What to expect from a HIPAA Security Risk Assessment (SRA)

Kevin Atkins, CAHIMS, Engagement Manager, HealthPOINT at Dakota State University

Posted 12-Apr-2020, 20 pages

TRANSCRIPT

Page 1: What to expect from a HIPAA Security Risk Assessment (SRA)

Kevin Atkins, CAHIMS

Engagement Manager

HealthPOINT at Dakota State University

Page 2: Objectives

Discuss HIPAA Requirements for a SRA

Define what constitutes a risk

Identify the elements of an SRA

Page 3: Origins of Security Risk Assessment

HIPAA Security Rule

Proposed in 1998; enacted in 2003

Mandatory in 2006

45 CFR (Code of Federal Regulations) Part 160

Subparts A & C of Part 164 (164.302 – 318)

Health Information Technology for Economic and Clinical Health (HITECH) Act

Office for Civil Rights (OCR) responsible for guidance and enforcement

Page 4: Purpose of Security Rule

Establishes national standards to protect ePHI

Includes Implementation Specifications

Requires Administrative, Physical, Technical safeguards

Ensure confidentiality, integrity, security of ePHI

All ePHI created, received, maintained or transmitted is subject to Security Rule

Requires entities to

Evaluate risks and vulnerabilities

Implement reasonable and appropriate security measures (beef this up little)

Page 5: HIPAA Requirements

Security Management Process Standard

164.308(a)(1)

Four required Implementation Specifications

164.308(a)(1)(ii)(A)

Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Page 6: HIPAA Definitions

Vulnerability

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Threat

The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Natural (floods, earthquakes, tornadoes)

Human (hacking, unauthorized access)

Environmental (power failure, chemicals, pollution)

Page 7: HIPAA Definitions

Risk

NIST SP 800-30: “The net mission impact considering (1) the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and (2) the resulting impact if this should occur”.

Risks arise from legal liability or mission loss due to:

• Unauthorized (malicious or accidental) disclosure, modification, or destruction of information

• Unintentional errors and omissions

• IT disruptions due to natural or man-made disasters

• Failure to exercise due care and diligence in the implementation and operation of the IT system.

Page 8: HIPAA Definitions

IN OTHER WORDS!!

In order to have a risk you must have

An asset (something of value) AND

A threat (typically something external) OR

A vulnerability (typically something internal)

If any are taken away, there is no risk!

SO

Risk is a function of:

(1) The likelihood of a given threat triggering or exploiting a particular vulnerability

(2) The resulting impact on the organization

Page 9: Risk-Level Matrix

Sample risk-level matrix

Discussion item: Low-level threat, but DEVASTATING impact. Chart shows low risk. Agree or disagree? Why?
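The matrix on this slide and the "risk is a function of likelihood and impact" definition from the previous slide, worked through as an added Python example (this is not the presenter's code or HealthPOINT's tool). It assumes the likelihood weights (0.1 / 0.5 / 1.0), impact weights (10 / 50 / 100) and risk bands (Low 1–10, Medium >10–50, High >50–100) of the sample matrix in the original NIST SP 800-30; the risk register entries are constructed, and the optional `impact_floor` rule is an assumption added here to make the discussion item concrete: with the plain matrix a Low-likelihood, High-impact finding scores 10 and lands in Low, exactly what the slide asks you to agree or disagree with.

```python
"""Qualitative risk-level matrix for an SRA risk register (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weights from the sample risk-level matrix in NIST SP 800-30 (assumed here).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight; rounded to avoid float noise."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Map a numeric score onto the three bands of the sample matrix."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_matrix() -> Dict[Tuple[str, str], str]:
    """The full 3x3 matrix: (likelihood, impact) -> risk level."""
    return {(lk, im): risk_level(risk_score(lk, im))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class RiskItem:
    """One line of a risk register: asset + threat + vulnerability (slide 8)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def rate(item: RiskItem, impact_floor: bool = False) -> str:
    """Rate one register entry.

    impact_floor is an added assumption, not part of the NIST matrix: it
    refuses to rate a High-impact finding as Low, the position someone who
    'disagrees' with the slide's chart would take.
    """
    level = risk_level(risk_score(item.likelihood, item.impact))
    if impact_floor and item.impact == "High" and level == "Low":
        return "Medium"
    return level


def prioritize(register: List[RiskItem]) -> List[RiskItem]:
    """Order the register highest score first, to guide remediation (slide 18)."""
    return sorted(register, key=lambda r: -risk_score(r.likelihood, r.impact))


# Constructed sample register using the threat categories from slide 6.
REGISTER = [
    RiskItem("Billing server", "hacking (human)", "missing OS patches", "Medium", "High"),
    RiskItem("Appointment laptop", "unauthorized access (human)", "no disk encryption", "High", "Medium"),
    RiskItem("Backup tapes", "flood (natural)", "stored on basement floor", "Low", "High"),
    RiskItem("Fax log", "power failure (environmental)", "no battery backup", "Medium", "Low"),
]

if __name__ == "__main__":
    for (lk, im), level in build_matrix().items():
        print(f"likelihood={lk:<6} impact={im:<6} -> {level}")
    for item in prioritize(REGISTER):
        print(f"{item.asset:<20} {rate(item):<6} (floor: {rate(item, impact_floor=True)})")
```

The "Backup tapes" entry is the discussion item from the slide: under the plain matrix it rates Low, under the impact-floor variant Medium. Whichever way the team decides, the point of the exercise is that the matrix is a convention the organization chooses and documents, and the override on the slide about HealthPOINT's hybrid approach is the same idea applied to the final report.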

Page 10: Qualitative vs Quantitative

Quantitative Assessment

Cons: Exhaustive, costly, time-consuming

Pros: Identify greatest risk based on financial impact

Qualitative Assessment

Cons: Subjective, value of loss not quantified

Pros: More common, quicker to complete, focus is on understanding the risk

List different tools available for each (Delphi Technique)

2 or 3 slides

Page 11: Qualitative & Quantitative tools

Qualitative

Delphi Technique: risk brainstorming – identify, analyze, evaluate risk on individual and anonymous basis.

Structured What-If Technique (SWIFT): team-based approach – uses “What If” considerations.

https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

HealthPOINT: hybrid approach (qualitative on the front end, quantitative on the back end; the quantitative algorithm can be overridden in the final report).

Quantitative

Financial sector, chemical process industry, explosives industry (Wikipedia)

https://en.wikipedia.org/wiki/Quantitative_risk_assessment_software

Page 12: Elements of a Security Risk Assessment: Scope

Includes potential risks and vulnerabilities to the

confidentiality, availability and integrity of ALL ePHI that an organization creates, receives, maintains, or transmits. [164.306(a)]

**REMEMBER** ePHI IS more than medical records

Billing information

Appointment information

Insurance claims information

Reports

What am I forgetting?

Page 13: Elements of a Security Risk Assessment: Data Collection

Create an ePHI Inventory

Must identify (and document) where the ePHI is stored, received, maintained or transmitted.

Page 14: Where to look for ePHI

Page 15: Elements of a Security Risk Assessment: Identify and Document Potential Threats and Vulnerabilities

Identify and document reasonably anticipated threats to ePHI:

Unique to circumstances of environment

If exploited create risk of inappropriate access or disclosure

Page 16: Elements of a Security Risk Assessment: Assess Current Security Measures

Assess and document security measures used to safeguard ePHI, whether already in place, and if configured and used properly.

Will vary among organizations

Small orgs – fewer variables to deal with

Large orgs – many variables

Workforce

IT systems

Locations

Page 17: Elements of a Security Risk Assessment: Document Business Associate Agreements

Business Associates were (are) the focus of OCR during Phase II audits

OCR requested specific information

27 data elements

Business Associate Name, type of service, 1st/2nd points of contacts – fname, lname, address, phone, fax, email, etc. etc.

OCR designed sample template – NOT downloadable

Email me for a copy ☺

Page 18: Elements of a Security Risk Assessment: Report

The final element of an SRA is the report.

Presents/summarizes results

Used to guide/prioritize remediation

Final Report Example

Page 19: Summary

A Risk Analysis

Designed to aid you in protecting the confidentiality, integrity, and availability of ePHI

May be required for Medicare and Medicaid incentive payment programs (MIPS, Meaningful Use, etc.)

Many methods available (consultant, checklist (ill advised), online tool, etc.)

ePHI IS more than just the medical record

Page 20: The End

Kevin Atkins, CAHIMS

Engagement Manager

HealthPOINT at Dakota State University

[email protected]

(605) 270-1642

THANK YOU