The HIPAA Security Rule requires healthcare providers to routinely conduct risk assessments on the safeguards they have in place for their patients’ protected health information (PHI)—and for good reason. Data breaches can be crippling for a healthcare provider, not to mention damaging to patients.

However, just because risk assessments have become a regular part of the job for healthcare IT professionals, that doesn’t mean they’re easy.

3 Challenges Hospitals Face With Protected Health Information (PHI) Risk Assessments 

Here are three common challenges we see in our work with healthcare institutions across the country:

  • IT departments aren’t equipped or positioned to be successful. In many cases, risk assessments are difficult to manage internally, because the staff responsible for conducting the assessment are often busy with other tasks. Additionally, the same people who are responsible for conducting the risk assessment are also the ones managing the day-to-day activities required for compliance. That proximity to day-to-day operations makes it difficult for them to form a holistic and objective view of the hospital’s actual level of risk.
  • Spreadsheet-based checklists aren’t customized for your specific needs. Checklists are designed for guiding healthcare providers in small- to medium-sized offices rather than larger organizations. Beyond that, checklists are not true risk assessments and don’t meet the requirements specified by the Office of Civil Rights (OCR). While most risk assessments have steps in common, there is no single method that guarantees compliance for every institution. Therefore, knowing exactly what your hospital needs to do to ensure compliance can’t be done by simply downloading a checklist.
  • Checklists aren’t actionable. Another problem with using manual checklists or Excel spreadsheets to manage the risk assessment process is that they don’t make resolving the issues you identify any easier. While helpful for identifying potential risks and threats, manual checklist tools do not supply actionable risk implementation and remediation steps. You’re still stuck with all the heavy lifting when it comes to managing the process of meeting regulatory requirements.

Introducing A Better Way to Conduct PHI Risk Assessments 

At LBMC Information Security, we’ve walked alongside hundreds of healthcare providers to conduct risk assessments and ensure compliance. And, we’ve seen how taxing the process can be for the IT professionals responsible for managing the action plan. That’s why we created BALLAST.

With BALLAST, healthcare providers can eliminate the guesswork and heavy lifting of managing the risk assessment process for their protected health information. Whether you’re a small community hospital, a multi-affiliate healthcare network, or a nationally-recognized research hospital, the tool is customized for your specific requirements. It also makes it easy to manage the remediation process with real-time dashboards and one-click reports for your auditors and regulators.

Click here to take a free product tour and learn more about how BALLAST can help you manage the PHI risk assessment process.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.