If your organization handles protected health information, or PHI, the Department of Health and Human Services requires you to conduct a risk analysis as the first step toward implementing the safeguards specified in the HIPAA Security Rule, and ultimately achieving HIPAA compliance.
This includes all HIPAA hosting providers.
But what does a risk analysis entail exactly? And what must absolutely be included in your report?
Conducting a thorough HIPAA risk assessment on your own is extremely difficult, though, and you may well want to contract with a HIPAA auditor to help you.
Most people simply don't know where to look, or they end up bypassing things because they don't understand data security.
If the risk analysis is foundational to your security, then you don't want to overlook key elements in the analysis.
There are nine components that healthcare organizations and healthcare-related organizations that store or transmit electronic protected health information must include in their document:
To identify your scope (in other words, the areas of your organization you need to secure), you have to understand how patient data flows within your organization.
This includes all electronic media your organization uses to create, receive, maintain or transmit ePHI: portable media, desktops and networks.
There are four main parts to consider when defining your scope:
- Where PHI starts or enters your environment.
- What happens to it once it's in your system.
- Where PHI leaves your entity.
- Where the potential or existing leaks are.
Below is a list of places to get you started in the documentation of where PHI enters your environment:
- Email: How many computers do you use, and who can log on to each of them?
- Texts: How many mobile devices are there, and who owns them?
- EHR entries: How many staff members are entering data?
- Faxes: How many fax machines do you have?
- USPS: How is incoming mail handled?
- New patient papers: How many papers are patients required to fill out? Do they do this at the front desk? In the examination room? Somewhere else?
- Business associate communications: How do business associates communicate with you?
- Databases: Do you receive marketing databases of potential patients to contact?
It's not enough to know only where PHI begins. You also need to know where it goes once it enters your environment.
To fully understand what happens to PHI in your environment, you have to record all hardware, software, devices, systems, and data storage locations that touch PHI in any way.
And then what happens when PHI leaves your hands? It is your job to ensure that it is transmitted or destroyed in the most secure way possible.
Once you know all the places where PHI is housed, transmitted, and stored, you'll be better able to safeguard those vulnerable places.
Once you know what happens during the PHI lifecycle, it's time to look for the gaps. These gaps create an environment for unsecured PHI to leak into or out of your environment.
The best way to find all possible leaks is to create a PHI flow diagram that documents all the information you found above and lays it out in a graphical format.
Looking at a diagram makes it easier to understand PHI trails and to identify and document anticipated vulnerabilities and threats.
A vulnerability is a flaw in components, procedures, design, implementation, or internal controls. Vulnerabilities can be fixed.
Some examples of vulnerabilities:
- A website coded incorrectly
- No office security policies
- Computer screens in view of public patient waiting areas
A threat is the potential for a person or thing to trigger a vulnerability. Most threats remain out of your control to change, but they must be identified in order to assess the risk.
Some examples of threats:
- Geological threats, such as landslides, earthquakes, and floods
- Hackers downloading malware onto a system
- Actions of workforce members or business associates
Again, even if you're above average in terms of compliance, you may only have a minimal understanding of vulnerabilities and threats. It's crucial to ask a professional for help with your HIPAA risk assessment.
Ask yourself what kind of security measures you're taking to protect your data.
From a technical perspective, this might include any encryption, two-factor authentication, and other security methods put in place by your HIPAA hosting provider.
Now that you understand how PHI flows in your organization, you can better understand your scope. With that understanding, you can identify the vulnerabilities, the likelihood of threat occurrence, and the risk.
Just because there is a threat doesn't mean it will have an impact on you.
For example, an organization in Florida and an organization in New York technically could both be hit by a hurricane. However, the likelihood of a hurricane hitting Florida is a lot higher than New York. So the Florida-based organization's hurricane risk level will be a lot higher than the New York-based organization's.
What effect would a particular risk you are analyzing have on your organization?
For example, while a patient in the waiting room might accidentally see PHI on a computer screen, it more than likely won't have nearly the impact that a hacker attacking your unsecured Wi-Fi and stealing all your patient data would.
By using either qualitative or quantitative methods, you will need to assess the maximum impact of a data threat to your organization.
Risk is the probability that a particular threat will exercise a particular vulnerability, combined with the resulting impact on your organization.
According to the HHS, risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
So let's break down the whole vulnerability, threat and risk connection. Here's an example:
Let's say that your system allows weak passwords. The vulnerability is the fact that a weak password is vulnerable to attack. The threat, then, is that a hacker could easily crack that weak password and break into the system. The risk would be the unprotected PHI in your system.
All risks should be assigned a level and accompanied by a list of corrective actions that would be performed to mitigate risk.
Armed with the prioritized list of all your security problems, it's time to start mitigating them. Starting with the top-ranked risks first, identify the security measure that fixes each issue.
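As an added illustration (not part of the original article), the snippet below builds a small qualitative risk register in the shape the steps above describe: each entry pairs an asset from the scope with a vulnerability, a threat, a likelihood and an impact rating, derives a risk level, and carries the corrective action. The entries, ratings and thresholds are constructed for the example and use the article's own scenarios (weak passwords, a visible screen, hurricanes in Florida versus New York, unsecured Wi-Fi).

```python
from dataclasses import dataclass

# Qualitative scale used for both likelihood and impact (constructed).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    asset: str              # where PHI lives or flows (from the scope step)
    vulnerability: str      # the flaw that can be fixed
    threat: str             # what could trigger the flaw
    likelihood: str         # low / medium / high
    impact: str             # low / medium / high
    corrective_action: str  # what will be done to mitigate the risk


def risk_score(entry: RiskEntry) -> int:
    """Likelihood x impact on the 1-3 scale, so scores run from 1 to 9."""
    return LEVELS[entry.likelihood] * LEVELS[entry.impact]


def risk_level(score: int) -> str:
    """Map a score to a level; the thresholds are an assumption for this example."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first; ties keep their original order (sorted is stable)."""
    return sorted(register, key=risk_score, reverse=True)


def report(register: list[RiskEntry]) -> list[tuple[str, str, str]]:
    """Rows of (risk level, vulnerability, corrective action) in priority order."""
    return [(risk_level(risk_score(e)), e.vulnerability, e.corrective_action)
            for e in prioritize(register)]


# Constructed register built from the article's own scenarios.
REGISTER = [
    RiskEntry("EHR login", "weak passwords allowed", "password cracked, system entered",
              "high", "high", "enforce password complexity and add two-factor authentication"),
    RiskEntry("front-desk PC", "screen visible from waiting area", "patient reads another patient's PHI",
              "high", "low", "reposition monitor, add privacy filter, auto-lock screen"),
    RiskEntry("Florida office", "no off-site backup of PHI", "hurricane", "high", "high",
              "encrypted off-site backups and a tested recovery plan"),
    RiskEntry("New York office", "no off-site backup of PHI", "hurricane", "low", "high",
              "encrypted off-site backups and a tested recovery plan"),
    RiskEntry("office Wi-Fi", "unsecured wireless network", "patient data stolen over Wi-Fi",
              "medium", "high", "enable WPA2 with strong authentication and segment guest access"),
]
```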
Write everything up in an organized document. There is no specific format required, but the HHS does require the analysis in writing.
Technically, once you've documented all the steps you'll take, you're done with the risk analysis.
It's important to remember, though, that the risk analysis process is never truly finished; it is ongoing.
One requirement is to conduct a risk analysis on a regular basis. And while the Security Rule doesn't set a required timeline, you'll want to conduct another risk analysis whenever your company implements or plans to adopt new technology or business operations.
The bottom line is that a risk analysis is foundational to your security. You simply can't be HIPAA compliant without one. If you have any tips you'd like to share, we're all ears.