A Conversation with IT Direct About the HIPAA Risk Analysis

One of the most common areas of enforcement under HIPAA involves a failure to perform an accurate and thorough risk analysis.  Historically, enforcement for this failure has been more expensive than all other failures, often resulting in six- or seven-figure settlements or penalties.  And, so far, that trend is continuing in 2020.  In addition, the failure to properly assess systems also increases the risk of a cyber-attack.  Despite the known enforcement history and growing frequency of cybersecurity incidents, lack of compliance with the risk analysis requirement is very common.

To comply with the risk analysis requirement, all systems that touch electronic protected health information (ePHI) must be assessed for risks or vulnerabilities.  To do this, it is best to involve an IT professional with experience performing risk assessments for compliance purposes.

Sammy De La O, the Director of Quality and Compliance at IT Direct, has extensive experience performing the types of risk and gap assessments required by law in the manufacturing, healthcare, life science and finance industries.  I sat down with Sammy to get his perspective on performing a risk analysis and addressing the results. 

Sammy and I will be talking in-depth on this topic during our webinar on Wednesday, October 21, 2020.  Register for this free webinar here.

Q [Dena]:  HIPAA requires that all covered entities and business associates conduct a risk analysis, but there is often a lack of understanding of what a risk analysis entails.  Can you explain?

A [Sammy]:  A risk analysis is an exploration of all systems that encounter electronic protected health information and related policies to determine how safe that information is within that electronic system.  These types of reviews are critical not only to identify risks and vulnerabilities, but also to develop a program to minimize or eliminate those identified risks or vulnerabilities.

An effective and consistent risk assessment program (including policies) is key to maintaining a healthy and secure HIPAA compliance practice. It’s like getting a physical at your doctor. Imagine if you only did it once in your life. That visit would be important, but as you grow and your lifestyle changes, different risks will come up. Getting a physical yearly will help identify any issues and help address them in a timely fashion.

The healthcare and IT landscapes are constantly changing. In order to stay ahead of new cybersecurity threats, having a living, continuous improvement process for assessing our environments will help us manage risks and vulnerabilities effectively.

Q:  Do cloud-based electronic health record systems maintained by the vendor need to be included in the risk analysis?  If so, how?

A:  Definitely!  Part of creating a risk assessment program is to identify critical systems that manage PHI data. EHR systems, whether they are on-premises or in the cloud, will need to be part of the assessment process.

With cloud solutions, there are additional risks that come along with the technical benefits. Your policy library should include a Vendor Assessment Procedure that helps to vet vendors with access to ePHI to ensure that those vendors have implemented their own security policies and understand their obligations under the HIPAA Security Rule.

Q:  What should a risk analysis look like?  Is there a standard format or a format you recommend?

A:  There is no required format.  The most common and effective process for risk assessment is to measure your compliance controls and the associated policies against a risk matrix that identifies the level of risk by likelihood and consequence severity. This is sometimes called an impact analysis.

This process should help you to identify two things: (1) What is the current state of your environment? (For example, what network technology are we using for access, such as remote access?  Where are we keeping ePHI data, and how are we keeping it secure?); and (2) What are the current risks to the controls managing the environments? (For example, are we using a method of remote access that is secure and encrypts our access to ePHI data?  Do we have proper access controls to limit access, but still make ePHI data available?).

From there, you will be able to identify if there are any risks that are based on: (i) end-user risks and/or failure to follow policies; (ii) technical risks, such as aging technology or equipment, cyber security threats, and/or changes to the environment; or (iii) business/workflow risks, such as changes to the business or compliance requirements.

Q:  So, once the risk analysis is completed, then what?

A:  Upon going through the risk assessment exercise, you will have a list of findings and, if using an outside vendor, you will have findings and recommendations in the form of a report. These need to be categorized in order to prioritize the remediation efforts.

Major findings are critical risks or vulnerabilities that need to be addressed right away.  Minor findings are less critical risks that either can be addressed with planning or are dependent on or fixed through other efforts.  Informational findings are good for additional follow-ups, but the impact and/or likelihood of the risk are low.

For the major findings, there is little flexibility in the timing on addressing the identified issues.  On the other hand, for the minor or informational findings, your team can develop a timeline and approach to address those issues that is reasonable under the circumstances.

If using an outside vendor to perform the risk analysis, you should ask to see a draft version of the report before a final report is created.  This will give you and your team an opportunity to assess the recommendations and push back on recommendations that are not reasonable.  It is important that you agree with the final findings and recommendations.
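As an added illustration of the two answers above (the likelihood-by-severity risk matrix and the major/minor/informational categorization of findings), here is a small Python script that scores findings and orders them for remediation. It is not IT Direct's tool or code from the interview; the 5-point scales, the score thresholds, the three risk categories taken from the answer on end-user, technical and business risks, and the sample findings and system names are all assumptions constructed for the example.

```python
"""Risk-matrix scoring and triage of risk-analysis findings.

Added example, not code from IT Direct or the interview.  The 5-point
likelihood/severity scales, the thresholds, and the sample findings are
constructed assumptions that mirror the process the answers describe.
"""
from dataclasses import dataclass

# Assumed 5-point scales for likelihood and consequence severity.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# The three risk groupings named in the answer above.
CATEGORIES = ("end-user", "technical", "business")

# Assumed thresholds on the 1..25 matrix score (likelihood x severity).
MAJOR_THRESHOLD = 15
MINOR_THRESHOLD = 6


@dataclass(frozen=True)
class Finding:
    title: str
    system: str       # the ePHI-bearing system the finding concerns
    category: str     # one of CATEGORIES
    likelihood: str   # key of LEVELS
    severity: str     # key of LEVELS

    def __post_init__(self):
        # Reject findings that do not fit the matrix instead of mis-scoring them.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category {self.category!r}")
        for level in (self.likelihood, self.severity):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}")

    @property
    def score(self) -> int:
        """Risk matrix cell: likelihood multiplied by consequence severity."""
        return LEVELS[self.likelihood] * LEVELS[self.severity]

    @property
    def rating(self) -> str:
        """Major = address right away; minor = plan; informational = follow up."""
        if self.score >= MAJOR_THRESHOLD:
            return "major"
        if self.score >= MINOR_THRESHOLD:
            return "minor"
        return "informational"


def triage(findings):
    """Group findings by rating, highest matrix score first within each group."""
    grouped = {"major": [], "minor": [], "informational": []}
    for f in sorted(findings, key=lambda f: (-f.score, f.title)):
        grouped[f.rating].append(f)
    return grouped


def remediation_order(findings):
    """Finding titles in the order remediation planning should take them up."""
    return [f.title for f in sorted(findings, key=lambda f: (-f.score, f.title))]


def category_summary(findings):
    """Worst rating per risk category, showing where the major risks cluster."""
    worst = {}
    for f in findings:
        current = worst.get(f.category)
        if current is None or f.score > current.score:
            worst[f.category] = f
    return {category: f.rating for category, f in worst.items()}


# Constructed sample findings; systems and titles are hypothetical.
SAMPLE_FINDINGS = [
    Finding("Remote access to EHR without multi-factor authentication",
            "EHR remote portal", "technical", "high", "very high"),
    Finding("Shared workstation logins at front desk",
            "Front-desk workstations", "end-user", "very high", "medium"),
    Finding("Cloud EHR vendor agreement not reviewed since onboarding",
            "Hosted EHR", "business", "medium", "high"),
    Finding("Backup media inventory incomplete",
            "Backup server", "technical", "low", "medium"),
    Finding("Visitor log not retained",
            "Reception", "end-user", "low", "very low"),
]

if __name__ == "__main__":
    for rating, items in triage(SAMPLE_FINDINGS).items():
        print(f"{rating.upper()} ({len(items)})")
        for f in items:
            print(f"  [{f.score:>2}] {f.title} ({f.system}, {f.category})")
    print("Worst rating per category:", category_summary(SAMPLE_FINDINGS))
```

Run it as a script to see the prioritized list; the thresholds are the knob a team would tune to match its own matrix, and the validation in `__post_init__` is there so that a finding with a mistyped level fails loudly rather than silently landing in the wrong tier.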

Q:  We know that the regulations do not require healthcare providers to implement the most advanced data protection systems available.  In fact, the regulations are clear that only reasonable measures are required, and that reasonableness can depend on a provider’s size and available resources.  Understanding this concept, how do providers determine what technologies are reasonable to implement versus those that may be too advanced or expensive to be reasonable?

A:  Every practice and environment is different. This is the beauty of how the HIPAA controls are written. It gives us the ability to find the solutions that will work best considering the size of the practice, complexity of its systems, and the budget.

In order to determine the most efficient and effective solutions, we need to know how our environment and technology measure up against the HIPAA controls. Performing a gap assessment will help to identify the areas where compliance is good and areas where there are gaps.  It also helps to find the best way to be in alignment with the controls.

Q:  We know that entities can perform their own risk analysis internally.  What are your thoughts on performing a risk analysis internally as opposed to hiring an outside entity?

A:  The most important thing is to perform a comprehensive risk analysis. There are benefits to the DIY approach, but there are also benefits to getting outside help.

Keeping the process in-house helps leverage the knowledge that you already have with your team and will avoid the cost of engaging a vendor.  It will be important to have an internal resource that has knowledge of the HIPAA rules, and understands the practical application of those rules to current technology.

If keeping the analysis in-house, there are many helpful resources, such as the OCR Security Risk Analysis tool.  OCR recently updated the tool.  It walks you through the analysis process and helps to create the documentation necessary for compliance.  Importantly, the tool does not share information with OCR.

Having an outside vendor assist has benefits. The most notable benefit is the objective review.  In the same way that it is difficult to pick up typos when proofreading your own work, it is more challenging to objectively assess the security of a system that you either built or maintain.  An outside vendor can also offer additional perspectives on new technologies or approaches to risk mitigation measures.  The key will be to find a vendor that has both relevant technology and compliance experience.  Other notable benefits to using an outside vendor are to avoid burdening a likely already over-tasked internal team and to receive results more expeditiously than if handled in-house.

I would recommend using a hybrid approach to meet the risk analysis requirement.  Have an outside vendor perform the initial, comprehensive analysis and then perform annual updates internally.  Finally, consider bringing an outside vendor in every three or four years (or when there are major system changes) to perform another comprehensive analysis.

Q:  If a healthcare organization decides to engage a vendor to do a risk analysis, what should they be looking for in a vendor?

A:  First, talk to folks in your networks to find recommended vendors based on the experience of others.  The key would be finding a balance of relevant technology and compliance experience.

A proper engagement includes a review of the policies and procedures attached to the systems and controls; interviews with key personnel to understand the workflows and verify whether policies and procedures are being followed; identification of gaps in people, technology, or process; assignment of risk levels; and recommended remediation efforts.

There are vendors that will offer just a scan or a penetration test of the environment.  Those activities alone will not satisfy the risk analysis requirement, although they should be part of regular system assessments.

Finally, ask the vendor to provide a sample report to see the type of information you would receive at the end of the engagement.  It’s important that you understand how the vendor will document its work, that you like the format, and that you can easily follow the report.

Join me and Sammy De La O, of IT Direct, for a three-part webinar series on HIPAA Security and Cybersecurity on October 13, 21 and 29.