By Michael Fimin, CEO and co-founder, Netwrix Corporation
IT risk assessment, or risk analysis, is one of the main requirements for HIPAA compliance. According to paragraph 164.308, risk analysis is “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Failure to establish proper control over risks in the IT environment can result in not only failed compliance audits, but devastating breaches that can lead to civil and criminal penalties and loss of customer loyalty.
Unfortunately, numerous breach investigations and desk audits conducted by the HHS Office for Civil Rights (OCR) show that many HIPAA-covered organizations still struggle to effectively evaluate IT risks and respond to security issues with proper controls and procedures. There are two main reasons for this:
- Complexity of the process. HIPAA risk assessment is a complex and continuous process that requires skills, knowledge and time to perform and maintain.
- Absence of clear guidance. HIPAA lacks specific guidance on what risk assessment should consist of, mainly because the standard applies to multiple different types of organizations, such as hospitals and health insurance companies. As a result, organizations have to take full responsibility for determining what scope of risk assessment would be comprehensive for them, without knowing whether their answer is the same as what OCR might require.
Getting Started With HIPAA Risk Assessment
Although the HIPAA Security Rule provides no insight into what risk assessment must include, there are several documents that can help organizations understand HIPAA requirements better and make sure that their risk assessment procedures are sufficient. For example, the Guidance on Risk Analysis Requirements by HHS, which is based on the recommendations of the NIST framework, suggests a number of measures you can take to ensure the confidentiality, integrity and availability of sensitive data.
Based on these documents, we’ve put together seven key steps that can help you get started with HIPAA risk assessment:
- Identify e-PHI Within The Organization
Organizations need to understand what kind of e-PHI they store and process, where it resides, and how is it maintained and transmitted. Keep in mind that confidential data can spread across multiple systems and applications, so make sure you have visibility into what’s going on throughout your environment.
- Be Cautious About Sharing e-PHI
Third-party contractors with legitimate access to your data can pose a bigger threat to security than anyone else. If you share e-PHI with partners or vendors, make sure that they are ready to meet HIPAA requirements, and establish strict control over their activities with your data.
- Determine Potential Threats
You need to be aware of potential human, environmental and natural threats to your IT systems and data in order to make better decisions about your security posture. There are plenty of ready-to-use forms that list threats, so find one online and use it as a starting point for creating a comprehensive risk assessment strategy.
- Evaluate The Likelihood And Impact Of Each Threat
Auditors will require evidence that all necessary controls are in place to mitigate the most serious cyber risks in your environment, so you need to evaluate the list of threats and prioritize them by likelihood and impact.
- Make Sure Your Security Measures Are Effective And Update Them If Needed
If your security measures are not sufficient to mitigate the threats at the top of your list, you need to pinpoint the weakest security controls in your IT environment, adjust them and ensure that your actions actually reduced your risk.
- Prepare Evidence For Auditors
Auditors generally require organizations to provide evidence of compliance for the past six years, which includes risk assessment documentation, log data, current security policies and other information. Therefore, keep track of everything that occurs in your IT environment, document critical changes and be ready to present the evidence during the compliance checks.
- Make Risk Assessment Continuous
Since culprits are constantly inventing new ways to penetrate networks, you need to repeat the risk assessment process on a regular basis. In between these assessments, be on the lookout for risks that emerge quickly, for example, because a new malware variant is spreading, a new software vulnerability is identified, or you implement new systems or technologies.
More broadly, a good strategy for passing HIPAA audits more easily is to familiarize yourself with the NIST framework. It provides an extensive list of IT risk assessment tasks and explains how to complete them, along with a set of templates and examples. In addition, gaining deep visibility into what is going on across your critical systems will help you identify and prioritize risks faster and spend less time proving your HIPAA compliance.