If you don’t know what you have, or where it’s located, you can’t protect it. This simple concept trips up nearly every organization investigated by the Office for Civil Rights (OCR), the agency that enforces HIPAA. Organizations are still not understanding or not completing their HIPAA Risk Analysis.
OCR issued its Summer 2020 Cybersecurity Newsletter today to give an important reminder. The fundamental principle of the HIPAA Security Rule is that covered entities and business associates are required to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that they create, receive, maintain, or transmit. The first step is a complete HIPAA Risk Analysis. A Risk Analysis is is an accurate and thorough assessment of the potential risks and vulnerabilities to all PHI, including electronic PHI, held by an organization. Covered entities and business associates are both required to do a HIPAA Risk Analysis.
HIPAA Risk Analysis is Too Often Missing
OCR notes that despite this long-standing HIPAA requirement, they frequently find that organizations do not know where all of the ePHI they hold is located. To fix this, OCR recommends creating and maintaining an up-to-date information technology (IT) asset inventory as a tool to create “a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance”.
IT Asset Inventory is More than a List
OCR explains that the inventory should be “a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset).”
The HIPAA E-Tool® Risk Analysis – Risk Management module includes exactly what OCR prescribes – an interactive inventory list that allows for entry of detailed asset information (vendor, version, person accountable) with respect to ePHI. For very large organizations with thousands of electronic assets, The HIPAA E-Tool® offers a separate database to import the key information required, in bulk.
OCR recommends an asset inventory can include (list below from the August 25 newsletter):
- All hardware assets, including electronic devices and media, which make up an organization’s networks and systems. This can include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.
- Software assets that are programs and applications that run on an organization’s electronic devices. Well-known software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems. Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory.
- Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is also important to consider in the Risk Analysis.
Even IT assets that don’t necessarily contain ePHI should be included. Because the Internet connects (nearly) everything electronic with an organization, even assets that do not directly store or process ePHI may still offer a pathway in to the larger IT system by cyberthieves, where they can eventually reach ePHI. The Internet of Things or IoT, is here, today, not a futuristic concept. Unpatched devices on the network may be vulnerable and if the network lacks firewalls, segmentation, or other techniques to deny a cyberthief’s lateral movement these can provide a foothold into an organization’s IT network, leading to compromised ePHI.
The Risk Analysis is More than IT Assets
The RA-RM module includes more than an IT inventory though. It includes an inventory of business associates, or if you are a business associate, an inventory of subcontractor business associates. It includes a Security Rule Checklist, a workforce roster (and a place to record workforce HIPAA training), a method to name threats and vulnerabilities to electronic and non-electronic PHI (required by HIPAA). And finally the interactive forms create a Risk Management plan, and everything is documented, in one place.
Take care when setting out to complete the Risk Analysis – don’t stop with the NIST Cybersecurity Framework guidance. The NIST guidance is part of the story, not the whole, when it comes to HIPAA compliance.
OCR Gives Good Advice – it Pays to Listen
This latest reminder from OCR about the importance of an IT asset inventory is part of a larger body of communications, from newsletters, public pronouncements and news releases about OCR investigations. OCR is an open book when it comes to HIPAA priorities. Whether it’s top enforcement targets, the patient’s right of access initiative or changes due to COVID-19, OCR communicates its priorities – at The HIPAA E-Tool® we’re listening and will keep you up to date.