[BreachExchange] 7 Steps For Comprehensive HIPAA Risk Assessment
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Dec 22 14:53:25 EST 2017
https://www.healthitoutcomes.com/doc/steps-for-comprehensive-hipaa-risk-
assessment-0001
IT risk assessment, or risk analysis, is one of the main requirements for
HIPAA compliance. According to paragraph 164.308, risk analysis is “an
accurate and thorough assessment of the potential risks and vulnerabilities
to the confidentiality, integrity, and availability of electronic protected
health information held by the covered entity.” Failure to establish proper
control over risks in the IT environment can result in not only failed
compliance audits, but devastating breaches that can lead to civil and
criminal penalties and loss of customer loyalty.
Unfortunately, numerous breach investigations and desk audits conducted by
the HHS Office for Civil Rights (OCR) show that many HIPAA-covered
organizations still struggle to effectively evaluate IT risksand respond to
security issues with proper controls and procedures. There are two main
reasons for this:
- Complexity of the process. HIPAA risk assessment is a complex and
continuous process that requires skills, knowledge and time to perform and
maintain.
- Absence of clear guidance. HIPAA lacks specific guidance on what risk
assessment should consist of, mainly because the standard applies to
multiple different types of organizations, such as hospitals and health
insurance companies. As a result, organizations have to take full
responsibility for determining what scope of risk assessment would be
comprehensive for them, without knowing whether their answer is the same as
what OCR might require.
Getting Started With HIPAA Risk Assessment
Although the HIPAA Security Rule provides no insight into what risk
assessment must include, there are several documents that can help
organizations understand HIPAA requirements better and make sure that their
risk assessment procedures are sufficient. For example, the Guidance on
Risk Analysis Requirements by HHS, which is based on the recommendations of
the NIST framework, suggests a number of measures you can take to ensure
the confidentiality, integrity and availability of sensitive data.
Based on these documents, we’ve put together seven key steps that can help
you get started with HIPAA risk assessment:
1. Identify e-PHI Within The Organization
Organizations need to understand what kind of e-PHI they store and process,
where it resides, and how is it maintained and transmitted. Keep in mind
that confidential data can spread across multiple systems and applications,
so make sure you have visibility into what’s going on throughout your
environment.
2. Be Cautious About Sharing e-PHI
Third-party contractors with legitimate access to your data can pose a
bigger threat to security than anyone else. If you share e-PHI with
partners or vendors, make sure that they are ready to meet HIPAA
requirements, and establish strict control over their activities with your
data.
3. Determine Potential Threats
You need to be aware of potential human, environmental and natural threats
to your IT systems and data in order to make better decisions about your
security posture. There are plenty of ready-to-use forms that list threats,
so find one online and use it as a starting point for creating a
comprehensive risk assessment strategy.
4. Evaluate The Likelihood And Impact Of Each Threat
Auditors will require evidence that all necessary controls are in place to
mitigate the most serious cyber risks in your environment, so you need to
evaluate the list of threats and prioritize them by likelihood and impact.
5. Make Sure Your Security Measures Are Effective And Update Them If Needed
If your security measures are not sufficient to mitigate the threats at the
top of your list, you need to pinpoint the weakest security controls in
your IT environment, adjust them and ensure that your actions actually
reduced your risk.
6. Prepare Evidence For Auditors
Auditors generally require organizations to provide evidence of compliance
for the past six years, which includes risk assessment documentation, log
data, current security policies and other information. Therefore, keep
track of everything that occurs in your IT environment, document critical
changes and be ready to present the evidence during the compliance checks.
7. Make Risk Assessment Continuous
Since culprits are constantly inventing new ways to penetrate networks, you
need to repeat the risk assessment process on a regular basis. In between
these assessments, be on the lookout for risks that emerge quickly, for
example, because a new malware variant is spreading, a new software
vulnerability is identified, or you implement new systems or technologies.
More broadly, a good strategy for passing HIPAA audits more easily is to
familiarize yourself with the NIST framework. It provides an extensive list
of IT risk assessment tasks and explains how to complete them, along with a
set of templates and examples. In addition, gaining deep visibility into
what is going on across your critical systems will help you identify and
prioritize risks faster and spend less time proving your HIPAA compliance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171222/90af0203/attachment.html>
More information about the BreachExchange
mailing list