Prioritization: the best HIPAA security strategy.

Tod Ferran, SecurityMetrics
By: Tod Ferran
This article was originally written for, and distributed to the members of AAPC.

Taking a prioritized approach to HIPAA compliance is the best strategy to accurately assess your organization’s security posture, not to mention comply with HIPAA. So many healthcare organizations are unsure where to begin on their HIPAA efforts, and either give up or focus on the not-as-important to do’s.

I want to address the methodology behind a successful HIPAA Risk Analysis and Risk Management Plan to make sure you feel prepared to tackle HIPAA at your organization.
Protected Health Information prioritization

Start Your Risk Analysis

A risk analysis is the first step in an organization’s Security Rule compliance efforts. It’s the "physical” that ensures all security aspects are running smoothly, and any weaknesses are addressed. Specifically, it’s a way to assess the potential vulnerabilities, threats, and risks to protected health information (PHI) at your organization.

A risk analysis is foundational to your security! You can’t be HIPAA compliant without one!

Let’s dive into the methodology of how to conduct a risk analysis the HHS would be proud of.
Looking for a risk analysis template?

Step 1: Define scope by defining protected health information flow in your environment 

To identify your scope (the areas of your organization you must secure), you have to understand how patient data flows within your organization. If you know all the places PHI is housed, transmitted, and stored, you’ll be able to better safeguard those potential vulnerable places.

There are four main locations to consider when defining your scope.

Where PHI enters your environment
In the PHI lifecycle, identify all inputs. By doing this, you can make sure to identify exactly where security should begin at your organization.

When considering the origination of PHI, think of both new and existing patient records. PHI can begin with patients filling out their own information on copy paper, to business associates faxing you asking for more information about a current or former patient.

SEE ALSO: 7 HIPAA Myths and Misunderstandings, Debunked

What happens to protected health information in your environment, including where it is stored
It’s not just enough to know where PHI begins. You must know exactly what happens to it once it enters your environment. Does it go directly to accounting? Is it automatically stored in your EHR? If it is emailed, is it encrypted?

To adequately understand what happens to PHI in your environment, record all hardware, software, devices, systems, and data storage locations that touch PHI in any way.

Where protected health information leaves your environment
A lot of workforce members forget they must protect PHI throughout its entire lifecycle. That includes when it leaves your hands. If PHI leaves your organization, it is your job to ensure it is transmitted or destroyed in the most secure way possible.

Where does protected health information leak?
Now that you are the expert on what happens during the PHI lifecycle, it’s time to find the gaps. These gaps in security and environment weaknesses are the whole reason we define scope. Weaknesses provide the ability for unsecured PHI to leak in or outside your environment.

The best way to find all possible leaks is by creating a PHI flow diagram. Essentially, a PHI flow diagram documents all the information you found above, and lays it out in a graphical format. A PHI flow diagram isn’t a requirement, but it is a lot easier to understand PHI trails when looking at a diagram.

Step 2: Identify vulnerabilities, threats, and risks to your patient data

Now that you know where PHI is stored, how PHI flows in your organization, and can better understand your scope, you have to find the problems within that scope. You must identify:
  • What vulnerabilities exist in the system, applications, processes or people.
  • What threats, internal, external, environmental and physical, exist for each of those vulnerabilities.
  • What is the probability of each threat triggering a specific vulnerability? This is risk.
What are your vulnerabilities?
A vulnerability is a flaw in components, procedures, design, implementation, or internal controls. Vulnerabilities can be fixed.

Examples of vulnerabilities I’ve seen while conducting a HIPAA risk analysis:
  • Unpatched operating system software
  • Website coded incorrectly
  • Lack of office security policies, or failure to follow established policy
  • Misconfigured or no firewall
  • Computer screens in view of public patient waiting areas
What are your threats?
A threat is the potential for a person or thing to trigger a vulnerability. Generally, it’s difficult for threats to be controlled. Even though most remain out of your control to change, they must be identified in order to assess the risk. Physical location, organization size, and systems all have the potential to be a threat.

Examples of threats I’ve seen while conducting a HIPAA risk analysis:
  • Geological threats, such as landslides, earthquakes, and floods
  • Hackers downloading malware onto a system
  • Inadvertent data entry or deletion of data
  • Power failures
  • Chemical leakage
  • Well-meaning and malicious workforce members
  • Business associates
What are your risks? 
Risks are the probability that a particular threat will exercise a particular vulnerability, and the resulting impact on your organization.

