- The ONC in collaboration with the HHS Office for Civil Rights has developed a Security Risk Assessment tool. This tool is developed to help healthcare providers carry out security risk assessments as mandated by the HIPAA Security Rule.
- To scope the HIPAA risk assessment, take into account all protected health information in every format. Review all relevant documents, such as policies and vulnerability and threat reports.
- A key part of the HIPAA risk assessment template is assessing the impact of potential threats and vulnerabilities on healthcare organizations and facilities. Threats include cyber attacks, data breaches, fraud, and financial losses.
HIPAA (Health Insurance Portability and Accountability Act) compliance requires all covered entities and business associates to maintain the security and privacy of ePHI (electronic Protected Health Information). Its stringent regulations protect healthcare data from fraud, data breaches, and ransomware attacks, the number of which has reached 5150 in the last decade.
To ensure that healthcare data is protected at all times by covered entities (CE) and business associates (BA), a HIPAA risk assessment is conducted by a HIPAA compliance officer or a security officer. The following HIPAA risk assessment template is a guide for vendors, BAs, and CEs on how to conduct a risk analysis and on the essential aspects it must cover.
A Brief on HIPAA Risk Assessment
A HIPAA risk assessment helps healthcare organizations and vendors identify threats, analyze current security measures, and take the steps needed to eliminate or reduce potential threats. The OCR (Office for Civil Rights) issues guidance on the provisions of the HIPAA Security Rule. This guidance helps organizations implement the physical, administrative, and technical safeguards that protect ePHI. Accordingly, the Security Rule requires organizations to examine their vulnerabilities and risks and to implement appropriate security measures that protect data from threats.
A HIPAA risk assessment is the first step in implementing the Security Rule. The Security Rule's implementation specifications are either required or addressable, meaning:
- Required specifications are safeguards, documents, and policies that every covered entity and business associate must have in place.
- Addressable implementation specifications give CEs and BAs flexibility in how they comply. They can decide whether a given security measure is reasonable and appropriate to apply in their environment, and must document that decision.
Security Risk Assessment Tool
According to healthit.gov, the ONC (Office of the National Coordinator for Health Information Technology), in collaboration with the HHS Office for Civil Rights (OCR), has developed an SRA (Security Risk Assessment) tool. The tool is designed to help healthcare providers carry out the security risk assessments mandated by the HIPAA Security Rule and the CMS Electronic Health Records Incentive Program.
The target audience for the Security Risk Assessment Tool is small and medium-sized providers; it may not be suitable for larger healthcare facilities. The SRA is a desktop application that guides users through multiple-choice questions and helps with asset and vendor management and threat assessments. Reports can be printed and saved once the assessment is finished.
Key Terminologies for Risk Assessment
- Vulnerability: As defined by NIST (National Institute of Standards and Technology), a vulnerability is a flaw or weakness in a system's security design, procedures, internal controls, or implementation that could be exercised and result in a violation of the system's security policy. Vulnerabilities are of two types: technical and non-technical. The former include flaws in the development of systems or incorrectly configured systems, whereas the latter include non-existent or inadequate policies, guidelines, or procedures.
- Threat: NIST describes a threat as the potential for a person or thing to trigger (accidentally or intentionally) a vulnerability. Threats can be grouped into human, natural, and environmental. Examples include floods, uploads of malicious software, unauthorized access to ePHI, and power failures.
- Risk: NIST describes risk as a function of the likelihood that a given threat exercises a particular vulnerability and the resulting impact on the organization. It is therefore a combination of multiple factors and events (vulnerabilities, threats, and their consequences).
HIPAA Risk Assessment Template
1. Analyze the Scope of the Risk Assessment
To scope the HIPAA risk assessment, take into account all protected health information in every format. This includes electronic media such as floppy disks, hard drives, smart cards, CDs, portable electronic media, personal digital assistants, etc. Electronic media also includes networks that connect systems across multiple locations.
2. Gather Relevant Data
During data collection, healthcare organizations and vendors must establish where ePHI is stored, transmitted, and maintained. CEs and BAs can gather the relevant data through the following methods:
- Interviewing the Chief Information Officer, users, and the Risk Management Team
- Reviewing past or existing projects and documents, such as IT processes and policies, vulnerability and threat reports, classified information, and incident reports
- Using data gathering tools and techniques as needed
- Visiting hospital and clinic sites
Note: All the data collected is documented for further assessment. Record the level of sensitivity for each data type; for instance, test results (radiology, lab) are highly sensitive data, whereas a PPE inventory is low-sensitivity data.
3. Identify Threats and Vulnerabilities
The third step of the HIPAA risk assessment template is to identify and document all the potential threats and vulnerabilities faced by healthcare organizations and vendors. Threats can be specific to an organization's circumstances, or may be triggered or exploited by a third party. Some common vulnerabilities and threats to ePHI include:
- Staff misconduct
- Improper data disposal
- Unsecured devices
- Improper ePHI disclosures
4. Check Current Security Measures
Check whether all the security measures used to protect ePHI are in place. Measures differ with the size of a healthcare organization. For example, a small clinic will have fewer threats and vulnerabilities to check than a large multi-specialty hospital. Smaller hospitals and clinics have fewer variables to consider, and the requirements for confidentiality, availability, and integrity of healthcare data will differ from facility to facility.
Aspects to check can be technical or non-technical. These include:
- Access control
- Audit controls
- Automatic log-offs
- Policies and procedures
- Physical security measures
5. Determine the Impact of Potential Threats
Consider the impact of potential threats and vulnerabilities on healthcare organizations and facilities. Assess the extent to which the organization could be affected by each potential threat. CEs and BAs may use qualitative or quantitative methods to determine the impact. Consider the following impacts as a starting point:
- Complete loss of health data or ePHI
- Financial losses
- Unauthorized access to healthcare data
- Loss of physical assets
- Temporary downtime of the servers
6. Determine the Level of Risk
Next on the HIPAA risk assessment template is to assign a risk level to every threat and vulnerability identified. For example, risk can be scored on a scale from 0 to 10 and the scores grouped into low, medium, and high risk levels. A HIPAA risk assessment can be conducted at different times, for instance before software installation, after software implementation, after a breach, and as part of periodic reviews.
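The following is an added worked example (not from the original article or any official HIPAA tool) of steps 5 and 6 above: a small risk register built from the threats listed in step 3, scored on the article's 0 to 10 scale and grouped into low, medium, and high. The likelihood and impact values, the sensitivity cap from the step 2 note, the halving of likelihood when a control is already in place (step 4), and the band thresholds are all constructed assumptions that a real assessment would replace with its own.

```python
"""Risk register scoring for the HIPAA risk assessment steps above.

Assumptions (not from the article): likelihood and impact are rated 1..5,
an existing control halves likelihood, low-sensitivity data caps impact at 2,
and the 0..10 score is banded as low (<4), medium (4..7), high (>=7).
"""
from dataclasses import dataclass


@dataclass
class RiskItem:
    threat: str             # threat/vulnerability identified in step 3
    asset: str              # ePHI store affected (constructed example)
    sensitivity: str        # "high" or "low", as recorded in step 2
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (complete loss of ePHI)
    control_in_place: bool  # step 4: is an existing safeguard documented?


def risk_score(item: RiskItem) -> float:
    """Return a score on the article's 0..10 scale (step 6)."""
    likelihood = item.likelihood / 2 if item.control_in_place else item.likelihood
    # Low-sensitivity data (e.g. a PPE inventory) cannot produce a severe impact.
    impact = item.impact if item.sensitivity == "high" else min(item.impact, 2)
    raw = likelihood * impact          # ranges 0.5 .. 25
    return round(raw * 10 / 25, 1)     # rescale to 0 .. 10


def risk_level(score: float) -> str:
    """Map a 0..10 score to the article's low/medium/high bands (thresholds assumed)."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


# Constructed register entries using the threat categories the article lists in step 3.
REGISTER = [
    RiskItem("Unsecured devices", "radiology workstation laptop", "high", 4, 5, False),
    RiskItem("Improper data disposal", "retired hard drives", "high", 4, 5, True),
    RiskItem("Staff misconduct", "lab results database", "high", 2, 5, True),
    RiskItem("Improper ePHI disclosures", "PPE inventory spreadsheet", "low", 3, 4, False),
]


def prioritised(register):
    """Return (score, level, threat) tuples, worst first, for the step 7 document."""
    scored = [(risk_score(i), risk_level(risk_score(i)), i.threat) for i in register]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, level, threat in prioritised(REGISTER):
        print(f"{score:>4}  {level:<6}  {threat}")
```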
7. Finalize the Risk Assessment Document
There is no fixed format for documenting the risk assessment, but all the threats, vulnerabilities, potential risks, and impacts have to be recorded in the document. Also document the factors that shape the security measures, such as organizational policies, the effectiveness of existing security measures, and the regulatory requirements for implementing the Security Rule.
8. Conduct Periodic Reviews and Updates of Risk Assessment
HIPAA risk analysis must be an ongoing process and should be repeated periodically to maintain the privacy and security of ePHI. The Security Rule does not specify how often an update is needed; that is left to the covered entity. It can be conducted bi-annually, annually, or once every 2 years. Ideally, whenever new technology or a new business operation is planned, perform a risk assessment right away, as this reduces the burden of performing it at a later date.
HIPAA risk analysis is an essential step for covered entities and business associates in safeguarding ePHI. Accordingly, every piece of healthcare software, every website, application, and hardware component must be made HIPAA compliant. Failure to do so can result in penalties, criminal charges, and fines that can run into millions, depending on the scope of the violations.
Mandating risk analysis not only prevents penalties, but also reassures patients that their data, and their privacy, are in safe hands. So, to use only HIPAA-compliant healthcare software in your organization, get in touch with Arkenea, a top-notch healthcare software development company that specializes in developing custom healthcare software that complies with HIPAA, HITECH, and other regulatory rules.