As HHS enters phase two of its auditing program, many companies that are Business Associates of healthcare providers are now squarely in the crosshairs. This can be particularly daunting for startups, which may lack an understanding of what is required to pass an audit.
In the past I’ve written about a minimum set of things a startup should focus on as they attempt to become compliant with HIPAA/HITECH. Today we’ll look at some specifics around risk assessment, and a lightweight approach that can be used to improve your company’s posture immediately.
The required implementation specification at § 164.308(a)(1)(ii)(A), Risk Analysis, requires a covered entity (and, by association, its Business Associates) to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
Note that the choice of risk assessment methodology is not prescribed. The covered entity is free to choose any effective approach to define and control risk.
I prefer to work within ISO/IEC 27001, “Information technology — Security techniques — Information security management systems — Requirements”.
The first step in the eHealth Technologies risk assessment process is to identify assets, including people, processes and technology, that may affect the confidentiality, integrity and availability of information in the organization.
- People assets can be quickly enumerated using an org chart and a definition of the roles in the company.
- Process assets may come from your procedures and work instructions, and should include both written procedures and informal practices within the company.
- Technology assets may include things such as servers, fax machines, photocopiers, printers, networks, and so on.
An owner should be defined for each asset. The owner can be a person or organizational unit who is responsible for the asset.
The next step is to identify all threats and vulnerabilities associated with each asset. This is best done in a brainstorming session with a group of managers and employees including your operations, IT, quality and compliance teams.
We then move to assessing the consequence and likelihood of each risk.
- Likelihood is defined as the probability of a risk occurring.
- Consequence is defined as the potential outcome if a risk materializes.
Each organization should provide its own definitions for likelihood and consequence, where 0 is the lowest risk/outcome and 3 is the highest risk/outcome. Here are some definitions from the standard that you can start from.

| Consequence | Score | Definition |
|---|---|---|
| Low | 0 | Loss of confidentiality, availability or integrity does not affect the organization’s cash flow, legal or contractual obligations, or its reputation. |
| Moderate | 1 | Loss of confidentiality, availability or integrity incurs costs and has a low or moderate impact on legal or contractual obligations, or the organization’s reputation. |
| High | 2 | Loss of confidentiality, availability or integrity has considerable and/or immediate impact on the organization’s cash flow, operations, legal or contractual obligations, or its reputation. |

| Likelihood | Score | Definition |
|---|---|---|
| Low | 0 | Existing security controls are strong and have so far provided an adequate level of protection. No new incidents are expected in the future. |
| Moderate | 1 | Existing security controls are moderate and have mostly provided an adequate level of protection. New incidents are possible, but not highly likely. |
| High | 2 | Existing security controls are low or ineffective. Such incidents have a high likelihood of occurring in the future. |
The overall risk is calculated by adding the likelihood and consequence scores. Values of 0, 1, and 2 are acceptable risks; values of 3 and 4 are unacceptable risks that must be treated with one or more of the following treatment options:
1. Selection of one or more security controls from Annex A of ISO/IEC 27001, or other security controls (including those required by HIPAA and HITECH)
2. Transferring the risks to a third party
3. Avoiding the risk by discontinuing a business activity that causes such risk
4. Accepting the risk – this option is allowed only if the selection of other risk treatment options would cost more than the potential impact should such risk materialize
The risk treatments are entered into a risk treatment report for tracking purposes. Both the risk assessment report and the risk treatment report must be periodically reviewed and updated by the risk owners until closure.
So, let’s take a simple example of a risk that’s particularly relevant given prior HIPAA breaches.
Asset: a database containing PHI for 80 million patients.
Owner: Chief Privacy Officer and Chief Technology Officer.
Risk Owner: Security Officer.
Overall Risk: 4
Risk Treatment: Row level security including scrambling PHI. Encryption at rest. Enhanced security for the server including no local logins, auditing, etc.
This risk will be tracked and reviewed in biweekly reviews until all actions are closed.
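As an added example (not the author's tooling or an eHealth Technologies artifact), here is a small Python risk register that encodes the scoring rules above: 0-2 likelihood and consequence scales, the additive overall score, the 3-4 unacceptable band, the cost-justification condition on accepting a risk, and the list of open items to carry into each review until closure. Field names and review messages are my own; entering the PHI database above with both scores at their maximum reproduces its overall risk of 4.

```python
# Added example (not the author's tooling): a minimal risk register that
# encodes the scoring rules from the post. Field names are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

TREATMENTS = ("control", "transfer", "avoid", "accept")  # the four options
ACCEPTABLE_MAX = 2   # overall 0-2 acceptable; 3-4 must be treated

@dataclass
class Risk:
    asset: str
    owner: str
    risk_owner: str
    threat: str
    likelihood: int   # 0 low, 1 moderate, 2 high (likelihood table)
    consequence: int  # 0 low, 1 moderate, 2 high (consequence table)
    treatments: List[str] = field(default_factory=list)
    treatment_cost: Optional[float] = None   # both needed to justify "accept"
    potential_impact: Optional[float] = None
    closed: bool = False

    def __post_init__(self) -> None:
        for name in ("likelihood", "consequence"):
            if getattr(self, name) not in (0, 1, 2):
                raise ValueError(f"{name} must be 0, 1 or 2")

    @property
    def overall(self) -> int:
        return self.likelihood + self.consequence  # additive scoring

    @property
    def acceptable(self) -> bool:
        return self.overall <= ACCEPTABLE_MAX

    def findings(self) -> List[str]:
        """What a periodic review should flag on this entry."""
        out = []
        if not self.acceptable and not self.treatments:
            out.append(f"{self.asset}: overall risk {self.overall} has no treatment")
        if "accept" in self.treatments:
            if self.treatment_cost is None or self.potential_impact is None:
                out.append(f"{self.asset}: acceptance needs cost and impact figures")
            elif self.treatment_cost <= self.potential_impact:
                out.append(f"{self.asset}: acceptance not justified by cost")
        return out

def open_items(register: List[Risk]) -> List[Risk]:
    """Entries to carry into the next review: unacceptable and not yet closed."""
    return [r for r in register if not r.acceptable and not r.closed]
```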