Prioritizing HIPAA Compliance Efforts
by Tod Ferran
Risk analysis is crucial to assess your organization’s potential compliance vulnerabilities, threats, and risks to protected health information (PHI). To begin, you need to know how patient data flows within your organization. There are four main locations to consider:
- Where PHI enters your environment: Identify all PHI inputs.
- What happens to PHI in your environment, including where it is stored: Does it go directly to accounting? Is it automatically stored in your EHR? If it is emailed, is it encrypted?
- Where PHI leaves your environment: If PHI leaves your organization, you must ensure that it is transmitted or destroyed securely.
- Where does PHI leak? Find the gaps by creating a PHI flow diagram.
Next, you must identify:
- Your vulnerabilities: You can fix flaws in components, procedures, design, implementation, or internal controls (e.g., computer screens in view of public patient waiting areas).
- Your threats: Most threats are out of your control, but you should identify them to assess the risk. Examples include:
  - Geological threats, such as landslides, earthquakes, and floods
  - Hackers downloading malware onto a system
- Your risks: This is the probability that a particular threat will exercise a particular vulnerability.
For example, in a system that allows weak passwords, the vulnerability is that the password is easily attacked. The threat is that a hacker could break into the system. The risk is the probability of a hacker exploiting this weakness.
Now, decide what risks could or will affect your organization. Consider:
- Likelihood of occurrence: Just because you are threatened doesn’t necessarily mean it will affect you. For example, the likelihood of a tornado striking is higher in Texas than in Vermont.
- Potential impact: For example, allowing a patient to accidentally view PHI on a computer screen probably won’t have as big an impact as a hacker attacking your unsecured Wi-Fi.
Every vulnerability and associated threat should be given a risk level (high, medium, or low) to prioritize security problems.
Next, create a risk management plan to work through the issues discovered in the risk analysis, and to prove your acknowledgement (and correction) of PHI risks and HIPAA requirements. Items included in a risk management plan vary, and may include:
- Each HIPAA rule and its corresponding resolution
- Risk level assigned in your Risk Analysis
- Date completed
- Completed-by section (great where two or more people are completing a Risk Management Plan together)
- Notes section, if you want to jot a reminder for later
- All plans should include all HIPAA Security, Privacy, and Breach Notification requirements
Plan what you’re going to do about the risks you identified in your Risk Analysis. Start with the top-ranked risks and identify the security measure that fixes that problem.
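The scoring and planning steps above, worked through as an added example (not the author's own tool): each vulnerability/threat pair is rated for likelihood and impact, bucketed into high/medium/low, ranked so the top risks come first, and turned into risk management plan entries with the fields listed above. The register entries, the 1-3 scoring scale, the thresholds and the rule labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed example: likelihood and impact are each scored 1 (low) to 3 (high);
# risk = likelihood x impact, then bucketed into the article's three levels.

@dataclass
class RiskItem:
    vulnerability: str          # the flaw you can fix
    threat: str                 # what could exercise it (mostly outside your control)
    likelihood: int             # 1-3: chance the threat exercises the vulnerability
    impact: int                 # 1-3: consequence to PHI if it does
    hipaa_rule: str             # rule the item maps to (labels are constructed)
    resolution: str = ""        # security measure chosen to fix the problem
    completed_on: Optional[date] = None
    completed_by: str = ""
    notes: str = ""

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        # 6-9 -> high, 3-4 -> medium, 1-2 -> low (assumed thresholds)
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"

def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Top-ranked risks first; ties broken by impact, so remediation starts there."""
    return sorted(items, key=lambda r: (r.score(), r.impact), reverse=True)

def plan_rows(items: List[RiskItem]) -> List[dict]:
    """One risk management plan entry per item, with the fields the article lists."""
    return [{
        "rule": r.hipaa_rule, "resolution": r.resolution, "risk_level": r.level(),
        "date_completed": r.completed_on.isoformat() if r.completed_on else "open",
        "completed_by": r.completed_by, "notes": r.notes,
    } for r in prioritize(items)]

# Constructed register built from the article's own examples.
REGISTER = [
    RiskItem("weak passwords allowed", "hacker breaks into the system", 3, 3,
             "Security Rule: access control", "enforce password policy",
             date(2024, 1, 15), "IT", ""),
    RiskItem("screens visible from waiting area", "patient views another's PHI", 3, 1,
             "Privacy Rule: minimum necessary", "privacy filters; reposition monitors"),
    RiskItem("unsecured Wi-Fi", "hacker attacks the network", 2, 3,
             "Security Rule: transmission security", "WPA2/3 with separate guest SSID"),
    RiskItem("single-site facility in Vermont", "tornado destroys records", 1, 3,
             "Security Rule: contingency plan", "off-site encrypted backups",
             notes="likelihood would be rated higher in Texas"),
]
```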
Finally, it’s time to implement. Documentation is vital: If you don’t document, you can’t prove that you’ve performed a complete and thorough risk analysis.
Bio: Tod Ferran is a Security Analyst for SecurityMetrics, Inc. With his 25 years of IT security experience, he provides security consulting services and HIPAA/PCI compliance assessments for organizations throughout the United States and across the globe. Prior to joining SecurityMetrics, Ferran served as president of several successful managed service providers and directed software/security development teams in the US, India, and the Netherlands.