What is a HIPAA security risk assessment, and who needs one?

The healthcare sector is a favorite target for cybercriminals and state-sponsored hackers. Contrary to popular belief, things like stolen medical records are worth far more on the dark web than payment cards. A single, complete medical record can be sold for $1,000. That’s why it’s essential to take every reasonable step to protect patient health information (PHI), both for the sake of your organization and your patients or clients. Conducting a HIPAA security risk assessment is the first big step towards ensuring your assets are safe from the myriad of threats out there.

Who needs to be HIPAA compliant?

Every organization that stores, transmits, or processes PHI needs to be HIPAA-compliant. The legislation applies to two groups:

  • Covered Entities: healthcare providers, health plan providers, and clearinghouses.
  • Business Associates: a broader group that includes any party handling PHI on behalf of a covered entity, such as an accounting firm, IT service provider, or consultancy.

Steps to Creating Your HIPAA IT Security Policy

No. 1 | Determine what data you have access to.

The first step towards formulating a HIPAA IT security policy is to determine what data you have access to, which systems it's stored in, and which controls are in place to protect it while in storage or transit.

This can be a lot more complex than it sounds, especially in the age of cloud and mobile computing. Medical records and other personally identifiable information may be stored on a multitude of physical devices, both in-house and off-site. Before you can protect your assets, you need to maintain oversight by building a comprehensive and up-to-date inventory.

No. 2 | Assess your current security measures.

The next step to creating a HIPAA IT security policy involves assessing your existing security measures to ensure they meet the latest security standards.

HIPAA standards were enacted when the technology landscape looked very different from today. As a result, the legislation can be vague about which technical controls need to be in place. The best way to assess your current security measures is therefore to do so against a globally recognized standard like NIST SP 800-30. If your measures conform to the standard, then you should be compliant with the HIPAA security rule.

No. 3 | Identify your organization’s cyber vulnerabilities.

No two enterprise computing architectures look the same. There are few universal standards, even in individual sectors like healthcare. As such, you need to exhaustively evaluate your existing architecture not only for current security measures but also for vulnerabilities that may have gone unnoticed. For example, cyber vulnerabilities might include things like:

  • The use of outdated network protocols
  • Unpatched firmware and operating systems
  • Weak or stolen user credentials

These need to be addressed to reduce risk and ensure the success of your HIPAA IT security policy.

No. 4 | Manage document storage and requirements.

A HIPAA security risk assessment also covers document storage requirements: records must be kept in line with data retention rules, and the required redundancies must be in place. For example, medical records typically need to be stored for at least six years from their creation or most recent update. To ensure the maximum availability of your services, as well as the systems put in place to protect them, you need a robust backup and disaster recovery plan consisting of multiple redundancies and automated failover.

No. 5 | Meet breach notification requirements.

The HIPAA breach notification rule requires covered entities to notify their patients if their PHI has been subjected to a data breach. Breaches involving more than 500 individuals also require covered entities to notify the relevant authorities in their state or jurisdiction, as well as a local media outlet. All notifications must be made within 60 calendar days following the discovery of a data breach. As such, you need a clearly documented process for notifying every relevant party of an event, should the worst happen.

No. 6 | Integrate compliance with your IT strategy.

Security, privacy, and regulatory compliance have often been treated reactively, with systems and processes tacked on after, rather than during, the development and implementation stages of a new system. However, even if the HIPAA security rule doesn’t explicitly state the need for proactive security, it’s always better to take every reasonable step to reduce risk right out of the gate.

Compliance should be an integral and inseparable part of your broader IT strategy, and it should be factored into the rollout of every new hardware device, software program, and user account.

Charles IT carries out comprehensive HIPAA security risk assessments that help healthcare providers and their associates innovate quickly without increasing risk. Get in touch today to schedule your assessment.

Editor's Note: This post was originally published in March 2021 and has been updated for accuracy and comprehensiveness. 
