The HIPAA Security Risk Assessment The Foundation For Your Practice’s HIPAA Security Compliance Plan

Effective April 21, 2005, all “covered entities” — meaning most health care providers — must be in compliance with the HIPAA Security Rule. Despite the publicity and media coverage of the importance of this and other HIPAA rules, many small- to mid-sized practices have little training in the regulation and its mandates. In fact, many don’t understand the specifics of HIPAA, are not in compliance with its existing requirements, and have no plan to get fully compliant.
Guidance is available on some Web sites, but it is typically written for the largest covered entities that have trained staff dedicated to compliance issues. This guidance tends to be so confusing and overwhelming to many individuals that it may cause them to procrastinate and even skip critical steps. Some practice administrators are under the misconception that HIPAA security issues are being taken care of by their software or billing vendors, and this should not be the case. Some workforce members at small practices don’t even know what “PHI” stands for.

One of the first steps a HIPAA covered entity will face in addressing the impending Security Rule is the completion of its security risk assessment. I refer to this as the foundational risk assessment because it forms the backbone to the covered entity’s entire HIPAA Security Rule compliance plan. The completion of the security risk assessment is not only mandated by the HIPAA Security Rule, it simply makes sense from a resource and effort perspective. You want to make sure your entity’s resources and your mitigation efforts are commensurate to the risks your entity is facing.

The following represents a simple approach to the security risk assessment that even the smallest entity could follow. This approach will enable the entity to identify, analyze, and document risk, and then carry the risk-assessment process through to its completion. Although non-technical staff in your entity can help assess the impact of risks once they are identified, your entity might need the assistance of a technology professional to identify risks that you might not even be aware of. Ideally, your entity will conduct its security risk assessment via a small committee.

Before considering the Risk Assessment process, some preliminary information should be reviewed.

• Risk: The likelihood of a given threat-source exploiting a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
• Risk Assessment: The first step in the entire risk-management process used to determine potential threats and associated risk. The results of the risk assessment will help identify appropriate controls or security measures to reduce or eliminate risk.
• Risk Assessment Committee: Selected staff members charged with completing a risk assessment and documenting the results. Committee members should be from all responsibility levels and areas of the organization.
• Risk-management Process: Comprised of three steps: risk assessment, risk mitigation, and evaluation/review.
• Vulnerability: A weakness in a system that can be accidentally triggered, or intentionally exploited by a threat-source.
• Threat: The potential for a particular threat-source to exploit a vulnerability.
• Threat-source: Threat sources can be natural (flood, fire); environmental (power failure); or human (hacker); and can originate internal or external to the organization.

Approach the security-risk-assessment process in three distinct sections:

• Identify vulnerabilities in all of your IT systems (software, hardware, devices, vendor services, operating systems, etc.), and the threat-sources that can exploit those vulnerabilities: Identify and list each IT system in use and determine how it is vulnerable. For example, a PDA device containing ePHI is an IT system. The ePHI that resides on a PDA is vulnerable because PDA devices are portable and easily lost/stolen. Identify and list the threat-sources that can act on each system. For example, a threat-source to the PDA could be a thief trying to obtain that PDA. More common threat-sources include hackers, fires, floods, viruses, and disgruntled employees.
Identifying IT security vulnerabilities does require expertise in the IT security field. “I didn’t know,” will not be a good defense should an unauthorized disclosure of ePHI take place.
• Assess the likelihood and impact of the threats: Don’t get bogged down in quantifying precise percentages for likelihood. Qualitative terms such as ‘high,’ ‘medium’ and ‘low’ can be used to describe likelihood. You’ll be surprised at how well most staff can qualify IT threats in terms of ‘remote,’ ‘probable,’ and ‘highly likely,’ even without formal IT training. Assessing the impact can be done in qualitative terms as well. Most staff members are capable of measuring impacts in terms of ‘minimal,’ ‘moderate,’ ‘high,’ ‘catastrophic,’ etc. “The loss of our Internet-based EMR system for two days would be catastrophic to our practice.”
• Identify and assess the sufficiency of controls to mitigate those risks: Most entities have some IT controls in place to mitigate risks even though staff members might not recognize them as controls. Having a password policy in place to gain access to the entity’s practice-management software is an example of a very simple IT control. Having a firewall in place to block certain Internet traffic is another example of an IT control. The assistance of a technology consultant with specific training in IT controls might be needed to assess the effectiveness of your entity’s controls or to recommend additional controls that might be needed.
Do not assume that because a vulnerability hasn’t yet been exploited in your entity, that it won’t be in the future.

The steps outlined above three sections should help the risk assessment committee assign a weighted risk value to all of the risks it identifies so that it can focus its resources on the worst risks.

The results of the security risk assessment can be reported in either a narrative or graphical format, or a combination of both. The written documentation should include each meeting and plan of action. This should be kept indefinitely.

The security risk assessment process forms the foundation for an entity’s response to the HIPAA Security Rule. To those who have not done a security risk assessment, the process can seem daunting. By sticking to the basics, however, an entity can prepare a security risk assessment report that can become the roadmap to the remainder of the security rule compliance process. In addition to being mandated by the HIPAA Security Rule, a well-conducted security risk assessment should add value to the entity by ensuring that security measures put in place are justified.

If outside assistance is needed for the project, consider having a security risk consultant act as a coach for the risk assessment committee, walking the Committee through the process, providing feedback, and drafting the risk assessment report.

Sharon A. Blanchette, CPA, MBA, is an independent healthcare IT consultant with Northeast HealthCare IT, LLC, collaborating with the Health Care Services Division of Longmeadow-based Meyers Brothers Kalicka, P.C., Certified Public Accountants and Business Consultants; (413) 567-6101