- When preparing your team, cast a wide net. To get the most comprehensive assessment possible, you’ll want to ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas – from IT and operations to human resources, compliance and legal to other key supervisors or managers. Once you’ve identified these stakeholders, establish protocols for tasks, timelines and communication among the team, just to make sure everything runs smoothly.
- Fully scope the risk assessment. Do you know what your compliance obligations are? The HIPAA Security Rule requires “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity.” However, if you are working on attesting to Stage 1 meaningful use, your focus will likely be narrowed to that which specifically applies to your certified electronic health record (EHR) technology. For Stage 2, you will need to ensure that you have addressed encryption and/or security of data at rest. Regardless of your compliance requirements, make sure the scope of the assessment is clearly defined, and that your team understands and recognizes their focus.
- Take stock of your data. One of the key components of any assessment is determining how PHI and EPHI are received, stored, transmitted, accessed or disclosed. Once you have fully scoped your assessment, you can begin gathering the relevant data – a good place to start might be reviewing past or existing projects, performing interviews, reviewing documentation, or using your organization’s standard data-gathering techniques, if applicable. Be sure to include data that might be stored with a business associate or third party, or on removable media and portable computing devices. As part of the process, you’ll want to document the methods you used to gather EPHI or PHI.
- Address anticipated or known vulnerabilities. It’s likely that you have already identified potential vulnerabilities and assessed the likelihood that they would be exploited by a potential threat source. If they fall into the scope of your assessment, you’ll want to document this beforehand. The HIPAA Security Rule requires you to take into account the probability of potential risks to EPHI, which – taken into consideration along with the results of your assessment – will assist you in identifying the “reasonably anticipated” threats that you will be required to address.
- Document, document, document. Even though it has been mentioned already, the importance of proper documentation cannot be stressed enough. HHS will require analysis in writing, and the material you’ve gathered throughout your risk assessment will meet that requirement, along with your documentation of the corrective actions taken to remediate any problems uncovered by the assessment.
- Be prepared for follow-up after the risk assessment is completed. This is critical, particularly for those attesting to Meaningful Use; a risk assessment isn’t enough. An organization must be willing to “implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Failure to address identified security gaps and vulnerabilities puts the organization at risk and subject to corrective action.
- Regularly check on your progress. As a final note, HHS recommends performing risk assessments periodically, particularly after a change in technology or business operations that could adversely affect the security of your PHI or EPHI. Make sure your team is prepared for this ongoing responsibility. Conducting regular risk assessments can stave off vulnerabilities and incidents that could ultimately lead to a data breach, making it a best practice for any organization looking to manage risk.
Danny Creedon, CISA, CISM, is a Managing Director with Kroll Advisory Solutions’ Cyber Investigations Practice, based in Philadelphia; the firm’s Cyber Security and Information Assurance practice is in Nashville. He has more than 20 years of experience in information systems, with a focus on application programming, systems programming, project management and information systems auditing.