Responding to an OCR breach investigation with an OCR-quality risk analysis

Health organizations continue to struggle meeting OCR’s expectations for risk analysis as required by the HIPAA Security Rule. OCR findings of an insufficient risk analysis can delay resolution of a breach investigation and can lead to monetary settlements or civil money penalties.

Lack of sufficient risk analysis is a common violation identified during OCR investigations. In fact, during the past 10 years, 88% of the 42 organizations that have incurred monetary settlements or civil money penalties related to disclosure of ePHI were found to have failed to conduct a sufficient risk analysis.2 As a result, many health organizations are turning to third-party information risk management (IRM) specialists for help in responding to the risk analysis requirement.

An OCR breach investigation/risk analysis case study

Clearwater Compliance recently assisted a healthcare organization in meeting OCR’s requirement for a risk analysis after a breach investigation was initiated. Because Clearwater Compliance’s work is conducted under attorney/client privilege in breach investigation cases, the name of the organization must remain confidential. For this case study, we will refer to our client as Unnamed Healthcare Organization (UHCO).

Two years ago, UHCO’s IT staff discovered they were unable to communicate with one of their servers. They quickly determined an account on the server was compromised by a hacker. Further analysis determined that ePHI was exposed as a result of the hack. UHCO’s Privacy Officer, “Jane Doe,” reported the breach on the OCR website and UHCO retained an outside contractor to investigate.

Two months later, UHCO’s Privacy Officer received formal notice from OCR of an investigation of the breach. The notice cited eight potential HIPAA violations and asked UHCO to provide:

• A description of any investigation and actions taken following the breach
• Relevant policies and procedures
• A copy of the breach notification sent to affected individuals
• Every risk analysis conducted over the last three years
• Documentation of security measures in place and any post-breach changes

OCR also provided notice of the potential penalties for violations and asked that UHCO respond within 14 days.

UHCO’s Privacy Officer responded by providing an account of actions taken post breach, copies of policies and procedures, a copy of the notice sent to affected individuals, and the executive summaries of security assessments conducted by a third-party contractor in 2013, 2014, and 2015. The executive summaries described findings and deficiencies discovered during technical testing.

Technical testing does not qualify as risk analysis

Eight months later, OCR sent a follow-up notice to UHCO’s Privacy Officer notifying her that the security assessment executive summaries she had provided did not depict an enterprise-wide evaluation of all potential threats and vulnerabilities and therefore did not meet the requirements for risk analysis set forth in the HIPAA Security Rule. OCR again requested that UHCO provide risk analysis performed before and after the breach and documentation that UHCO implemented security measures to sufficiently address risks identified in the requested risk analysis. UHCO was given 20 days to respond.

UHCO’s Privacy Officer responded by providing a 2014 Security Assessment (the full technical testing assessment which formed the basis of the executive summary previously provided). This assessment detailed the results of external and internal penetration testing, web application assessments, wireless network testing, and social engineering.
She also provided OCR with the results of a 2016 HIPAA Risk Assessment conducted by a second third-party contractor. This assessment was in fact a compliance gap assessment conducted relative to ISO/IEC 27000 information technology security standards.

Compliance gap assessment does not qualify as risk analysis

One month later OCR responded, stating that the risk assessments UHCO provided did not:

• Include an enterprise-wide risk analysis
• Cover all devices and systems that contained ePHI in transit or at rest
• Identify all threats and vulnerabilities to these devices and systems
• Include probabilities or impacts for those threats and vulnerabilities

OCR again requested that UHCO’s Privacy Officer provide a risk analysis and documentation that UHCO had implemented security measures to address the risks identified in the risk analysis. UHCO was given another 20 days to respond.

UHCO’s Privacy officer responded by providing additional information including:

• Results of penetration, web application, and vulnerability testing by a third contractor
• A hardware and software inventory
• Lists of threats and vulnerabilities maintained by the IT staff
• A remediation plan resulting from the penetration and vulnerability testing

UHCO’s privacy officer hoped this new documentation would finally meet OCR’s requirements. However, once again, she was disappointed. Despite submitting “risk analysis” documentation from three different third-party contractors, UHCO was still not in compliance.

Understanding what an OCR-quality risk analysis involves

Within a month, OCR let UHCO know they had still not met the risk analysis requirement. OCR gave UHCO additional time to respond. It was at this point that UHCO engaged the services of Clearwater Compliance.

Clearwater Compliance specializes in helping healthcare organizations establish, operationalize, and mature their HIPAA compliance and cyber risk management programs. Some organizations engage Clearwater’s services proactively, before a breach occurs.

Others, like UHCO, reach out for help after an OCR breach investigation is initiated.

As UHCO reviewed OCR’s correspondence and better understood the comprehensive nature of a bona fide risk analysis, they realized they had neither the software tools nor the in-house expertise they needed to meet OCR’s expectations. One of the reasons they chose Clearwater Compliance was because Clearwater Compliance has developed a proprietary software suite that simplifies and supports the risk analysis process.

Per the HIPAA Security Rule, risk analysis documentation must include an inventory of all information assets used to create, maintain, retrieve, or transmit ePHI and the threats, vulnerabilities, likelihood, impacts, and controls associated with each. Many organizations end up spending weeks developing endless iterations of Excel spreadsheets in an attempt to capture the level of detail required for a bona fide risk analysis. Clearwater’s IRM|Analysis Software has been specifically designed to meet the HIPAA Security Rule risk analysis requirements and is pre-populated with device, threat, vulnerability, and controls information.

In this particular case, UHCO already had a comprehensive hardware and software inventory that could be loaded into the software. All that was necessary to complete the risk analysis was the identification of security controls, probabilities, and impacts. UHCO quickly completed this work over a few days in a workshop setting facilitated by the Clearwater Compliance team, with minimal impact on UHCO’s day-to-day operations.
Acknowledging the confusion around what is required for proper risk analysis, UHCO’s General Counsel commented, “When we submitted a risk analysis and risk management plan from Clearwater, OCR approved them and closed our case.”

Key takeaways: OCR’s patience, UHCO’s persistence

UHCO did many things right in this case. They took prompt action to investigate and implement corrective actions once the breach was discovered. They had appropriate policies and procedures in place before the breach. They regularly conducted penetration and vulnerability testing and corrected issues when identified. Perhaps most importantly, they were responsive to OCR’s ongoing requests and tried to get it right. And to their credit, OCR was patient as UHCO made continuing good-faith efforts to meet the risk analysis requirement.

UHCO’s main issue was that they failed to perform risk analysis as required under the HIPAA Security Rule and described in OCR Guidance. Performing enterprise-wide risk analysis is not the same as performing technical testing or gap analysis. It is also not a trivial undertaking, since an OCR-quality risk analysis requires:

• Identification of all systems or devices used to create, retrieve, maintain, and/or transmit ePHI
• Identification and documentation of all potential threats and vulnerabilities to the organization’s systems and devices
• Assessment and documentation of current security controls associated with the organization’s systems and devices
• Determination of the likelihood of threat occurrences
• Determination of the potential impact of the threat occurrences
• Determination of level of risk
• Detailed documentation, ongoing review and documented updating of the risk analysis
  As UHCO experienced, anything less than this is not—in OCR’s opinion—a true risk analysis.

References:

1. U.S. Department of Health and Human Services Office for Civil Rights (OCR). “Risk Analyses vs. Gap Analyses – What is the difference?” April 2018.
2. Clearwater Compliance. Statistical Analysis. July 2018.