[BreachExchange] A HIPAA Security Rule Risk Assessment Checklist For 2018

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 21 20:21:41 EDT 2018


https://www.intelligenthq.com/resources/hipaa-security-rule-risk-assessment-checklist-2018/

HIPAA is the acronym for the Health Insurance Portability and Accountability
Act of 1996. The HIPAA Security Rule focuses mainly on the storage of
electronic Protected Health Information (ePHI). As a healthcare provider,
covered entity and/or business associate you are required to undergo an
audit to prove your regulatory compliance and assure your new customers that
their data is secure. Your first step toward HIPAA compliance is a security
risk assessment together with mitigation controls.

Who is a health provider?

According to HIPAA, any person or organization that engages in the practice
of medicine and helps treat sick people is a health provider: for example, a
doctor of medicine who is authorized to practice medicine or surgery by the
state in which he or she operates, or any person who is determined by the
Secretary to be capable of providing health care services.

According to HIPAA, health plans, healthcare clearinghouses and any
healthcare provider who transmits health information electronically are
covered entities.

A business associate is any person or entity that uses or discloses
protected health information on behalf of a covered entity. Put simply,
anyone who sees information that refers to a patient must be compliant with
HIPAA.

Requirements for Compliance with HIPAA

To ensure you are compliant with HIPAA, you are required to undergo a risk
assessment; this will help you identify where your vulnerabilities lie. You
undertake this risk assessment with the Security Risk Tool that was created
by the National Coordinator for Health Information Technology. The
assessment consists of 156 questions that will help you identify your most
significant risks.

The security tool categorizes these questions into three classes, namely:

1. Administrative safeguards
2. Technical safeguards
3. Physical safeguards

Administrative safeguards requirements

The administrative safeguards requirement obliges you to develop, document
and implement policies and procedures to assess and manage ePHI risk.

To develop appropriate safeguards, you should first consider the following:

Risk Assessment:

- You are supposed to create an inventory of all information systems,
electronic devices and mobile media.
- You should identify threats and vulnerabilities in technology, processes,
workforce and vendors to determine the likelihood of a data breach and
estimate the potential harm.
- You are required to develop and implement a risk assessment policy that
identifies essential activities addressing purpose, scope, roles,
responsibilities, management commitment, organizational coordination,
compliance and facilitation procedures, and that outlines risk assessment
controls.
- You should share the documented risk assessment policy with workforce
members responsible for mitigating threats and vulnerabilities.
- You should review unauthorized and inappropriate access to ePHI that can
compromise data confidentiality, integrity and availability, as well as
potential unauthorized disclosure, loss and theft.

Security Plan and Policy:

- You are required to create a security plan with a continuity plan,
emergency access plan, disaster recovery plan and vendor management plan.
- You are to develop, document and share with workforce members a security
planning policy and training that addresses purpose, scope, roles,
responsibilities, management commitment, organizational coordination and
compliance, and procedures that outline security implementation and the
controls associated with it.
- You are to create appropriate sanctions for individuals who do not comply
with information security policies, and document the sanctions executed.
- You are to create audit and system monitoring procedures to ensure there
is no inappropriate access to information.
- You should establish periodic review and documentation of the plan, and
update it when it is affected by operational and environmental changes.
- You are supposed to appoint a senior-level executive security official to
develop and implement policies and procedures that protect against business
associate and covered entity risk.
- You are supposed to ensure the person responsible for security is educated
and experienced in system review, vulnerabilities and mitigation practices,
so that they can support management in security purchasing decisions.

For user authorization duties, you are supposed to ensure the following:

- Workforce and service provider roles and duties are defined with respect
to how they access ePHI.
- Workforce members have an access control policy that defines the purpose,
scope, roles, responsibilities, management commitment, coordination
expectations and compliance requirements.
- The minimum-necessary access principle is applied to ePHI.
- Access is role-based only, according to job description and
responsibilities.
- Processes are in place that restrict access to media, digital and
non-digital, containing ePHI.
- The locations of ePHI, and the workforce members who can access it, are
supervised.
- You have a procedure that allows the IT department to create, enable,
disable and remove user accounts based on user groups and account
privileges.
- You have a list of authorized personnel that identifies their access level
to facilities and information systems that contain ePHI.
- You have established processes that monitor the security roles and
responsibilities of third-party providers with access to ePHI.
- You have established role-based screening criteria and a risk designations
document.
- You have established screening policies for individuals before granting
access.
- You have developed and implemented access termination policies for your
workforce members.
- You have procedures for retrieving all security-related information system
property when a workforce member's access needs change.
- You review current, ongoing and physical access authorizations.


In your security awareness policy you are required to ensure the following:

- You should develop, document and share with workforce members a security
awareness policy and training that addresses purpose, scope, roles,
responsibilities, management commitment, organizational coordination,
compliance and procedures, to ensure they understand security awareness.
- You should periodically review the awareness training to ensure it aligns
with current systems and threats.
- You should ensure workforce members are trained and updated in the event
of a role change or in response to system changes.
- You are to ensure security awareness training covers cyber-attacks,
unauthorized access and the opening of malicious email attachments, and
teaches staff about spear phishing attacks.
- All training materials for the workforce and associated members should be
retained.
- Ensure you are always monitoring information systems for possible attacks
and unauthorized connections.
- You should monitor physical information systems to detect any possible
security incidents.
- Always ensure you share security information with your workforce members.
- You should develop procedures for guarding against, detecting and
reporting malicious software.
- You should develop automated mechanisms and tools that help track security
incidents and periodically collect and analyze information.
- You should establish authorization policies and procedures that outline
password requirements, protection, changes, privacy requirements and
safeguarding.

Having done all that, you are required to develop an incident response plan
for the event that an incident occurs. Your incident response plan should
ensure you do the following:

- Have established training that aligns with workforce members' roles and
responsibilities.
- Have established mechanisms to identify and respond to suspected or known
security incidents, including both mitigation and documentation steps.
- Share the incident policy with your workforce members.
- Provide incident response training to information system users consistent
with the response policy.

In your contingency plan, ensure the following:

- You have developed a contingency planning policy.
- The policy incorporates a variety of emergencies such as fire, vandalism
and natural disaster, to name but a few.
- You have a system restoration procedure.
- You regularly update your contingency policy.
- You always have a backup of your system from which you can retrieve exact
copies of ePHI.
- You always test continuity and emergency operations.

Having done all that, you are supposed to develop a third-party monitoring
policy that entails the following:

- One that establishes, reviews, documents and modifies third-party access.
- One that assures covered entities that their information is safeguarded.
- You always document all third-party assurances through written contracts.
- You always review contracts to ensure they align with ePHI disclosure
procedures.
- You have a running third-party monitoring process that reviews security
roles and responsibilities.

Having done all that, you finally have to develop an Information Retention
Policy that addresses the following issues:

- You have to ensure you retain information as required by federal laws,
executive orders, directives, policies, regulations, standards and
operational requirements.
- You should ensure retention covers the full lifecycle, including but not
limited to the disposal of information systems.
- You should retain records for six years maximum from the creation date.
- You should provide an audit reduction and report generation capability.
- Ensure all your role-based authorization records are retained.