Do your HIPAA Risk Analysis. It can bring peace of mind.
You can find lots of blogs and news articles about the rise in cybersecurity threats to healthcare, how 2021 was the year of the highest number of data breaches yet, and how ransomware is skyrocketing. These are all important and timely messages about the threat landscape, but instead of writing about one of those macro topics, today we want to focus on a micro topic. You have the power to blunt those threats by doing a Risk Analysis.
Take one step forward and begin today.
Risk Analysis is an Enforcement Priority
The Office for Civil Rights (OCR), which enforces HIPAA, emphasizes over and over that the number one priority for all organizations complying with HIPAA is the Risk Analysis. No matter what triggers an investigation initially, whether it’s a complaint or a breach, Risk Analysis becomes the focus, and if an organization has not completed one the investigation is more difficult to defend and more expensive to settle. Both covered entities and business associates are required to perform Risk Analysis.
Risk Analysis is the Best Way to Manage Cybersecurity Threats
Last week the FBI, the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) issued a new advisory warning of threats to critical infrastructure (which includes healthcare) coming from Russian state-sponsored attackers. This is only the latest of similar warnings published in the last several years. The sad reality is that we all need to do more, make improvements and stay vigilant.
Risk Analysis is a Series of Steps
HIPAA requires you to have Administrative, Physical and Technical Safeguards to protect the data you hold. These rules are thorough. It sounds like a lot, but it’s not complicated when broken down into steps.
A Risk Analysis does not need to be done all at once, in one day or even one week. Whether it’s the first one or a revision of an existing one, it starts with reviewing your HIPAA policies to make sure they are up-to-date and complete.
The next step is staff training to familiarize them with the policies they need to know about depending on their job responsibilities. After that, there should be an inventory of all the locations of protected health information (PHI), electronic and non-electronic, and a review of the vulnerabilities and threats to PHI security.
A security risk assessment is part of a full Risk Analysis, covering all the requirements of the HIPAA Security Rule.
All of these steps take time – days, even weeks, to perform thoroughly. Every question that’s answered and every job that’s assigned needs to be documented so you can prove your work. You need to be able to show OCR (or a judge or State Attorney General) what you did and when, to prove you are taking HIPAA seriously and taking care with the privacy and security of patient data.
Risk Analysis is a Team Effort
Risk Analysis is a shared responsibility. One person, often a compliance officer, can take the lead, but human resources and IT are essential partners. Sometimes the IT department takes the lead because of the volume of data maintained electronically and because its expertise is so critical. Senior management is also part of the team, to support the compliance work throughout the organization. A CEO or owner can delegate the tasks of HIPAA compliance, but they cannot delegate the responsibility.
There is no single cookie-cutter method for accomplishing a Risk Analysis, and every organization can do it its own way, but the questions are the same and the goal is the same.
Answers to the questions will be unique to the organization and the answers will create the Risk Management plan. The goal is not to get an “A”. Instead you want to uncover your own real risks so you can eliminate or reduce them.
Some of the key questions are:
- What staff needs training? (Even if they’ve had training, provide refresher classes, and be sure to include cybersecurity awareness.)
- Do we know which of our third party vendors are business associates? Do we have business associate agreements with each of them?
- Do we have encryption and authentication procedures, logoff procedures, password protections and access controls?
- Are we doing data backups offsite on a daily basis?
- Do we have current anti-virus and anti-malware programs in place?
- Are our software patches up-to-date, and are all software updates current?
- Do we have a contingency plan?
There are many more questions, and the answers will take time. The solutions will take time, and should be assigned to those best able to handle them, depending on their job responsibilities.
As the staff becomes more aware of HIPAA and of data security in general, they can become your strongest defense against threat actors who still rely on phishing and other social engineering tricks to break in through email. A culture of compliance and a culture of defense are made up of people who care and who have the knowledge to help you.
Risk Analysis – Risk Management Provides Peace of Mind
Once the Risk Analysis is finished and documented, the Risk Management plan kicks into gear. Those assigned tasks, whether ensuring policies are current, access procedures are adequate, software is protected, or any of the other follow-ups, are helping shore up a full defense. The compliance officer who began the process should check back in with everyone periodically to ensure they complete their tasks. The Risk Management team effort continues 365 days a year.
Mark your calendar for next January to review and complete a new Risk Analysis so you can keep up with any organizational and information system changes that happened during the year. New staff? New equipment? New locations? If you did a good job documenting everything the first year, a revision will be much easier to do, and your peace of mind can continue into 2023.