Let me explain vulnerabilities, threats, and risks with an example.

In a system that allows weak passwords, the vulnerability is the fact that the password is vulnerable to attack. The threat is that a hacker could crack the password and break into the system. The risk is the probability of a hacker exploiting this weakness.

Examples of risks I’ve seen while conducting a HIPAA risk analysis:
  • Remote access to a PHI system with a weak password. There is an extremely high probability (high risk) that an external hacker will brute force the password and gain access to the system.
  • Windows XP machine with access to the Internet. There is an extremely high probability (high risk) that an external hacker will exploit security flaws (there is no longer support for WinXP) using malicious software and gain access PHI.
Should you get an onsite HIPAA audit? Read the pros and cons.

Analyze HIPAA risk level and potential impact
Now you’ve identified any possible security problems in your organization.
It’s time to decide what risks could and will impact patient security at your organization.
To analyze your risk level, you must first consider the following:
    HIPAA priority
  • Likelihood of occurrence: Just because you are threatened by something, doesn’t necessarily mean it will have an impact on you. For example, an organization in Texas or Vermont could be struck by a tornado. However, the likelihood of a tornado striking Texas is much higher than Vermont. So, the Texas-based organization’s tornado risk level will be higher than Vermont. Here’s another example. Two organizations, one a large hospital group in New York City, and the other a single provider office in Utah, have remote access through the Internet without two-factor authentication and set up with a weak password. The risk is the same for both – Extremely high!
  • Potential impact: What is the effect the particular risk you are analyzing would have on your organization? For example, while a computer screen might accidentally show PHI to a patient in the waiting room, it probably won’t have as big of an impact as a hacker attacking your unsecured Wi-Fi and stealing all your patient data.
Every vulnerability and associated threat should be given a risk level. I typically assign mine high, medium and low. By documenting this information, you’ll have a prioritized list of all security problems at your organization.

For more examples on how to start a HIPAA risk analysis, read this blog post.

Subscribe for more healthcare security articles

Create Your Risk Management Plan

The Risk Management Plan is the compliance step that works through issues discovered in the risk analysis and provides a documented instance proving your active acknowledgement (and correction) of PHI risks and HIPAA requirements.

What should be included in a Risk Management Plan?
Although the risk analysis outcome should directly feed into a Risk Management Plan, plans should also include all HIPAA Security, Privacy, and Breach Notification requirements. For example: identification and documentation of job roles is a HIPAA requirement, but doesn't necessarily come from a risk analysis. As a general rule, including all risks and HIPAA requirements, your plan will likely have 100-200 to do’s.

Although specific items included in a Risk Management Plan vary, here are a few industry best practices to include.  
  • Each HIPAA rule and its corresponding resolution.
  • Risk level assigned in your Risk Analysis.
  • Date completed (for both HHS documentation and your own records.) 
  • Completed by section (great for practices where two or more people are completing a Risk Management Plan together.)
  • Notes section, just in case you want to jot a reminder for later.
I also like defining my HIPAA goals in my Risk Management Plan, such as:
  • When do you want to complete your Risk Analysis?
  • When do you want to complete your Risk Management Plan?
  • When do you plan to train employees?

Identify top security measures based on top HIPAA risks
The most important part of the Risk Management Plan is planning what you’re going to do about the risks you identified in your Risk Analysis. Starting with the top-ranked risks first, identify the security measure that fixes that problem. For example, if your risk is employees throwing PHI in the trash, your security measure could be quarterly employee security training and replacing trashcans with shredders.

You might also be interested in: A Buyer’s Guide to HIPAA Compliance

Implement, Rinse, Repeat

After you make your plan for risk management, it’s time to implement. A prioritized HIPAA compliance plan is truly a rinse and repeat process. One of the most important parts of HIPAA is documentation. If you don’t document, you can’t prove to the HHS that you’ve performed a complete and thorough risk analysis. They will want to see documentation, your risk management plan, and monthly progress on addressing the items identified in that risk management plan.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

From EHR Compliance To Total HIPAA Compliance