hipaa security risk analysis for hospitals - a 10-slide introduction

04/10/2023www.redspin.com

1

A 10-SLIDE INTRODUCTION

HIPAA Security Risk AnalysisEligible Hospitals/Critical Access Hospitals

1-800-721-9177


2

Why Conduct a HIPAA Security Risk Analysis?

Increased Compliance Regulations and Stricter Enforcement

Greater Risk of Breach of Protected Health Information (PHI)

More Potential for Damages

1-800-721-9177


3


Increased Compliance Regulations and Stricter Enforcement

Mandatory requirement under HIPAA Security Rule

Core requirement of EHR Meaningful Use Incentive Program (both Stage 1 and Stage 2)

Ongoing Federal audit programs – OCR’s HIPAA Privacy and Security Audits and CMS’ Meaningful Use Audits

State Attorneys General empowered to enforce HIPAA

1-800-721-9177


4

Greater Risk of Breach of Protected Health Information (PHI)

Implementation of electronic health records has increased the likelihood of PHI data breach significantly

619 large breaches affecting ~22 million patient records over past 3 ½ years

Explosion in mobile device use (smartphones, tablets) and BYOD increases risk of loss, theft, and unauthorized access

Business Associates handling more electronic PHI


1-800-721-9177


5

More Potential for Damages

HIPAA-covered entities required to report and make public any PHI breach involving > 500 records

The costs of a PHI breach have increased dramatically (civil penalties, reparations, remediation, brand damage, legal fees and punitive damages)


1-800-721-9177


6

What is a HIPAA Security Risk Analysis?

Purpose of a risk analysis is to identify: Threats to the organization Vulnerabilities internal and external to the organization Consequences, impact, and harm to organizations that may

occur given the potential for threats exploiting vulnerabilities Likelihood that harm will occur

1-800-721-9177


7

What is a HIPAA Security Risk Analysis?

Scope of a risk analysis can include: HIPAA gap analysis (policies, procedures, controls) Network infrastructure security testing (vulnerability

assessment) EHR and application risk assessment Mobile device security (organization-issued and BYOD) Business associate compliance review Employee security awareness

1-800-721-9177


8

HIPAA Security Risk Analysis – References

HIPAA Security Rule §164.308(a)(1)(ii)(A) Risk analysis (Required)

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality,

integrity, and availability of electronic protected health information held by the covered entity or business

associate.”

1-800-721-9177


9


Meaningful Use Stage 1“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”

1-800-721-9177


10


Meaningful Use Stage 2“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”

1-800-721-9177

hipaa security risk analysis for hospitals - a 10-slide introduction

Technology