a penetration test by itself is enough. Doing a penetration test or installing encryption on mobile devices are simply parts of the risk assessment process, Choate said.

“There are so many other components and so many other levels to a risk assessment,” Choate said.

A penetration test only looks at the network, she explained, whereas a risk assessment looks at how information is collected, how it’s used throughout the organization, who has access to it, and whether those people have the right level of access. Essentially, a penetration test determines how vulnerable a facility could be to hackers, Choate said.

Phil Curran, Chief Information Assurance and Privacy Officer at Cooper University Healthcare, said that a healthcare organization’s failure to understand the risk assessment process can be a setback. If a CE doesn’t understand the process, it will not perform it properly, he said. Agencies such as the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) publish comprehensive guidelines and assessment tools that organizations should take advantage of.

Moreover, sometimes a CE will not do any type of follow up after the initial risk assessment to ensure that necessary security changes were made.


“They do the risk assessment and they say, ‘This is a risk. This is what we’re going to do about the risk.’ And then they don’t do any follow up to verify that they’re actually doing what they said that they were going to do. And that is a concern,” Curran said.

Comparing risk assessments from one year to the next is also essential, he said. Processes and technology are always changing, which is why reviewing previous assessments, as well as any audits, is part of a proper risk assessment, according to Curran. This helps CEs see and understand any organizational changes and identify potential gaps from a control perspective. It can also highlight any improvements that occurred from one year to the next.


Looking ahead for comprehensive security


All three healthcare IT experts agreed that evolving technology can definitely have an effect on HIPAA risk assessments.

According to Curran, having more devices on a facility’s network makes the assessment more difficult simply because there are now more things to review.

“Part of the risk assessment is asking where does the data reside or where is the data going to?” Curran said. “So now you have to take into account more types of devices that we are sending data to.”

Moreover, Curran explained that whenever new technology is implemented that stores or transmits data and allows access to electronic PHI, a risk assessment of that technology is supposed to be performed at that time, rather than waiting until the end of the year for the overall risk assessment. However, the multitude of new devices means there are far more potential endpoints to cover, he said.


Overall, CEs must ensure that risk assessments are not only comprehensive but also tailored to the organization’s workflow. For example, if a facility still uses paper health records, it must understand how that paper flows, according to Choate. Otherwise, the CE opens itself up to potential risk. A good system administrator, privacy officer, or security officer will be able to mold the risk assessment questions so that they match the facility’s workflow.



Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches

Last year, several high profile security incidents occurred at healthcare organizations where a HIPAA Risk Assessment (HSRA) had previously been conducted. This should provoke some pointed questions: Was the HSRA comprehensive enough? Was the remediation plan implemented correctly and in a timely manner? Was an ongoing process of risk management adopted? In this webinar, attendees will learn why HSRAs are a necessary but not sufficient part of maintaining the security of protected health information (PHI).

  • What qualifies as a comprehensive HIPAA risk analysis?
  • Why HIPAA Risk Assessments are necessary but not sufficient
  • What are the elements of an ongoing security risk management program?
  • What else can be done to lower the risk of hacking incidents?
Background

HIPAA Risk Assessments are a valuable component of a healthcare organization's information security program. They fulfill a mandatory requirement of the HIPAA Security Rule, Omnibus Rule, and where applicable, the EHR Meaningful Use Incentive Program. Compliance, however, is not synonymous with security.

The purpose of an HSRA is to identify threats and vulnerabilities. But without a comprehensive remediation plan and ongoing risk management, the HSRA itself is of little value. Further, many HSRAs are too limited in scope, focusing only on policies or “low-hanging fruit” while ignoring more critical and complex risks.

From 2010-2013, the vast majority of breaches of PHI resulted from lost or stolen portable devices. In 2014, the landscape changed. Hackers went on the attack, attracted by the high value of PHI data stores. Millions of health records were stolen. Hackers typically exploit vulnerabilities in the network infrastructure or in web applications. In addition, individual credentials are often compromised through “phishing” email attacks. Were these risks identified in your HSRA?

