Author: Swati Sharma
“Among the areas likely to be a focus of OCR examinations in 2014 is whether organizations have conducted a timely and thorough HIPAA security Risk Assessment, because that was a common weak spot found across the board in the pilot audit program as well as in previous breach investigations”
-Susan McAndrew, OCR deputy director for health information privacy
Breach investigations on Hospice of North Idaho (HONI) and AHMC Healthcare have made the fact crystal clear that how much critical it is to understand the risk associated with the electronic protected health information (ePHI). The spokesperson of HHS has made the statement on the HONI case that,”HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ePHI as part of its security management process from 2005 through Jan. 17, 2012″.It requires no explanation that repercussions of these breaches are not only financial fines but reputation damage also.
What is Health information Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) was developed in 1996 and included in the Social Security Act. The requirement for privacy regulation was realized when huge volume of health information was being recorded and exchanged electronically. Before HIPAA, there were very few laws in place to help retain a patient’s privacy when their medical records were recorded electronically rather than in the once-standard paper chart. HIPAA also known as Kennedy–Kassebaum Act, it has five titles. Title I covers protection of health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) covers the security and privacy of health data. Title III covers Tax-related health provisions governing medical savings accounts. Title IV includes Application and enforcement of group health insurance requirements. Title V covers revenue offset governing tax deductions for employers. As an information security professional point of view Title II is focus area and same we are going to discuss in details in this article.
Following steps can help organizations to achieve HIPAA compliance:
- Understand the process and defining the scope
- Assessment of the scope
- Gap Analysis
- Risk Assessment
- Develop an Action Plan
- Implementation of Action Plan
- Monitor the compliance
Why Risk Analysis in HIPAA?
Risk assessment is mandatory Administrative and Technical safeguard as per HIPAA. It says “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.” And “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). ”
The security standard 164.306 talks about protection of CIA (confidentiality, Integrity and Availability) of the electronic protected health information that is created, maintained, received or transmitted by covered entity against known threats and reasonably anticipated unauthorized disclosures. The standard gives flexibility to choose the controls to secure the ePHI in a reasonable and appropriate manner. The control selection can be done on the following as per standard:
- Size, complexity and capability of the covered entity
- Technical Infrastructure, hardware software security capability
- Cost of the security measures
- Criticality and Probability of the Risk for ePHI
The intend is very obvious, the controls listed in HIPAA are bare minimum and risk associate with used technology or environment specific has to be assessed and addressed separately. Actually risk assessment helps organizations to optimize their security budgets and gives a strong logical business case to get support from all stake holders to implement the HIPAA controls and helps them to take the decision on critical issues like where and how money and efforts are required to be protected. A proper risk assessment result can be used to give the prioritized approach for control implementation and provides a roadmap and mile stones like which issue needs to be addressed first. The result of control implementation post proper risk assessment is more efficient and effective as it addresses the actual security concerns beyond compliance. In such a dynamic world where Technologies change so fast and threat vectors grow every day, is it not required to address upcoming threats and vulnerabilities specifically? Or should we not analyze the risk frequently to evaluate the effectiveness of the controls?
There are some misconceptions related to Risk Assessment in HIPAA:
- Risk assessment in HIPAA is one time activity
- Running vulnerability tools will be sufficient
- No expertise required to conduct risk assessment anyone in the organization can do that
- It is just a compliance requirement and has no value to business
- It is not required to have formal methodology
- Risk are already know why to do risk analysis
- There is nothing unique about risk assessment, similar organization risk assessment can be fine for my organization too
Risk Analysis and Management for HIPAA
Risk analysis for HIPAA must be formal exercises that mean it has to be comparable and structured approach. It is important to understand the business process and environment to avoid a mechanical approach. Next step is to identify the Risk Assessment methodology, there are best industry methods that can be adopted e.g. OCTAVE, ISO 27005, NIST Sp800-30, and FAIR.
Following steps provide structure approach for risk assessment:
It is important to understand that what all process, information, people, Technology including locations has to be covered in HIPAA for Risk assessment exercise.
It is critical to identify all primary assets like process handling the ePHI and records, files, datasheets containing ePHI , and secondary assets like applications and databases and other technologies and related infrastructure that are hosting the ePHI. Post identification of Assets, it must be assigned with value based on CIA (Criticality, Integrity and Availability)
The critical point in threat identification is to cover all types and kinds of threats, like deliberate, accidental internal, external, natural anything that can exploit the security flaw. A competitor of your vendor may be an example of outside deliberate threat, which has an interest to delete or expose your ePHI, just to prove that your existing vendor is not good enough.
Existing weakness and flaws including both process level and system level must be identified. It is important to identify the newly discovered security flaws. All the vulnerabilities must be classified on the basis of it ease of exploitation. An application that has SQL injection flaw, or storage of ePHI in encrypted laptop, or having bulk of critical data post retention period and without business need in insecure way can be example of easy exploitable.
Once organization has identified Assets and corresponding threats and vulnerabilities, risk can be calculated as a function of Asset Value, Level of Vulnerability and Likelihood of Threat. Risk can be calculated, qualified and quantified as per requirement. It has to be ensuring that effectiveness of the existing controls has been calculated while assessing the current risk. The important point is to remember that there are certain risks that cannot be quantified like reputational risk. All risk must be classified as per the score or risk criteria.
All Identified Risk must be mitigate do bring it to acceptable level. Risk identified must be treated, tolerated, transferred or terminated or it can be combination of any of these. In case of risk transfer you must do third-party risk assessment.
The Formal risk assessment must document the process, scope, assets, threats, vulnerability, existing controls, risk profile, risk acceptable criteria, risk mitigation method and action plan with status. Besides above mentioned information, the documentation should cover date of assessment, assessor and approver name.
Unfortunately organizations realize the fact when attack has been materialized that they have not assessed the risk properly. Risk assessment gives a way to implement Information Security in an effective and efficient way. We must remember that HIPAA Risk assessment is not a compliance status, but actual review of security posture of the organization.”
Author: Swati Sharma, PCI QSA, CISSP, CISM (Q) ISO 27001 LA, MS (Information Security and Cyber Laws –IIIT Allahabad).
The author is HIPAA & Privacy Practice In-Charge at SISA Information Security. She has experience in Information Security and Privacy, HIPAA, PCI DSS and ISMS in different verticals like leading IT companies, Payment processors, e-commerce and BPOs, etc. can be reached at firstname.lastname@example.org