For organizations charged with securing sensitive patient and healthcare information, it is essential to be prepared for threats against systems housing electronic protected health information (ePHI). As healthcare providers are increasingly targeted by cybersecurity attacks, new tools have been created and used to conduct risk analysis services. However, many HIPAA risk assessment reports do not comply with the Office for Civil Rights (OCR) guidance on risk analysis, and organizations often struggle to maintain proper risk assessments, hinting that many organizations may not fully understand the HIPAA Security Rule and how to conduct an accurate and in-depth analysis of any potential risks and vulnerabilities as defined by the OCR.

BALLAST can help healthcare organizations conduct proper risk analyses that are compliant with OCR guidelines, ultimately avoiding fines and potentially harmful data breaches. Here are four important steps for organizations to implement in the process.

Understand the Scope

It’s crucial that you have a thorough understanding of the way ePHI flows through your organization. With that knowledge, you should be able to develop a complete and accurate inventory of the systems that receive, store, process, or transmit ePHI. Having this list of critical assets is key to making sure you are considering all of the relevant threats that may put protected data at risk. Have you considered such things as multi-function printer/copiers? Most have hard drives that can lead, and have led, to data breaches. What about network-attached biomedical devices? Give your asset inventory serious consideration and document it in the scope of your assessment. Collect all the data necessary to frame out the business processes, systems, staff members, and third parties that should participate in your assessment.

Don’t Just Do a Gap Assessment Against the HIPAA Security Rule

Unfortunately, this is where many organizations start because, to the uninitiated, it feels like a logical first step. Instead, the standards require, and risk management professionals agree, that you should first consider potential threats. So what are threats? A simple way to think about threats is that they are human, technical, or environmental events that can mean bad things for the confidentiality, integrity, or availability of your systems and data. If you want a comprehensive list, there are several sources you can use, but the National Institute of Standards and Technology (NIST) has a comprehensive list in its publication SP 800-30 (which is also a great resource for risk assessment information in general).

Evaluate Current Safeguards

From administrative to physical to technical elements, organizations must identify and evaluate the current safeguards in place. The lack of a safeguard (or of an effective safeguard) to address an item in your list of likely threats represents a potential vulnerability in your security program. Many organizations utilize an established security control framework at this point in the assessment process to determine if they are following security best practices. Whatever framework you use, it should at least address all of the requirements in the HIPAA Security and Breach Notification Rules, as you will need to be able to demonstrate you have done your best to meet your regulatory obligations.

Document the True Meaning of Your Control Weaknesses

This is about determining the likelihood that one or more of these vulnerabilities will allow a threat (a bad thing that might happen) to actually occur. Once that likelihood is considered, ask: if that bad thing did happen, what is the impact? Would you have to disclose a breach? Would your reputation be damaged? Would you be open to potential fines and penalties? Could patient safety be compromised?

Quantify Your Risk

Once you’ve fully considered your threats, vulnerabilities, existing safeguards, likelihood, and impact, you have the information you need to determine your level of risk related to each threat. Most companies choose a simple three- to five-stage scale (for example, low – moderate – high). Apply these rankings to your threats and you now have a prioritized list you can use to identify areas of your security program that need attention.
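The five steps above, carried through as a small worked example (added here for illustration; this is not BALLAST code). It assumes a hypothetical scoring rule, likelihood multiplied by impact on a 1–3 scale, with an effective safeguard lowering likelihood one step, and uses a constructed asset inventory including the printer and biomedical device cases mentioned earlier.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Threat:
    name: str                   # human, technical or environmental event
    likelihood: int             # 1..3, assessed before safeguards are applied
    impact: int                 # 1..3: breach disclosure, fines, patient safety
    safeguard_effective: bool   # False = missing/ineffective safeguard = vulnerability

@dataclass
class Asset:
    name: str
    handles_ephi: bool          # only assets that touch ePHI are in scope
    threats: List[Threat] = field(default_factory=list)

def risk_level(t: Threat) -> str:
    """Hypothetical rule: likelihood x impact mapped onto low/moderate/high."""
    # An effective safeguard lowers likelihood one step (never below 1);
    # without one, the residual likelihood is the raw assessed likelihood.
    likelihood = max(1, t.likelihood - 1) if t.safeguard_effective else t.likelihood
    score = likelihood * t.impact   # ranges 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"

def risk_register(assets: List[Asset]) -> List[Tuple[str, str, str]]:
    """Scope to ePHI assets, rate each threat, and return rows sorted by risk."""
    rows = [(a.name, t.name, risk_level(t))
            for a in assets if a.handles_ephi
            for t in a.threats]
    order = {"high": 0, "moderate": 1, "low": 2}
    rows.sort(key=lambda r: order[r[2]])   # stable sort keeps input order within a level
    return rows

# Constructed sample inventory; names and ratings are illustrative only.
SAMPLE_ASSETS = [
    Asset("EHR database server", True, [Threat("ransomware", 3, 3, False)]),
    Asset("Multi-function printer", True, [Threat("hard drive disposed of unwiped", 2, 3, False)]),
    Asset("Infusion pump (network attached)", True, [Threat("unauthorized network access", 2, 3, True)]),
    Asset("Clinic workstation", True, [Threat("power outage", 3, 1, True)]),
    Asset("Cafeteria point-of-sale", False, [Threat("card skimming", 2, 2, False)]),
]

if __name__ == "__main__":
    for asset, threat, level in risk_register(SAMPLE_ASSETS):
        print(f"{level:9} {asset}: {threat}")
```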

Pulling it All Together

Obviously, all of this analysis needs to be captured in a report that your management team can use to decide how best to improve security and bring risk down to acceptable levels. While some healthcare organizations have IT professionals who can perform risk assessments, many will not and will need to seek the knowledge and expertise of information security specialists who understand healthcare, healthcare technology, and the HIPAA Security Rule. While HIPAA doesn’t specify who should perform the risk assessment, a tool like BALLAST makes the risk assessment process much simpler, moving the process from manual spreadsheets to an automated, intuitive dashboard system that includes automated remediation tracking and one-click reporting. Above all, risk assessments should be repeated at a frequency that makes sense for your organization and must include all required elements to pass an OCR audit.

Don’t Stop with Assessing—Address Risks

When healthcare organizations complete the risk assessment process and evaluate the identified threats, it is essential to create a work plan that includes the actions, goals, or steps that will need to be taken in response to each area of risk. The work plan should provide proper documentation of compliance efforts, as well as highlight the effectiveness of any risk reduction efforts.

Want to learn how BALLAST can help your organization conduct proper OCR-ready risk analysis, while at the same time simplifying the risk assessment process? Our experts are ready to help! Contact us today.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI, and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.