Why you can’t afford to make a mistake when performing a HIPAA risk assessment


Healthcare is a favorite target of cybercriminals because of the high value of personally identifiable information on the black market. One of the main tenets of the HIPAA Security Rule is that covered entities and business associates must carry out periodic HIPAA risk assessments to determine where their vulnerabilities lie and which threats they face. Even though the HIPAA IT security requirements are fairly vague, partly because the law was introduced in 1996, a risk assessment should ideally follow the standards and guidelines laid out by NIST.

What is a HIPAA risk assessment?

The Department of Health and Human Services (HHS) defines a HIPAA risk assessment as an accurate and thorough analysis of potential risks and vulnerabilities concerning the confidentiality, integrity, and availability of protected health information (PHI), either in physical or digital form. It applies to covered entities, which include healthcare providers, health plan providers, and clearinghouses. On top of that, anyone who handles PHI on behalf of a covered entity must also conduct periodic risk assessments and be fully compliant in the capacity of a business associate.


Knowing where your vulnerabilities lie

You can’t protect against what you don’t know, which is why the first and most important part of conducting a HIPAA risk assessment is learning where your vulnerabilities lie. This isn’t only about technology; it also concerns people, processes, and policies. For example, if an employee isn’t adequately trained in information security and privacy, they may be vulnerable to social engineering scams. On top of that are the many technical vulnerabilities, such as an outdated operating system or insecure communications protocols.

Determining the level of security risk

Every system and process in your organization that handles PHI should have a risk score. Determining the level of security risk involves classifying data according to how sensitive it is, quantifying the consequences of that data being compromised, and identifying which threats face it. For example, if PHI is stored in a public cloud, it may face an increased risk of being breached, especially if the data isn’t encrypted and protected behind at least two layers of user verification.

Finalizing your HIPAA documentation

There’s little point in conducting a HIPAA risk assessment if you don’t document your efforts, especially from a legal perspective. HIPAA requires organizations to document all their compliance efforts so that they keep a complete record of their controls, policies, and assessments. If, despite your best efforts, your organization still falls victim to a breach, this record will validate your efforts to protect patient data, potentially absolving you of fines and litigation. You must always keep your documentation current, and it should include an inventory of all systems and user accounts, any threats and vulnerabilities concerning them, and your efforts to mitigate those issues.
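To make the two preceding sections concrete, here is an added example (not code from the original article or from Charles IT) of a minimal risk register: it classifies each PHI-handling asset by sensitivity, scores risk as likelihood multiplied by impact on a 1 to 5 qualitative scale in the style of NIST SP 800-30, adjusts likelihood for the controls the article names (encryption, a second verification layer, public-cloud exposure, patch currency), and produces the documented, prioritized record the article says must be kept current. The asset names, scores, threat lists and the exact weights and thresholds are assumptions constructed for illustration, not values taken from HIPAA or NIST.

```python
"""Minimal HIPAA-style risk register (added illustration, not from the article).

Scoring model (assumption, loosely after NIST SP 800-30 qualitative scales):
  impact      = data sensitivity, 1..5
  likelihood  = base likelihood adjusted by controls, clamped to 1..5
  risk score  = likelihood * impact, bucketed into Low / Moderate / High
"""
from dataclasses import dataclass, field, replace
from enum import IntEnum
from typing import Dict, List


class Sensitivity(IntEnum):
    """Data classification used as the impact value (constructed scale)."""
    PUBLIC = 1
    INTERNAL = 2
    PHI = 4        # protected health information, limited volume
    EPHI_BULK = 5  # large electronic PHI stores (databases, backups)


@dataclass
class Asset:
    name: str
    sensitivity: Sensitivity
    threats: List[str] = field(default_factory=list)
    base_likelihood: int = 3           # 1..5, before any controls are considered
    encrypted_at_rest: bool = False
    mfa_required: bool = False         # the article's "two layers of user verification"
    public_cloud: bool = False
    patched_within_30_days: bool = True


def likelihood(asset: Asset) -> int:
    """Adjust raw likelihood for the controls the article discusses (weights assumed)."""
    score = asset.base_likelihood
    if asset.public_cloud:
        score += 1   # broader exposure than an on-premises system
    if asset.encrypted_at_rest:
        score -= 1   # stolen data is far less usable
    if asset.mfa_required:
        score -= 1   # credential theft alone no longer grants access
    if not asset.patched_within_30_days:
        score += 1   # known, unpatched weaknesses raise the odds of compromise
    return max(1, min(5, score))


def impact(asset: Asset) -> int:
    return int(asset.sensitivity)


def risk_score(asset: Asset) -> int:
    return likelihood(asset) * impact(asset)


def risk_level(score: int) -> str:
    """Bucket thresholds are an assumption for a 5x5 matrix."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def residual_risk(asset: Asset, **controls) -> int:
    """Score the same asset after planned mitigations, for the documentation trail."""
    return risk_score(replace(asset, **controls))


def build_register(assets: List[Asset]) -> List[Dict]:
    """Produce the documented record: one row per asset, highest risk first."""
    rows = []
    for a in assets:
        score = risk_score(a)
        rows.append({
            "asset": a.name,
            "classification": a.sensitivity.name,
            "threats": list(a.threats),
            "likelihood": likelihood(a),
            "impact": impact(a),
            "score": score,
            "level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (hypothetical assets, not a real organization's).
EHR_DB = Asset("EHR database (on-prem)", Sensitivity.EPHI_BULK,
               ["ransomware", "insider misuse"], encrypted_at_rest=True, mfa_required=True)
PORTAL_BACKUPS = Asset("Patient portal backups", Sensitivity.EPHI_BULK,
                       ["misconfigured bucket", "credential theft"], public_cloud=True)
FRONT_DESK_PC = Asset("Front-desk workstation", Sensitivity.PHI,
                      ["phishing", "unpatched OS"], encrypted_at_rest=True,
                      patched_within_30_days=False)
WEBSITE = Asset("Public website", Sensitivity.PUBLIC, ["defacement"], base_likelihood=4)
SAMPLE_ASSETS = [EHR_DB, PORTAL_BACKUPS, FRONT_DESK_PC, WEBSITE]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS):
        print(f"{row['level']:8} {row['score']:2}  {row['asset']}  threats={row['threats']}")
    # Document the planned mitigation for the highest-risk item as well.
    print("Backups after encryption + MFA:",
          risk_level(residual_risk(PORTAL_BACKUPS, encrypted_at_rest=True, mfa_required=True)))
```

The register output is the artifact the article says auditors and regulators will look for: each asset's classification, the threats considered, the score, and (via `residual_risk`) the documented effect of the mitigations you plan. Treat the weights as a starting point to tune against your own threat history rather than as a standard.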


Keeping your security up to date

Just because HIPAA legislation dates from 1996 doesn’t mean you can get away with using outdated operating systems, protocols, and security controls. Because healthcare IT is constantly evolving, the HIPAA IT security requirements are unavoidably vague. HITECH legislation has helped clarify the controls needed to achieve compliance, particularly regarding electronic PHI. However, it’s best to follow a current standard, such as NIST SP 800-53, when evaluating, choosing, and applying your security controls. In addition to adopting the latest IT security standards, you should have a documented patch-management strategy that ensures all assets are kept up to date with the latest security fixes.

How to get started with HIPAA compliance

HIPAA compliance can be very complex, especially given the rapid pace of digital innovation across the healthcare sector. Many employees now work from home and on the move, using their phones to access sensitive information stored in the cloud, while medical facilities are adopting internet-connected smart devices to assist with patient care. Every one of these systems and devices needs to be properly secured, and given how many connected devices the average organization now has, this can be complicated. That’s why it can help enormously to engage an experienced third-party auditor to identify the risks and vulnerabilities and remediate them accordingly.

Charles IT provides comprehensive HIPAA assessments that determine how the requirements can be best applied in your business. Get in touch today to get ready for HIPAA compliance.