To comply with HIPAA, and to successfully attest to the government’s requirements for meaningful use of EHRs, medical practices must conduct a security risk analysis.
Essentially, that means practices must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI), according to the HIPAA Security Rule.
While this process sounds daunting, it may not be as costly or as time-consuming as you think.
During their presentation at this year’s Healthcare Information and Management Systems Society (HIMSS) Conference in Orlando, Fla., Joy Pritts, chief privacy officer at the Office of the National Coordinator, and Johnathan Coleman, principal at Security Risk Solutions, Inc., discussed eight steps to conducting a security analysis. The steps are based on recommendations provided by HHS' Office for Civil Rights (OCR).
"We all know that you can never make something 100 percent secure," said Pritts. "That is not a reasonable goal and that is not what the [HIPAA] Security Rule requires. It requires taking measures that reduce the risk to something that’s reasonable and appropriate."
Step 1: Identify the scope of the analysis. Create a statement identifying the scope of the analysis at your medical practice, said Coleman. That scope should include all the potential risks and vulnerabilities to the confidentiality, availability, and integrity of ePHI that your organization uses, stores, and transmits. If your practice is using mobile devices, be sure to include them. Total failure to account for mobile devices is a common problem cited by OCR, said Pritts.
Step 2: Gather the data. Identify where ePHI is stored, received, maintained, or transmitted at your practice. To accomplish this step, Coleman suggests using information pulled from past or existing projects, and interviewing staff and physicians to determine how they use information.
Step 3: Identify and document potential threats. Document potential threats to ePHI, including:
• Threats involving people with network access (such as hackers);
• Threats involving people with physical access (such as loss and theft);
• Environmental threats (such as natural disasters); and
• System threats (such as spontaneous hardware failure or software defects).
Step 4: Assess current security measures. Determine whether your current security measures to protect ePHI are adequate, said Coleman. Consider:
• Administrative security measures (such as policies);
• Technical measures (such as encryption and automatic log off of computers); and
• Physical measures (such as physical access to computers and theft prevention systems).
Step 5: Determine the likelihood of occurrence. Assess the probability that a threat will trigger or exploit a particular vulnerability, said Coleman. For instance, if your practice is located in an area prone to power outages, that threat should rate high on your risk probability. "Looking at what’s happened in the past is a good indicator" of vulnerability, he said.
To capture this information (and provide documentation of your risk analysis, if necessary), Coleman recommends creating a table listing threats to ePHI, a scenario in which that threat could occur, the possible outcome of that threat, your existing controls to mitigate those risks, and the likelihood that the threat will occur.
Step 6: Determine the potential impact. Determine what potential impact a threat could have on your practice and your patients, said Coleman. Add that information to the table you created in Step 5.
For instance, if one of the threats you have identified is: "Hacker gains access to the network and posts ePHI on a website," the impact you identify might be: "Confidentiality of multiple patient records is jeopardized compromising the practice’s reputation, customer confidence, and leading to financial and legal ramifications."
Step 7: Determine the level of risk. Weigh the likelihood of a threat occurring versus the potential impact of that threat. For instance, if the likelihood that a hacker will gain access to your network is low, but the potential impact on your practice and patients is high, you might rank that level of risk as "medium," said Coleman. Again, document this information.
Step 8: Identify security measures and finalize documentation. Prioritize each risk area according to its overall ranking. Then, identify the actions required to mitigate the risk, said Coleman.
"Document, document, document," he said. "If you have all of this stuff in a binder, not only will you be able to demonstrate your due diligence, but in a year or so when you redo your risk assessment, it will make that repeat assessment much easier to do."