BreachExchange mailing list archives
Key Reminders For Your HIPAA Security Risk Assessment
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Mar 2015 18:57:22 -0700
http://healthitsecurity.com/2015/03/03/key-reminders-for-your-hipaa-security-risk-assessment/

The HIPAA security risk assessment is an important way for healthcare organizations to evaluate the potential risks and vulnerabilities within their facility and how well they are adhering to HIPAA. All covered entities and their business associates must conduct a thorough and accurate risk assessment to ensure that electronic protected health information (ePHI) is secure and is being accessed appropriately. The Department of Health & Human Services (HHS) offers its own tool to assist facilities with their HIPAA security risk assessment, but there are key reminders to keep in mind as well.

Understanding the HIPAA Security Rule

Before we discuss the intricacies of a HIPAA security risk assessment, it is essential that a healthcare organization understand the key points of the Security Rule itself. That way, a covered entity knows what it is protecting, why it is important, and what consequences could follow should it not adhere to the Rule.

“The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ e-PHI,” according to HHS’ website. The Security Rule is designed to be flexible, meaning that a covered entity has the ability to create and implement the policies, procedures, and technologies that work for its own operations and are appropriate for protecting the ePHI at that facility.

Specifically, a healthcare organization must ensure the following when working to adhere to the HIPAA Security Rule:
- Ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits;
- Identify and protect against reasonably anticipated threats;
- Protect against reasonably anticipated, impermissible uses or disclosures;
- Ensure workforce compliance.

An important thing to keep in mind about the Security Rule is that covered entities are able to create security measures that fit their unique setup. For example, for an addressable implementation specification, such as data encryption, an organization must determine whether it is reasonable and appropriate in its environment. If not, the covered entity must document why and then put a comparable alternative security measure in place.

Analyzing risk for your organization

After understanding the Security Rule, a covered entity can more accurately create its own HIPAA security risk assessment. As previously mentioned, this is a federal requirement for all covered entities (the risk analysis standard at 45 CFR 164.308(a)(1)(ii)(A)). A good starting point is for an organization to first inventory all systems and applications that access and house data. From there, those systems and applications should be classified by their respective risk level. An organization must determine where all ePHI is located and stored, and on which systems it is used.

“A thorough and accurate risk analysis would consider all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage,” according to HHS. Once all ePHI has been located, including any vendors or business associates that access that data, a covered entity will be better able to “prevent, detect, contain, and correct security violations.” Analyzing the potential risk is an essential aspect of a security risk assessment.

Healthcare facilities should also review the types of protections currently in place. For example, are data encryption methods currently in use? Are there firewalls or anti-malware protections in place? If not, are there areas that could benefit from such protections? However, it is important to remember that conducting a risk assessment is not to be confused with proper risk management. The latter is the “actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its e-PHI and to meet the general security standards.”

Update your risk analysis

Technology changes, which means a covered entity’s potential risks can also change. For instance, if a facility experiences a security incident after its initial risk analysis, or if new technology is simply introduced, the organization will likely benefit from a fresh look at its security approach. “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS explains on its website. A facility’s administrative safeguards also require it to perform a periodic assessment of how well its security measures are working.

Going back to the data encryption example, perhaps a facility did not see the need for this security measure initially because it did not use mobile devices. But what if that facility then implements a BYOD policy? Suddenly, employees are potentially transporting sensitive data, and data encryption becomes a logical option at this point.

Adhering to HIPAA security risk assessment requirements will not guarantee that a data breach or other security issue will never occur. When organizations take the time to develop and implement security measures that apply to their daily operations, along with meeting federal requirements, the odds of a security breach will be lessened.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com