Conducting a risk assessment is a foundational step for HIPAA compliance, and many healthcare IT professionals spend a lot of time working to meet the compliance standards. However, conducting a risk analysis simply for the sake of becoming HIPAA compliant can create blind spots to the new and emerging threats that cybercriminals are using to attack healthcare organizations.

As we’ve discussed before, it can be easy to overlook certain things when protecting patient health information. It’s critically important that a risk assessment is conducted with the latest emerging cybersecurity threats for healthcare in mind. That means identifying and working to reduce risk by proactively making sure all systems and security patches are up to date and that administrative and technical controls are working properly.

Key Details to Consider for Effective HIPAA Risk Assessments

What are the important details healthcare organizations can’t afford to overlook? Here are a few we’ve been pushing our clients to consider:

  1. Locating ALL of your PHI data (including data held by any vendors or business associates). Today’s healthcare organizations must determine where all PHI is located and which systems are involved in receiving, processing, storing, and/or transmitting that data. According to HHS, “a thorough and accurate risk analysis would consider all relevant losses.” Knowing what can go wrong must start with knowing where the data you need to protect is located.
  2. Conducting risk assessments when you change software or hardware. As technology changes, your potential risks could also change. For instance, if new technology is being adopted by your hospital, it should also be considered. This includes taking an inventory of assets that may be related to health data, including medical devices—but also office equipment, such as scanners, printers, fax machines, and copiers.
  3. An in-depth description of the types of protection currently in place. Don’t be deceived—a gap assessment against a control framework is NOT an acceptable risk assessment in the eyes of the OCR. However, control frameworks such as the NIST Cybersecurity Framework or ISO 27001/27002 are fantastic guides for making sure you are considering a comprehensive set of controls to address your unique threats. Frameworks also help you articulate your security program to your executive teams, your employees, and importantly—the regulators.

Key Questions to Consider for Effective HIPAA Risk Assessments

  1. Do we have up-to-date workflows that inform us as to where PHI lives in our organization, or are we relying on “institutional knowledge” or gut feeling about what needs protecting and where?
  2. Have we considered (and documented) a list of likely threats to the confidentiality, integrity, and/or availability of PHI in the environment?
  3. Based on our application of, and adherence to, a control framework, have we identified where we are vulnerable? In other words, do we have broken security processes that are not addressing our threats?
  4. Are we informing our decisions on risk (and what to do about it) by considering the likelihood that our vulnerabilities will be exploited and the impact if they are?
  5. Have we documented all of this and shared it with decision-makers in our organization, and are we creating and executing action plans to reduce our risk?

How BALLAST Can Help Simplify the Risk Assessment Process

When it comes to effectively conducting a HIPAA risk assessment in 2018, every small detail matters. This can make the idea of managing the process seem even more overwhelming. But, it doesn’t have to be that way. BALLAST was built with the latest regulatory requirements and control frameworks to help healthcare IT professionals simplify the risk assessment process and manage even the smallest of details.

With BALLAST, you can easily identify and automate the necessary remediation tasks identified through an assessment. You can also upload assessment artifacts as evidence of control effectiveness to show you’re taking the appropriate steps to mitigate potential risks. BALLAST also gives larger healthcare systems the ability to track assessments over multiple facilities.

To learn more about how BALLAST can help make the risk assessment process simpler for your hospital or healthcare organization, click here to get a custom quote.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI, and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.