A HIPAA security risk assessment is an essential component of achieving and maintaining full compliance with the federal law. Every covered entity and business associate should conduct periodic risk assessments, including whenever they make significant changes to operational or technology infrastructure.
Cybercriminals target healthcare operators and their business partners all the time, because protected healthcare information is enormously valuable on the black market. Moreover, the threats evolve all the time, exploiting new and old technology alike. Cybersecurity is constantly changing, hence the need for carrying out regular audits and building in privacy and security by design and default – rather than simply tacking it on later.
HHS recommends following the NIST SP 800-30 standard
Since HIPAA legislation was introduced in 1996, it is unavoidably vague when it comes to the precise nature of what a risk assessment should entail. After all, the IT landscape has changed enormously since then, with mobile devices, internet-connected smart systems, and the cloud now being integral in many healthcare computing architectures.
The US Department of Health and Human Services (HHS), that oversees HIPAA compliance, recommends following the globally recognized SP 800-30 standard. Published and regularly updated by the National Institute of Standards and Technology (NIST), the standard details all the necessary steps you should take to ensure your assets are protected.
#1. Determining the scope of the assessment
One thing HIPAA is very clear on is the scope of risk assessments. The HIPAA Security Rule concerns the integrity, availability, and confidentiality of all protected health information, either in digital or physical form. Given the diversity of today’s computing architectures, the scope is far-reaching, since it incorporates physical storage devices like hard drives and mobile devices and cloud-hosted resources like virtual machines and online storage. It should also take into consideration any channels through which PHI is transmitted, such as online patient portals and telemedicine systems.
#2. Identifying potential network vulnerabilities
Identifying potential network vulnerabilities is an essential part of any HIPAA risk assessment. Organizations must make every reasonable effort to identify the threats and vulnerabilities in their systems and operations. For example, even though there are no explicitly stated HIPAA encryption requirements, unencrypted data is highly vulnerable, especially if it’s transmitted over unsecured networks like public wireless hotspots. Other common vulnerabilities include unencrypted data at rest, weak passwords, and outdated operating systems and firmware.
#3. Quantifying the potential impact of a breach
Covered entities and business associates must also determine the likelihood of a given threat occurring, as well as the impact of that threat. This will help them prioritize the implementation of security controls and policies based on the nature of specific vulnerabilities or the sensitivity of the information in question. The output of this process should be a thorough and up to date documentation of all threats and vulnerabilities and their potential impacts on your organization and its patients or clients. Assigned risk levels, along with a list of corrective actions, should also be provided alongside this documentation.
#4. Finalize your risk assessment documentation
Once the HIPAA security risk assessment is complete and comprehensively documented, you will need to act upon it. This includes taking any corrective actions required to address all the vulnerabilities found during the assessment. This finalized documentation must clearly outline which PHI you work with, which threats and vulnerabilities concern it, and how you will seek to remediate against them. This documentation validates your efforts, and you may be asked to submit it to the necessary regulatory authorities in the event of a random check or a data breach.
#5. Testing, reviewing, and updating your security
Finally, you will need to test, review, and update your risk assessment and HIPAA compliance policy regularly. Although the HIPAA security rule doesn’t state how frequently organizations need to carry out a risk analysis, one should ideally be carried out at least once per year or whenever you make any major changes to your operations or technical infrastructure. For example, moving to a new office, implementing new hardware or cloud-hosted services, or expanding your team, all count as major changes insofar as the security risks facing your organization are concerned.
Charles IT provides an integrated and comprehensive approach towards compliance that helps you innovate at scale without adding risk. Give us a call today to schedule your HIPAA security risk assessment.