BreachExchange mailing list archives

Key Reminders For Your HIPAA Security Risk Assessment


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Mar 2015 18:57:22 -0700

http://healthitsecurity.com/2015/03/03/key-reminders-for-your-hipaa-security-risk-assessment/

The HIPAA security risk assessment is an important way for healthcare
organizations to evaluate the potential risks and vulnerabilities within
their facility and how they are adhering to HIPAA. All covered entities and
their business associates must conduct a thorough and accurate risk
assessment to ensure that the electronic protected health information
(ePHI) is secure and being accessed appropriately.

The Department of Health & Human Services (HHS) has its own tool to assist
facilities in their HIPAA security risk assessment approaches, but there
are key reminders to keep in mind as well.

Understanding the HIPAA Security Rule

Before we discuss the intricacies of a HIPAA security risk assessment, it
is essential that a healthcare organization understand the key points of
the Security Rule itself. That way, a covered entity knows what it is
protecting, why it is important, and what consequences could follow should
it not adhere to the Rule.

“The Security Rule operationalizes the protections contained in the Privacy
Rule by addressing the technical and non-technical safeguards that
organizations called ‘covered entities’ must put in place to secure
individuals’ e-PHI,” according to HHS’ website.

The Security Rule is designed to be flexible, meaning that a covered entity
has the ability to create and implement certain policies, procedures, and
technologies that work for its own operations and are appropriate for
protecting the ePHI at that facility. Specifically, a healthcare
organization must ensure the following when working to adhere to the HIPAA
Security Rule:

- Ensure the confidentiality, integrity, and availability of all ePHI they
create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats;
- Protect against reasonably anticipated, impermissible uses or disclosures;
- Ensure workforce compliance.

An important thing to keep in mind about the Security Rule is that covered
entities are able to create security measures that apply to their unique
setup. For example, for an addressable implementation specification, such as
data encryption, an organization must determine if it is reasonable and
appropriate in its environment. If not, then a covered entity must document
why and then provide a comparable security measure.

Analyzing risk for your organization

After understanding the Security Rule, a covered entity can more accurately
create its own HIPAA security risk assessment. As previously mentioned,
this is a federal requirement for all covered entities.

A good starting point is for an organization to first take inventory of all
systems and applications that access and house data. From there, those
systems and applications should be classified by their respective risk
level. An organization must determine where all ePHI is located and stored,
and under which systems it is used.

“A thorough and accurate risk analysis would consider all relevant losses
that would be expected if the security measures were not in place,
including loss or damage of data, corrupted data systems, and anticipated
ramifications of such losses or damage,” according to HHS.

Once all ePHI has been located – including any vendors or business
associates that access that data – a covered entity will be better able to
“prevent, detect, contain, and correct security violations.”

Analyzing the potential risk is an essential aspect of a security risk
assessment. Healthcare facilities should also review the types of
protections currently in place. For example, are there current data
encryption methods? Are there firewalls or anti-malware protection in
place? If not, are there areas that could benefit from such protections?

However, it is important to remember that conducting a risk assessment is
not to be confused with proper risk management. The latter is the “actual
implementation of security measures to sufficiently reduce an
organization’s risk of losing or compromising its e-PHI and to meet the
general security standards.”

Update your risk analysis

Technology changes, which means a covered entity's potential risks could
also change. For instance, if a facility experiences a security incident
after its initial risk analysis, or if new technology is simply introduced,
the organization will likely benefit from a new security approach.

“Risk analysis should be an ongoing process, in which a covered entity
regularly reviews its records to track access to e-PHI and detect security
incidents, periodically evaluates the effectiveness of security measures
put in place, and regularly reevaluates potential risks to e-PHI,” HHS
explains on its website.

It is also a requirement of a facility's administrative safeguards to
perform a periodic assessment of the success of its security measures.
Going back to the data encryption example, perhaps a facility did not see
the need for this security measure initially because it did not incorporate
mobile devices. However, what if that facility implements a BYOD policy?
Suddenly, employees are potentially transporting sensitive data, and data
encryption could be a logical option at this point.

Adhering to HIPAA security risk assessment requirements will not guarantee
that a data breach or other security issue will never occur. When
organizations take the time to develop and implement security measures that
apply to their daily operations, along with meeting federal requirements,
the odds of a security breach will be lessened.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 