A HIPAA risk assessment is required of every covered entity (CE) under the HIPAA Security Rule. Ideally, an organization conducts that analysis before the Office for Civil Rights (OCR) comes knocking on its door. That way, the CE learns about potential weak spots in its security program and can make the adjustments needed to strengthen them.
HealthITSecurity.com discussed this process with several healthcare IT experts and industry leaders to determine best practices for conducting a HIPAA risk assessment. Moreover, we wanted to see what some common oversights could be, and how CEs can ensure that they do not make those mistakes.
Carlyn Choate, MSHI, RHIA, CHPS, Privacy and Policy Coordinator at the Multnomah County Department of Human Services, said that it is important for healthcare facilities to reach out to the right people within the organization itself. From there, facilities can ensure that the necessary questions are being answered and that frontline staff, as well as managers, are included in the process.
A major component of conducting a HIPAA risk assessment is getting a full working picture of the security process. Managers on their own are not always part of the business process, and may not know how information is collected and then moves through the organization, Choate said.
It can also be beneficial to compare risk assessments from one year to the next, according to Choate.
“It’s good to know where the organization stands as far as its level of risk and its vulnerability, and what it has accomplished from one year to the next,” she said. “You can also see if those changes still meet the needs of the organization or what types of changes may in the future impact the organization.”
According to Michael Archuleta, HIPAA Security Officer and Director of IT at Mt. San Rafael Hospital, it is also best practice to work with the right organization on the risk assessment. There are various entities that can assist in the process, and it is important for CEs to find a partner that will best meet their privacy and security needs.
“Basically do an overall background of your organization to determine where you stand with HIPAA, find any type of risks, and determine the individual work flows,” Archuleta said. “An assessment methodology is good as well.”
The key thing for any organization is to ensure it knows all aspects of its PHI, according to Archuleta. A facility must get an accurate picture of where its PHI is located and how it is being used.
Moreover, it is also important to conduct policy and procedure reviews. If a healthcare organization wants an individual or a group of employees to follow specific HIPAA guidelines, it needs to have a written policy and procedure in place, Archuleta said.
“It’s also important when you have these HIPAA risk analyses, you really need to start focusing on training,” according to Archuleta. This will ensure that the end user understands HIPAA and how potential risks apply to the facility.
Archuleta also suggested that CEs conduct a penetration test, which will help determine where current system gaps are and what specific ports are open. If organizations do not conduct a penetration test, it could lead to security issues, he said.
Avoiding common mistakes
Choosing to skip a penetration test can be a major mistake for healthcare organizations, according to Archuleta. This can be essential in determining the location of all of a facility’s PHI.
“I’ve seen a lot of facilities exclude that because they think they don’t need it,” Archuleta said. “They think it’s just a waste of revenue to get that included in the risk analysis, but in my opinion, it is key to determine where you stand with your overall secure infrastructure to keep PHI safe.”
Choate added, though, that it is not wise to assume a penetration test by itself is enough. Doing a penetration test or installing encryption on mobile devices is simply one part of the risk assessment process, Choate said.
“There are so many other components and so many other levels to a risk assessment,” Choate said.
A penetration test only looks at the network, she explained, whereas a risk assessment looks at how information is collected, how it is used throughout the organization, who has access to it, and whether they should have that level of access. Essentially, a penetration test determines how vulnerable a facility could be to hackers, Choate said.
Phil Curran, Chief Information Assurance and Privacy Officer at Cooper University Healthcare, said that a healthcare organization's failure to understand the risk assessment process can be a setback. If a CE does not understand the process, it will not perform it properly, he said. Agencies such as the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) publish comprehensive guidance and tools (for example, NIST SP 800-30 and the ONC/OCR Security Risk Assessment Tool) that organizations should take advantage of.
Moreover, sometimes a CE will not do any type of follow up after the initial risk assessment to ensure that necessary security changes were made.
“They do the risk assessment and they say, ‘This is a risk. This is what we’re going to do about the risk.’ And then they don’t do any follow up to verify that they’re actually doing what they said that they were going to do. And that is a concern,” Curran said.
Comparing risk assessments from one year to the next is also essential, he said. Processes and technology are always changing, which is why reviewing previous assessments, as well as any audits, is part of a proper risk assessment, according to Curran. This helps CEs see and understand organizational changes, and identify potential gaps from a control perspective. It can also highlight improvements made from one year to the next.
Looking ahead for comprehensive security
All three healthcare IT experts agreed that evolving technology has a definite effect on HIPAA risk assessments.
According to Curran, more devices on a facility's network make the assessment harder simply because there are more things to review.
“Part of the risk assessment is asking where does the data reside or where is the data going to?” Curran said. “So now you have to take into account more types of devices that we are sending data to.”
Moreover, Curran explained that whenever new technology is implemented that stores or transmits data and allows access to electronic PHI, a risk assessment of that technology is supposed to be performed at that point, rather than waiting until the end of the year for the overall risk assessment. The multitude of new devices, however, keeps increasing the number of potential endpoints that assessment has to cover, he said.
Overall, CEs must ensure that risk assessments are not only comprehensive, but also tailored to the organization's workflow. For example, if a facility still uses paper health records, it must understand how that paper flows, according to Choate. Otherwise, the CE opens itself up to potential risk. A good system administrator, privacy officer, or security officer will be able to shape the risk assessment questions so that they fit the facility's workflow.