Kevin Atkins, CAHIMS
Engagement Manager
HealthPOINT at Dakota State University
What to expect from a HIPAA Security Risk Assessment (SRA)
Objectives
Discuss HIPAA Requirements for a SRA
Define what constitutes a risk
Identify the elements of an SRA
Origins of Security Risk Assessment
HIPAA Security Rule
Proposed in 1998; enacted in 2003
Mandatory in 2006
45 CFR (Code of Federal Regulations) Part 160
Subparts A & C of Part 164 (164.302 – 318)
Health Information Technology for Economic and Clinical (HITECH) Act
Office for Civil Rights (OCR) responsible for guidance and enforcement
Purpose of Security Rule
Establishes national standards to protect ePHI
Includes Implementation Specifications
Requires Administrative, Physical, and Technical safeguards
Ensures confidentiality, integrity, and security of ePHI
All ePHI created, received, maintained or transmitted is subject to Security Rule
Requires entities to:
Evaluate risks and vulnerabilities
Implement reasonable and appropriate security measures to reduce those risks
HIPAA Requirements
Security Management Process Standard
164.308(a)(1)
Four required Implementation Specifications
164.308(a)(1)(ii)(A)
Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
HIPAA Definitions
Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
Threat
The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Natural (floods, earthquakes, tornadoes)
Human (hacking, unauthorized access)
Environmental (power failure, chemicals, pollution)
HIPAA Definitions
Risk
NIST SP 800-30: “The net mission impact considering (1) the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and (2) the resulting impact if this should occur”.
Risks arise from legal liability or mission loss due to:
• Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
• Unintentional errors and omissions
• IT disruptions due to natural or man-made disasters
• Failure to exercise due care and diligence in the implementation and operation of the IT system.
HIPAA Definitions
IN OTHER WORDS!!
In order to have a risk you must have:
An asset (something of value) AND
A threat (typically something external) OR
A vulnerability (typically something internal)
If any of these are taken away, there is no risk!
SO
Risk is a function of:
(1) The likelihood of a given threat triggering or exploiting a particular vulnerability
(2) The resulting impact on the organization
Risk-Level Matrix
Sample risk-level matrix
Discussion item: Low-level threat, but DEVASTATING impact. The chart shows low risk. Agree or disagree? Why?
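The discussion item can be worked through in code. This is an added example, not part of the original slides: it applies the NIST SP 800-30 likelihood-times-impact matrix to a few constructed risk-register entries (asset, threat, vulnerability triples). The numeric scales (likelihood 1.0/0.5/0.1, impact 100/50/10, bands High >50, Medium >10, Low otherwise) are the ones from the 2002 edition of SP 800-30 and are an assumption here; the register entries are constructed.

```python
# Added example: a NIST SP 800-30 style risk-level matrix for a HIPAA SRA.
# Scales below are assumed from the 2002 edition of SP 800-30.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood the threat exploits the vulnerability x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score to the SP 800-30 bands: >50 High, >10 Medium, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_matrix() -> dict:
    """Full 3x3 matrix keyed by (likelihood, impact) -> risk level."""
    return {(l, i): risk_level(risk_score(l, i)) for l in LIKELIHOOD for i in IMPACT}


def assess(register: list) -> list:
    """Score register entries and sort them highest risk first."""
    rows = []
    for entry in register:
        score = risk_score(entry["likelihood"], entry["impact"])
        rows.append({**entry, "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (asset / threat / vulnerability triples).
SAMPLE_REGISTER = [
    {"asset": "Billing database", "threat": "Ransomware",
     "vulnerability": "Unpatched server", "likelihood": "Medium", "impact": "High"},
    {"asset": "Laptop with ePHI", "threat": "Theft",
     "vulnerability": "No disk encryption", "likelihood": "High", "impact": "Medium"},
    # The discussion item: a rare natural threat with devastating impact.
    {"asset": "Clinic data center", "threat": "Tornado",
     "vulnerability": "No off-site backup", "likelihood": "Low", "impact": "High"},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["asset"]:20} {row["level"]:7} ({row["score"]})')
```

The tornado entry scores 0.1 x 100 = 10, which the bands rate as Low, even though the organization could not survive the event; that is the weakness of a pure likelihood-times-impact matrix and why a reviewer is allowed to override the computed level in the final report.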
Qualitative vs Quantitative
Quantitative Assessment
Cons: Exhaustive, costly, time-consuming
Pros: Identify greatest risk based on financial impact
Qualitative Assessment
Cons: Subjective, value of loss not quantified
Pros: More common, quicker to complete, focus is on understanding the risk
Qualitative & Quantitative tools
Qualitative
Delphi Technique: risk brainstorming – identify, analyze, evaluate risk on individual and anonymous basis.
Structured What-If Technique (SWIFT): team-based approach – uses “What If” considerations.
https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
HealthPOINT: hybrid approach (qualitative on the front end, quantitative on the back end; the quantitative algorithm can be overridden in the final report).
Quantitative
Financial sector, chemical process industry, explosives industry (Wikipedia)
https://en.wikipedia.org/wiki/Quantitative_risk_assessment_software
Elements of a Security Risk Assessment: Scope
Includes potential risks and vulnerabilities to the confidentiality, availability and integrity of ALL ePHI that an organization creates, receives, maintains, or transmits. [164.306(a)]
**REMEMBER** ePHI IS more than medical records
Billing information
Appointment information
Insurance claims information
Reports
What am I forgetting?
Elements of a Security Risk Assessment: Data Collection
Create an ePHI Inventory
Must identify (and document) where the ePHI is stored, received, maintained or transmitted.
Where to look for ePHI
Elements of a Security Risk Assessment: Identify and Document Potential Threats and Vulnerabilities
Identify and document reasonably anticipated threats to ePHI:
Unique to the circumstances of the environment
If exploited, create a risk of inappropriate access or disclosure
Elements of a Security Risk Assessment: Assess Current Security Measures
Assess and document the security measures used to safeguard ePHI: whether they are already in place, and whether they are configured and used properly.
Will vary among organizations
Small orgs – fewer variables to deal with
Large orgs – many variables
Workforce
IT systems
Locations
Elements of a Security Risk Assessment: Document Business Associate Agreements
Business Associates were (are) focus of OCR during Phase II audits
OCR requested specific information
27 data elements
Business Associate name, type of service, 1st/2nd points of contact (first name, last name, address, phone, fax, email, etc.)
OCR designed sample template – NOT downloadable
Email me for a copy ☺
Elements of a Security Risk Assessment: Report
The final element of an SRA is the report.
Presents/summarizes results
Used to guide/prioritize remediation
Final Report Example
Summary
A Risk Analysis
Designed to aid you in protecting the confidentiality, integrity, and availability of ePHI
May be required for Medicare and Medicaid incentive payment programs (MIPS, Meaningful Use, etc.)
Many methods available (consultant, checklist (ill advised), online tool, etc.)
ePHI IS more than just the medical record
The End
Kevin Atkins, CAHIMS
Engagement Manager
HealthPOINT at Dakota State University
(605) 270-1642
THANK YOU