Data security risk assessments are a requirement for all organizations covered under the Health Insurance Portability and Accountability Act, as well as for those working to achieve meaningful use compliance. While many hospitals are clear on their regulatory obligations, fewer understand how to implement an assessment effectively and act on the results to reduce overall risk.
Here, Danny Creedon, managing director at Kroll Advisory Solutions, a provider of risk mitigation and response, gives seven steps for conducting effective risk assessments that can keep hospitals within compliance as well as informed about what might be lacking in their data security plans.
1. Cast a wide net when preparing your team. To get the most comprehensive risk assessment possible, hospitals should ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas — from IT and operations to human resources, compliance and legal to other key supervisors or managers.
"If one person is charged with completing the risk assessment you get suboptimal answers because [he or she is] not an expert in every area of the assessment. Being able to bring in multiple stakeholders and have different people complete different parts [of the risk assessment] makes it much more accurate and valuable in terms of the output," says Mr. Creedon. "Also, if the stakeholders and technical experts have been part of completing the risk assessment, there is more buy-in and the value of the assessment increases," he adds.
Once the key stakeholders are identified, protocols for tasks, timelines and communication among the team should be established to make sure the risk assessment process runs smoothly. "You often get an optimal solution from having multiple people input into a risk assessment. However, it can be like herding cats. Everyone does not assess the same level of priority to the task. Developing protocols helps assign sections and tasks to individuals, moving through an assessment quickly to receive the output that will drive remediation," says Mr. Creedon.
2. Fully scope the risk assessment. Regardless of the hospital's compliance requirements, Mr. Creedon recommends that leaders make sure the scope of the risk assessment is clearly defined, and that the team understands and accepts that scope. By scoping, Mr. Creedon means laying out the segments of the risk assessment the hospital needs to focus on in order to comply with the HIPAA Security Rule. The HIPAA Security Rule requires "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity."
3. Take stock of your data. One of the key components of any assessment is determining how protected health information (PHI) and electronic protected health information (ePHI) are received, stored, transmitted, accessed or disclosed. According to Mr. Creedon, once a hospital has fully scoped its assessment, it can begin gathering the relevant data. A good place to start is reviewing past or existing projects, performing interviews, reviewing documentation or using standard data-gathering techniques, as applicable.
"Taking stock of data also involves creating classifications of data, such as public, confidential, highly confidential and even highly secretive data. The second portion is identifying the true data owner who will have the ability to understand that data down to an element level. What is the appropriate handling of the data given its sensitivity? Then, the hospital can develop security routines that fit the data and its uses," says Mr. Creedon.
4. Address anticipated or known vulnerabilities. According to Mr. Creedon, a hospital has likely already identified potential vulnerabilities and considered the likelihood that each would be exploited by a threat source, because the HIPAA Security Rule requires covered entities to take the probability of potential risks into account. However, a risk assessment can also surface vulnerabilities that were unanticipated or previously unknown. Combining the vulnerabilities the hospital had already identified with the results of the assessment helps it identify the "reasonably anticipated" threats it is required to address under HIPAA, says Mr. Creedon.
To address technical vulnerabilities, Mr. Creedon recommends that hospitals use vulnerability management tools that recognize vulnerabilities and notify hospital staff. "Managing [technical vulnerabilities] is really difficult in a large, complex environment. A tool can look for vulnerabilities more efficiently than people," says Mr. Creedon.
5. Document, document, document. The importance of proper documentation cannot be stressed enough, says Mr. Creedon. HHS will require analysis in writing, and the material a hospital gathers throughout the risk assessment will meet that requirement, along with documentation of the corrective actions taken to remediate any problems uncovered by the assessment.
"One of the benefits of a risk assessment is it provides tremendous evidence of due diligence. It enables hospitals that perform it to demonstrate they were actively trying to manage information security and their compliance with HIPAA regulations," says Mr. Creedon. "The risk self assessment is a powerful document for not only driving change going forward but, in the event of a regulatory review or litigation oversight, it is proof of the hospital's effort to be compliant."
6. Be prepared for follow-up after the risk assessment is completed. "This is critical, particularly for those attesting to meaningful use; a risk assessment isn't enough. A hospital must be willing to implement security updates as necessary and correct identified security deficiencies as part of its risk management process," says Mr. Creedon. Failure to address identified security gaps and vulnerabilities leaves the organization exposed and subject to corrective action.
7. Regularly check progress. HHS recommends performing risk assessments periodically, and particularly after any change in technology or business operations at the hospital that could adversely affect the security of PHI or ePHI. According to Mr. Creedon, conducting regular risk assessments can stave off vulnerabilities and incidents that could ultimately lead to a data breach, making it a best practice for any organization looking to manage risk. However, the frequency of progress checks and repeat self assessments depends on the maturity of the hospital's HIPAA compliance, says Mr. Creedon.
"If a hospital has been actively developing a process over the last five years, its remediation efforts are down to 25 tasks and the change control processes are strong, it may not need to run a full risk assessment on an annual basis," says Mr. Creedon. "If the hospital is not as mature, the healthcare risk assessment can be a good tool for measuring success in compliance growth over time. Run a risk assessment, remediate and run the assessment again."
While a risk assessment and the above seven steps can help hospitals to effectively reduce vulnerabilities and meet HIPAA compliance, hospital leaders must be completely honest during assessments.
"The underlying structure that is required is complete honesty when answering the questions. Since some tools, like Kroll Advisory Solutions' HIPAA Self Risk Assessment, allow hospitals to grade themselves, if they give all A's when they are D's, they are selling themselves short. If you grade yourself as wonderful and things aren't so wonderful, you are just covering up a potential disaster," says Mr. Creedon.
More Articles on HIPAA Risk Assessments:
9 Ways Hospitals Should Prepare for HIPAA Audits
HIPAA/HITECH Risk Assessments: Are the Standards Being Met?
Risk Assessments – What's the Big Deal? Your Responsibilities If You Adopt Electronic Health Records