Brace Yourself — HIPAA Security Risk Assessment Is at Your Door

I’m horrified by the torture organizations go through to prepare for HIPAA audits. To help, I’ve put together the key concepts around risk analysis and the seven steps for getting started.

Do you work for a HIPAA-covered entity or business associate? Then you may be wondering exactly what IT risk assessment is required for HIPAA compliance, why organizations fail to do it properly, and where you should start to pass an upcoming HIPAA audit. Here you will find answers to these questions. Let’s take it step by step.

HIPAA risk assessment: Everyone needs it, but nobody does it properly

IT risk assessment (or “risk analysis” as HIPAA refers to it) is one of the key requirements for HIPAA compliance. It is essential for protecting electronic protected health information (e-PHI) from various cyber threats. Failure to perform continuous security risk assessment can lead to data breaches and failed compliance audits, which, in turn, can result in civil and criminal penalties. To get the idea, just look at the article headings in the news section of the website for the HHS Office for Civil Rights (OCR).

Unfortunately, both breach investigations and desk audits conducted by the OCR show that the lack of proper IT risk analysis and risk management is, and will continue to be, an issue for HIPAA-covered organizations. Even as on-site HIPAA audits approach, organizations struggle to establish enterprise-wide security risk analysis and to respond with proper controls and procedures.

So, what’s the hitch?

  1. IT risk assessment must be continuous. IT risk assessment is a complex, continuous process that requires skills and knowledge to be established and maintained. It is by no means a one-time, set-it-and-forget-it task.
  2. There is no clear workflow. Because so many different types of organizations are subject to HIPAA compliance, the regulation lacks specific guidance on what risk assessment should consist of. Therefore, many organizations that need to comply with HIPAA don’t even know where to start or whether they even understand IT risk assessment the same way OCR does.

What is risk assessment in the context of HIPAA?

According to HIPAA (§ 164.308), risk analysis is:

“An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate”

Its purpose is to identify conditions where e-PHI could be disclosed without proper authorization, improperly modified, or made unavailable when needed.

The HIPAA Security Rule applies to all e-PHI that is created, received, maintained or transmitted by a HIPAA-covered entity, which includes business associates. Moreover, proper IT risk analysis must cover “all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

But even after we are done with all these definitions, it’s still somewhat vague, isn’t it?

Where to start with IT risk assessment

Since the HIPAA Security Rule doesn’t provide exact guidance about what risk assessment must include, it is your responsibility to determine what scope of risk and security assessment would be comprehensive for your organization and how you can achieve it. Of course, risk assessment is such a huge area that you can’t do everything it implies, regardless of your resources. Rather, you must be prepared to prove to auditors that you took all necessary and reasonable measures to protect your e-PHI by identifying risks, assessing their likelihood and impact, and addressing the ones with the highest priority. You also need to have a persuasive explanation of why certain measures are not appropriate for your environment and be able to show the alternatives you adopted.

HHS does offer a document called Guidance on Risk Analysis Requirements, which can give you an idea of what is expected from you from the auditors’ point of view. It suggests including the following elements in your risk assessment:

  1. Identify your e-PHI.

You need to find out what kind of e-PHI your organization deals with, where it is stored, and how it is received, maintained and transmitted. Note that sensitive data has a tendency to spread across multiple systems and applications; it is not necessarily only where you think it is.

  2. Identify external sources of e-PHI.

If you work with partners or vendors with whom you share e-PHI, you should make a detailed list of all your data sources and make sure their security policies are in line with HIPAA.

  3. Identify threats to e-PHI.

There are human, natural and environmental threats to information systems that contain sensitive data. There are plenty of ready-to-use forms that list threats. Find one online and use it as a starting point to reduce the risk of missing something important.

  4. Determine the likelihood, impact and risk level of each threat.

The list of threats is long, so you have to prioritize your security efforts. Auditors will want proof that you worked hard to mitigate the most pressing risks.

  5. Assess your current security measures and update them as needed.

Are your policies and controls sufficient to mitigate the risks you identified as high level? If not, update them to address current threats, and make sure they will also accommodate new circumstances and threats. Repeat this step on a regular basis. Adversaries are tireless and ever-innovative; do your best not to lag behind.

  6. Document everything.

If it has not been documented, it never existed. You need to provide auditors with evidence of compliance for the past 6 years, including everything from risk assessment documentation to policies and log data. Just keep track of everything right from the beginning.

  7. Never stop.

Make the risk assessment process continuous. Re-evaluate your risks every one to three years to ensure you are staying up to date in your efforts and practice.
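
To show how the steps on likelihood, impact and risk level, current security measures, documentation and re-evaluation fit together, the following Python keeps a risk register and reports what needs attention first. It is an added example, not taken from the HHS guidance or from this article's author. The three-point scale, the score thresholds, the use of three years as the review limit, and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed scale, not prescribed by HIPAA
REVIEW_MAX_YEARS = 3   # step 7: upper bound of the one-to-three-year interval
RETENTION_YEARS = 6    # step 6: evidence for the past 6 years

@dataclass
class Risk:
    asset: str           # step 1: system that holds e-PHI
    threat: str          # step 3
    likelihood: str      # step 4, one of SCALE's keys
    impact: str          # step 4, one of SCALE's keys
    controls: list       # step 5: measures currently in place
    last_reviewed: date  # step 7

    def score(self):
        return SCALE[self.likelihood] * SCALE[self.impact]
    def level(self):     # assumed thresholds on the 1..9 score
        return "high" if self.score() >= 6 else "medium" if self.score() >= 3 else "low"

def years_between(earlier, later):  # whole years elapsed between two dates
    return later.year - earlier.year - ((later.month, later.day) < (earlier.month, earlier.day))

def prioritize(register, today):
    """Findings ordered by score, highest first, each with the actions it needs."""
    findings = []
    for r in sorted(register, key=Risk.score, reverse=True):
        flags = []
        if r.level() == "high" and not r.controls:
            flags.append("no control for high risk")
        if years_between(r.last_reviewed, today) >= REVIEW_MAX_YEARS:
            flags.append("review overdue")
        findings.append((r.asset, r.threat, r.level(), flags))
    return findings

def must_retain(record_date, today):
    """True while a record is still inside the six-year evidence window."""
    return years_between(record_date, today) < RETENTION_YEARS

# Constructed sample register; assets, threats and ratings are illustrative.
REGISTER = [
    Risk("EHR database", "ransomware", "medium", "high", ["offline backups"], date(2023, 5, 1)),
    Risk("staff laptops", "device theft", "high", "high", [], date(2024, 2, 10)),
    Risk("fax gateway", "power outage", "low", "medium", ["UPS"], date(2020, 1, 15)),
]

if __name__ == "__main__":
    print(*prioritize(REGISTER, date(2024, 6, 1)), sep="\n")
```

Keeping the dated output of each run alongside the register gives you the kind of evidence trail step 6 asks for.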

Extra reading: The guidance document is largely based on the recommendations of the NIST framework, but it is a good idea to also familiarize yourself with the NIST framework itself. It will definitely be helpful in your compliance endeavors, as it offers an extensive list of IT risk assessment tasks and explanations of how to complete them, as well as a set of templates and examples. And, unlike the many other compliance materials that are vague and hard to follow, NIST is actually a pleasure to read.

Don’t think you will be able to do everything required manually or in-house? There are many solutions on the market that can help. Just be aware that each solution covers only certain areas of compliance and risk assessment, and you need to find what suits your needs best.

Does your organization have to comply with HIPAA? Do you think you are ready to pass an audit? What best practices did you use when conducting IT risk assessment? What have you found to be the most difficult part of IT risk assessment for HIPAA?

Please use the comment section below to share your stories.