The HIPAA Security Rule places so much emphasis on the importance of risk analysis that it is positioned as the first requirement of HIPAA compliance. Yet, as we conduct HIPAA compliance gap assessments for organizations, it is rare to find that a formal IT Risk Assessment has been completed, and rarer still to find that the IT Risk Assessment addresses the full requirements.
What is an IT Risk Assessment?
At its core, an IT Risk Assessment helps a business identify where and how medically sensitive data is gathered, stored, and used. This information is then used to identify any gaps in security that might enable penetration into IT systems, resulting in a data breach. Once those gaps are identified, a strategy can be created and implemented to protect sensitive data per HIPAA requirements, as fully as possible.
Business Types That Need to Conduct an IT Risk Assessment
HIPAA requires both covered entities and their business associates (e.g., service providers) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.
If you create, receive, maintain, or transmit on behalf of a healthcare provider or payer, you are most likely a business associate, by HIPAA definition.
The Purpose of an IT Risk Assessment
The purpose of an IT Risk Assessment is to safeguard ePHI. Keeping this personally identifiable information safe from data breaches better protects patients against financial fraud, medical and general identity theft, and further data breaches from personally convincing phishing messages.
Additionally, having this information empowers a business to fully comprehend its compliance posture, which can positively impact the outcome of an audit, and its own organizational baseline for risk tolerance. If potential vulnerabilities are identified prior to an incursion, additional data security investment needs can be properly investigated and invested in. Avoiding being in the news for a data breach, especially one that could have easily been fixed, is always good for business. And once key security performance metrics are identified, IT security becomes more sustainable.
The importance of an IT Risk Assessment is also heavily financial. Between 2018 and 2022, there was a 107% increase in healthcare data breaches and the Office of Civil Rights (OCR) collected $802,500 in settlements and $100,000 in civil monetary penalties. With cyberattacks increasing in the healthcare industry, OCR and other HIPAA policing agencies are taking a strict stance on adherence to the HIPAA Security Rule.
OCR’s comments on the importance of IT Risk Assessment in HIPAA compliance are a common theme. Whether in breach-and-fine press releases or speaking at conferences, OCR frequently calls out the lack of a thorough risk analysis on its short list of indicators that an organization has not established a culture of compliance. In other words, if OCR does not see a thorough IT Risk Analysis in your company’s proof of adherence to HIPAA Rules, it assumes you do not take HIPAA compliance seriously. If a data breach occurs, this can mean the difference between getting a simple corrective action versus a hefty monetary fine.
What Should an IT Risk Assessment Include?
An IT Risk Assessment involves three aspects: mapping data to applications, assessing risk, and remediating vulnerabilities. The following can be used as an informal, high-level IT Risk Assessment checklist.
-
- Take inventory of your ePHI. Find out where it is created, stored, maintained, and transmitted, in addition to how it is used.
- Document this information as comprehensively as possible. The ePHI systems environment or inventory must include formal documentation that identifies the applications, data storage systems, system components, and service providers that support or protect the ePHI. This includes:
- All applications within the business that query or use the ePHI.
- The geographical location where the data resides, including third-party cloud and servers, and any redundancy to protect these in case of natural disaster.
- The flow of data between applications and databases. Consider what handshakes are required along this pipeline.
- Any security controls already in place, such as employee access levels to see patient demographic data versus medical data.
- Define the following with respect to the ePHI:
-
- Data classification: What is the potential impact to the organization if this data is compromised? This aids in determining risk level.
- Data type: Developing a taxonomy of classification allows tagging each piece of data. A variety of tools can then use this metadata to enhance controls.
- Data owners: Who is responsible for collecting, storing, transmitting, and protecting this data? This helps in creating a robust security plan.
- Assess the areas at each point within this environment where there are vulnerabilities. This should be as extensive and detailed as possible, using a risk matrix for consistency and clarity. While there is some tolerance for risk in every system, not all risk is considered to be of the same importance.
Consider:- Software certifications and timely security updates
- Employees who have access to more data than needed for job function
- Outdated user permissions from shifts in roles
- Collaboration tools, such as Slack or Teams
- HR software delays in denying access after employee termination
- Retention policy periods and how they are enforced
- Methods and tools used to destroy expired ePHI
- Identify which risks to ePHI are unacceptable, and include this in the documentation.
- Develop a remediation plan to address these risks. There are four common risk remediation strategies: avoidance, mitigation, transfer, and acceptance.
- An example of risk avoidance might be limiting the storage of customer data to those absolutely necessary.
- Risk mitigation may involve implementing controls to prevent or detect vulnerabilities.
- Common risk transfer strategies include outsourcing certain technology stacks to third-party vendors and purchasing a cyber security insurance policy.
- Finally, if the risks posed by certain threats will not pose material impacts on assets, risk acceptance may be reasonable.
IT Risk Assessment Tools & Frameworks
In terms of IT Risk Assessment tools, automated solutions that can streamline the process of scanning data repositories and analyzing storage, handling, and security of ePHI are critical in saving time and avoiding human error. These might include the code scanning feature in GitHub or vulnerability scanning tools such as Tenable or Invicti, among others.
A HIPAA compliance gap assessment conducted by a third party, in addition to internally run IT penetration testing or hired “white hat” hack events, can be invaluable in identifying areas of vulnerability.
In 2014, OCR released a Security Risk Assessment (SRA) tool to help reduce the complexity of the IT Risk Assessment process. The SRA can help identify vulnerabilities, but should not be considered a comprehensive tool or a guarantee of HIPAA compliance. In determining what methodologies to use, it may also be helpful to reference the National Institute of Standards and Technology’s (NIST) SP 800-30 Guide for Conducting Risk Assessments.
IT Risk Assessment Methodologies
As far as remediation goes, IT Risk Assessment methodologies focus on data-centric security. These include implementing the principle of least privilege, which grants only the most basic level of access to ePHI that an employee needs in order to perform their job.
Multifactor authentication controls around sensitive data, regular patching, automated passive monitoring, and annual security risk awareness training can add a layer of protection. In short, these methodologies go beyond the traditional network security approach and focus on protecting data in transit, as well as within stable internal systems.
One of the most important areas in which to focus remediation is in the implementation of policies. The OCR notes that one of the most frequent reasons for HIPAA Security Rule audit failure is a lack of adequate policies and procedures. Once developed, these must be documented and implemented in a sustainable manner. For instance, implementing mandatory security policy training or an annual audit of procedures to ensure accuracy and relevance are maintained.
Helpful information on where to start with these concepts can be found in the HHA Security Rule Educational Paper Series.
Let Us Conduct Your IT Audit Risk Assessment
Set your business up for greater success, with a HIPAA compliance audit by Linford & Company. Our team of auditors will assess your systems with minimal disruption to your business and input that assists to improve processes and internal controls that further solidify HIPAA compliance. Please feel free to contact us today to learn more.
This article was originally published on 10/11/2012 and was updated on 5/20/2024.
Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young where she was responsible for both audit and advisory engagements across financial services, energy, technology, and healthcare sectors. Since 2015, she has been focusing on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a certified information systems auditor (CISA), HITRUST assessor (CCSFP), information systems security professional (CISSP), and AWS cloud practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.