HIPAA Security Risk Analysis for Hospitals - A 10-Slide Introduction
DESCRIPTION
Conducting a HIPAA Security Risk Analysis has long been a requirement for covered entities under the HIPAA Security Rule. Today, the expanded regulations and stricter enforcement mandated by the HITECH Act make it a necessity. In addition, the ongoing financial incentives available through CMS' Meaningful Use EHR Incentive Program should further encourage hospitals to make an annual HIPAA Security Risk Analysis an integral part of their information security and risk management programs.
TRANSCRIPT
04/10/2023 www.redspin.com
A 10-SLIDE INTRODUCTION
HIPAA Security Risk Analysis
Eligible Hospitals/Critical Access Hospitals
1-800-721-9177
Why Conduct a HIPAA Security Risk Analysis?
Increased Compliance Regulations and Stricter Enforcement
Greater Risk of Breach of Protected Health Information (PHI)
More Potential for Damages
Why Conduct a HIPAA Security Risk Analysis?
Increased Compliance Regulations and Stricter Enforcement
Mandatory requirement under HIPAA Security Rule
Core requirement of EHR Meaningful Use Incentive Program (both Stage 1 and Stage 2)
Ongoing Federal audit programs – OCR’s HIPAA Privacy and Security Audits and CMS’ Meaningful Use Audits
State Attorneys General empowered to enforce HIPAA
Why Conduct a HIPAA Security Risk Analysis?
Greater Risk of Breach of Protected Health Information (PHI)
Implementation of electronic health records has significantly increased the likelihood of a PHI data breach
619 large breaches affecting ~22 million patient records over the past 3½ years
Explosion in mobile device use (smartphones, tablets) and BYOD increases the risk of loss, theft, and unauthorized access
Business Associates handling more electronic PHI
Why Conduct a HIPAA Security Risk Analysis?
More Potential for Damages
HIPAA-covered entities are required to report to HHS, and make public, any PHI breach affecting 500 or more individuals
The costs of a PHI breach have increased dramatically (civil penalties, reparations, remediation, brand damage, legal fees, and punitive damages)
What is a HIPAA Security Risk Analysis?
The purpose of a risk analysis is to identify:
Threats to the organization
Vulnerabilities internal and external to the organization
Consequences, impact, and harm to the organization that may occur given the potential for threats exploiting vulnerabilities
Likelihood that harm will occur
What is a HIPAA Security Risk Analysis?
The scope of a risk analysis can include:
HIPAA gap analysis (policies, procedures, controls)
Network infrastructure security testing (vulnerability assessment)
EHR and application risk assessment
Mobile device security (organization-issued and BYOD)
Business associate compliance review
Employee security awareness
HIPAA Security Risk Analysis – References
HIPAA Security Rule §164.308(a)(1)(ii)(A) Risk analysis (Required)
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
HIPAA Security Risk Analysis – References
Meaningful Use Stage 1
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
HIPAA Security Risk Analysis – References
Meaningful Use Stage 2
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest, and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”