Prioritize HIPAA Compliance Efforts
By Tod Ferran
Find your risks, and then implement security measures to remedy them.
Having a successful HIPAA risk analysis and risk management plan will help you to maintain compliance within your organization. Unfortunately, many organizations are unprepared to tackle the project, and either give up or lose focus on what’s important. Don’t let your organization become a statistic! By prioritizing HIPAA compliance, you’ll soon be on your way to accurately assessing your organization’s security posture and developing a successful plan for managing risk.
Start with a Risk Analysis
A risk analysis is a prerequisite to your organization's HIPAA Security Rule compliance efforts; it is the first required implementation specification of the Security Management Process standard (45 CFR 164.308(a)(1)(ii)(A)), and the risk management plan that follows is the second (164.308(a)(1)(ii)(B)). Its purpose is to assess the vulnerabilities, threats, and resulting risks to the protected health information (PHI) your organization creates, receives, maintains, or transmits. Let's dive into a methodology for conducting a risk analysis the U.S. Department of Health & Human Services (HHS) would be proud of.
Step 1: Set Your Scope by Identifying PHI Flow
To set your scope on the areas within your organization that must be secured, you have to understand how patient data flows within your organization. If you know every place PHI is created, received, transmitted, and stored, you can better safeguard those places.
There are four main locations to consider when defining your scope:
Where does PHI enter your environment?
Identify all PHI inputs to determine exactly where security should begin at your organization.
When considering the origins of PHI, think of both new and existing patient records. For example, PHI can begin with patients filling out their own information on your paper forms or with business associates requesting information about a current or former patient.
What happens to your PHI, and where is it stored?
It’s not enough to know where PHI begins. You must know exactly what happens to it once it enters your environment:
- Does it go directly to accounting?
- Is it automatically stored in your electronic health record?
- If it is emailed, is it encrypted?
To understand what happens to PHI in your environment, note all hardware, software, devices, systems, and data storage locations touching PHI in any way. Also note all human contact with PHI.
Where does PHI leave your environment?
Many workforce members forget they must protect PHI throughout its entire lifecycle. That includes when it leaves your hands. If PHI leaves your organization, it’s your job to ensure it’s transmitted or destroyed in the most secure way possible.
Where does PHI leak?
Once you've identified your organization's PHI lifecycle, look for gaps in security along it. In particular, look for weaknesses in the environment that would let unsecured PHI leak out of, or enter, your organization without being controlled: an unencrypted email path, a fax machine in a hallway, a vendor connection nobody inventoried.
The best way to find all possible leaks is by creating a PHI flow diagram. Essentially, a PHI flow diagram documents all the information you found above and lays it out in a graphical format. A PHI flow diagram isn’t a requirement, but it’s a lot easier to understand PHI trails when looking at a diagram, such as the one at http://blog.securitymetrics.com/2014/11/diagrams-help-hipaa-audits.html.
Step 2: Identify Vulnerabilities, Threats, and Risks to PHI
Once you know where PHI is stored and how it flows within your organization, the next step is to identify any problems within that scope.
Problems to look for:
- What vulnerabilities exist in the system, applications, processes, or people?
- What threats — internal, external, environmental, and physical — exist for each of the vulnerabilities you identified?
- What is the probability of each threat exercising a specific vulnerability, and what would the impact be if it did? Together, those two factors are the risk.
What are your vulnerabilities?
Something that is vulnerable is flawed in some way, be it a component, procedure, design, implementation, or internal control. Unlike threats, vulnerabilities are within your control, so they must be fixed or mitigated.
Examples of vulnerabilities seen while conducting HIPAA risk analysis:
- Unpatched operating system software
- Website coded incorrectly
- Lack of office security policies, or failure to follow established policies
- Misconfigured Internet security or no firewall
- Computer screens in view of public patient waiting areas
What are your threats?
A threat is the potential for a person or thing to trigger an existing vulnerability. Generally, threats are difficult to control. Although most threats remain out of your control to change, they must be identified and assessed for risk. Your location, organization size, and the systems you run all shape which threats apply to you.
Examples of threats I’ve seen while conducting HIPAA risk analysis include:
- Geological threats, such as landslides, earthquakes, and floods
- Hackers downloading malware onto a system
- Inadvertent data entry or deletion of data
- Power failures
- Chemical leakage
- Workforce members
- Business associates
What are your risks?
Risks are the probability a particular threat will exercise a particular vulnerability, and the resulting impact on your organization.
In a system that allows weak passwords, for example, the vulnerability is the weak password policy, because the resulting passwords are susceptible to guessing and cracking. The threat is a hacker cracking a password and breaking into the system. The risk is the probability of a hacker exploiting this weakness combined with the impact of the break-in, such as the number of patient records reachable from that account.
Other examples of risks seen during HIPAA risk analysis include:
- Unencrypted laptop ePHI. There is an extremely high probability (high risk) that whoever finds or steals a lost laptop can read the unencrypted electronic PHI (ePHI) on it, because no password prompt protects data on an unencrypted disk once the drive is removed or booted from other media.
- Windows XP machine with access to the Internet. There is an extremely high probability (high risk) that an external hacker will exploit known, unpatched security flaws in the unsupported operating system using malicious software to gain access to PHI.
Analyze HIPAA Risk Level and Potential Impact
After identifying any possible security problems in your organization, it’s time to decide what risks could and will impact your organization. To analyze your risk level, first consider:
- Likelihood of occurrence: Just because you’re threatened by something, doesn’t necessarily mean it will affect you. For example, an organization in Texas or Vermont could be struck by a tornado; however, the likelihood of a tornado striking Texas is much higher. So the Texas-based organization’s tornado risk level is higher than the Vermont-based organization’s risk.
Here's another example: Two organizations, one a large hospital group in New York City and the other a single provider office in Wyoming, both allow remote access over the Internet without two-factor authentication and with a weak password. The risk is the same for both: extremely high! Attackers scanning the Internet for exposed remote-access services do not care how large the target is, so likelihood does not shrink with organization size.
- Potential impact: What is the effect the risk you’re analyzing will have on your organization? For example, although a computer screen might accidentally show ePHI to a patient in the waiting room, it probably won’t have as big of an impact as a hacker attacking your unsecured Wi-Fi and stealing all your patient data.
Every vulnerability and associated threat should be given a risk level, typically assigned as high, medium, or low. By documenting this information, you’ll have a prioritized list of all security problems at your organization.
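The likelihood-times-impact scoring described above, turned into a small risk register that produces the prioritized list. This is an added example, not code from the article or from SecurityMetrics; the 1-3 scales, the score-to-level thresholds, and the sample register entries (built from the vulnerabilities and threats the article mentions) are illustrative assumptions, not findings about any real organization.

```python
"""Risk register scoring: rank each vulnerability/threat pair by likelihood x impact.

Added example, not from the article. The 1-3 scales, the score-to-level
thresholds, and the sample entries below are assumptions chosen for
illustration; pick scales that fit your own analysis and document them.
"""
from dataclasses import dataclass

# Ordinal scales (assumed): 1 = low, 2 = medium, 3 = high.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskItem:
    vulnerability: str
    threat: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT


def risk_score(likelihood: str, impact: str) -> int:
    """Return likelihood x impact on a 1-9 scale (assumed scoring method)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a 1-9 score to the High/Medium/Low bands the article uses.

    Thresholds are assumed: 6-9 High, 3-4 Medium, 1-2 Low.
    """
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(register):
    """Return (level, score, item) tuples, highest risk first, with a stable
    tie-break on the vulnerability name so the ordering is reproducible."""
    scored = []
    for item in register:
        score = risk_score(item.likelihood, item.impact)
        scored.append((risk_level(score), score, item))
    return sorted(scored, key=lambda t: (-t[1], t[2].vulnerability))


# Constructed sample register drawn from the vulnerabilities and threats the
# article lists; the likelihood/impact ratings are illustrative, not findings.
SAMPLE_REGISTER = [
    RiskItem("Unencrypted ePHI on laptops", "Laptop lost or stolen", "high", "high"),
    RiskItem("Unsupported OS (Windows XP) with Internet access",
             "External attacker exploits unpatched flaw", "high", "high"),
    RiskItem("Remote access without two-factor auth, weak password",
             "Credential guessing from the Internet", "high", "high"),
    RiskItem("Workstation screens visible from waiting room",
             "Patient shoulder-surfs another patient's ePHI", "medium", "low"),
    RiskItem("PHI discarded in regular trash", "Dumpster diving", "medium", "medium"),
    RiskItem("Data center on a flood plain", "Flood", "low", "high"),
]

if __name__ == "__main__":
    for level, score, item in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {score}  {item.vulnerability} / {item.threat}")
```

The three Internet-facing or portable-device items land at the top with the same score, the flood sits in the middle despite its high impact because its likelihood is low, and the waiting-room screen ranks last. Whatever scales you choose, write them down in the analysis itself; an auditor needs to see why a Medium is a Medium, not just that it is one.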
Create Your Risk Management Plan
The risk management plan is the compliance step that works through the issues discovered in the risk analysis. It is also the documented record that shows you acknowledged each PHI risk and HIPAA requirement, and what you did to address it.
Although the risk analysis outcome should directly feed into a risk management plan, your plan should also include all HIPAA security, privacy, and breach notification requirements. For example, identifying and documenting job roles are HIPAA requirements, but this information doesn’t necessarily come from a risk analysis.
Although specific items included in a risk management plan vary, here are a few industry best practices to include:
- Each HIPAA requirement and how you address it
- Risk level assigned in your risk analysis
- Date completed (for both HHS documentation and your own records)
- Completed by section (great for practices where two or more people are completing a risk management plan together)
- Notes section (in case you want to jot a reminder for later)
Consider defining a timeline for HIPAA goals in your plan, like so:
- When do you want to complete your risk analysis?
- When do you want to complete your risk management plan?
- When do you want to train employees?
Identify Top Security Measures
The most important part of your risk management plan is what you do about the risks identified in the risk analysis. Start with the top-ranked risks and identify the security measures that fix those problems. For example, if your risk is employees throwing PHI in the trash, your security measures could be quarterly employee security training and replacing trash cans with shredders.
Implement, Rinse, Repeat
Once your risk management plan is complete, it’s time to implement it. A prioritized HIPAA compliance plan is a rinse-and-repeat process. One of the most important parts of HIPAA is documentation. If you don’t document, you can’t prove to HHS that you’ve performed a complete and thorough risk analysis. They will want to see documentation, your risk management plan, and monthly progress on addressing the items identified in that risk management plan.
Tod Ferran is a security analyst for SecurityMetrics, Inc. With his 25 years of IT security experience, he provides security consulting services and HIPAA/PCI compliance assessments for organizations throughout the United States and across the globe. Prior to joining SecurityMetrics, Ferran was president of several successful managed service providers and directed software/security development teams in the United States, India, and the Netherlands.