BreachExchange mailing list archives

The HIPAA Risk Assessment: A Journey, Not A Destination


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Mar 2015 12:38:17 -0600

http://healthitsecurity.com/2015/03/19/the-hipaa-risk-assessment-a-journey-not-a-destination/

A HIPAA risk assessment can be an important tool in helping covered
entities determine how best to improve their overall privacy and
security measures. With two large-scale healthcare data breaches
already announced in 2015, it is increasingly important for covered
entities to know where ePHI is actually being stored and used, and to
take appropriate measures to keep it secure.

The HIPAA risk assessment process is a journey rather than a
destination, according to Chris Bowen, MBA, CIPP/US, CIPP/IT, ClearDATA
Founder and Chief Privacy Officer. In an interview with
HealthITSecurity.com, Bowen said it is essential for covered entities
to actually take the risk assessment results and work toward fixing any
weak points that were discovered, rather than just checking off a box
to receive Meaningful Use dollars, for example.

“We’ve discovered that healthcare IT is just underprepared for what they
need to do,” Bowen said. “They need to not only shore up their systems from
a functional perspective and interoperability perspective, but now you
layer on security and other types of controls to that, and they’re just
overwhelmed.”

In general, there are three main reasons a HIPAA risk assessment takes
place, according to Bowen. First, there is the proactive approach, where
third-party organizations come into the picture, review the assessment,
and see what gaps exist and how they can be fixed. For example, if cloud
architecture or storage is being used at all, it is essential that it is
secure.

Another common reason for a HIPAA risk assessment is that a covered entity
is looking for Meaningful Use dollars, Bowen said.

Finally, there is the “never fun scenario.” This is where the Office for
Civil Rights (OCR) has already knocked on a CE’s door and their legal team
asks for help in solving privacy and security challenges.

Best practices for HIPAA risk assessments

One of the key things for facilities to keep in mind, according to Bowen,
is to make sure they actually know where all ePHI is being stored.

“Inevitably, every entity we do a risk assessment for, they say ‘Yeah we
know where our PHI is, here’s the list.’ As we probe, do walkthroughs, ask
other people other questions, we find a ton of PHI nobody even realized was
sitting there,” Bowen said.

Jeff Krull, CPA, CISA, Partner at Baker Tilly Virchow Krause, LLP, agreed,
saying that facilities often focus on their main ePHI application. However,
upon further investigation, there are always other areas that use PHI.

For example, during discussions CEs might reveal that employees will
sometimes email PHI. From there it is discovered that there is a BYOD
policy in place and that the email system can be accessed through a
smartphone. That reveals a “whole other layer of the onion” that needs
to be dealt with in a risk assessment, he said. Krull explained that
with a mindset of just running through a checklist and being done, a
lot of aspects could be inadvertently overlooked.

“Our experience is rarely does that get you to a level of having that
thorough comprehensive risk assessment,” Krull said. “It’s really the
conversations in having those facilitated discussions that get you there.”

Oftentimes, individuals try to rationalize or justify what they have in
the HIPAA risk assessment, and also justify their past decisions, Krull
explained. Instead, the assessment is a tool that finds the risks; the
facility then ranks them and develops a timeline to close them down.

For example, Krull said that when a CE asks whether it is okay not to
encrypt its data, that is a loaded question.

“I would describe it as if your servers are in Fort Knox and not encrypted,
or are in a very secure facility and not encrypted, you can probably build
some controls around that,” Krull said. “If your servers are sitting
unencrypted under somebody’s desk in their office, that’s a totally
different fact pattern.”

Essentially, the HIPAA risk assessment is meant to discover all of the
factors in place and help management understand where the threats and
vulnerabilities exist. If there are any gaps, the CE needs to determine how
it will deal with them.

“That’s why you do it,” he explained. “You do it to uncover the findings
and the risks and go deal with them.”

Going beyond the checklists

Both Bowen and Krull emphasized the importance of running comprehensive
risk assessments and then taking the time to go through the results to make
necessary changes.

According to Bowen, an important starting point is to ensure that the right
people are involved in the process from the beginning. Working with
third parties, such as outside legal counsel, can be beneficial.

“Pick your partners. It’s a circle of trust,” Bowen said. “Figure out who’s
in it and use them. Don’t believe that you have to do everything by
yourself.”

Healthcare organizations need to realize that there are partners in the
marketplace that can help address the challenges that come with the HIPAA
risk assessment, he explained.

Krull added that one of the biggest stumbles a CE can make is not
getting the right people focused on legitimately thinking through the
risks. It can be difficult, but Krull said his biggest takeaway from
conducting risk assessments is that a “good risk assessment isn’t
running a checklist.” Facilities must take the next steps, process what
they found, and work toward eliminating those issues.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
