HIPAA Secure Now!
Assessing risk factors – such as high blood pressure or cholesterol – alerts physicians to potential heart health problems in their patients.
Similarly, conducting a security risk assessment (SRA) enables small and medium-size medical practices to identify where they are vulnerable to a major threat to their own wellbeing: data breaches. A data breach can be catastrophic for both a practice and patients, as medical identity theft can cause tremendous harm.
Imagine this: A patient walks into a medical office, and there is a sign that says, “We do not protect patient information.” What do you think most patients would do? They would walk out. Patients are very concerned about the privacy and security of their information these days. They expect and assume that their providers are taking care of this.
The SRA is not only an essential first step in protecting a practice from damaging breaches. It also remains a requirement for complying with the Security Rule under HIPAA.
Yet many physicians’ offices with 20 or fewer employees still do not fulfill HIPAA requirements for preventing electronic protected health information (ePHI) from falling into the hands of identity thieves. These medical practices have resisted the idea that their small operations could be worthwhile targets for data thieves. But now that hackers have become more sophisticated, and patient information is a hot commodity on the black market, hackers are hitting doctors’ offices of all sizes.
Medical practices may also be fined if they do not report a breach properly – as can happen when a laptop is stolen. While doctors may contend their laptops contain no information that identifies patients, the OCR (Office of Civil Rights) takes a different view, which can be summed up as “guilty until proven innocent.” The OCR assumes that laptops used in medical settings have ePHI on them, and if the device cannot be recovered, it is difficult to prove otherwise. The OCR’s position can be bolstered by statistics showing that six out of 10 HIPAA data breach violations can be traced to lost or stolen laptops.
Fortunately, the twin challenges of fending off data thieves along with potential OCR audits can be met by taking a proactive approach to securing sensitive patient information, starting with an SRA.
Here are the main elements of a comprehensive risk assessment designed to show an organization how it is protecting its data, and what gaps it needs to fill:
1. Identify and document all the ePHI repositories
Medical practices often operate under the assumption that sensitive patient data is stored in electronic health records (EHRs). But that assumption leaves them wide open to thieves who can pick that information off emails, Excel spreadsheets, Word documents, letters sent to patients, PDFs with scanned explanations of benefits, or even ultrasounds and MRIs. That is why the risk assessment must begin with efforts to determine exactly where all ePHI is stored.
2. Identify and document potential threats and vulnerabilities for each repository
Once the repositories of patient information are identified, the next question naturally follows: How is it being protected? The risk of fire or flood that could destroy servers must be taken into account. And the theft or loss of laptops, thumb drives, cell phones, and other mobile devices cannot be overemphasized as a threat to data security.
3. Assess current security measures
Existing security measures could include encrypting data and backing up computers. It is also necessary to question employee policies in this section of the risk assessment. For instance, are termination procedures in place to stop terminated employees from accessing patient information?
4. Determine the likelihood of threat occurrence
Once the location of patient information is determined and potential vulnerabilities are identified, the likelihood of an actual breach needs to be ranked as high, medium, or low. It may be more likely, for instance, that an unprotected ground-floor office could be broken into than one located in a high-rise with around-the-clock security. Then again, it could be easy for employees to lose cell phones or other devices containing patient information, so that threat might be ranked as “highly likely.”
5. Determine the potential impact of threat occurrence
If a physician loses a laptop with 1,000 patient records on it, the impact on a practice could be huge. Look for devices that can store large amounts of patient data. Those have the highest potential impact if they are compromised.
6. Determine the level of risk
The combination of the likelihood of a threat and its impact determines the level of risk. Devices that can easily be lost or hacked and also contain lots of ePHI have the highest level of risk.
7. Develop a work plan
Current security measures must be strengthened if they are not adequate to lower the level of risk revealed in the assessment. Practices need to develop a work plan – the document that accompanies the SRA and lists each gap together with its remediation. For example, the practice may be missing signed agreements from some of its business associates. The work plan should note the issue and assign the task to a responsible person.
8. Document the findings of the SRA
This step may be the most crucial because HIPAA compliance demands documentation. In the event of an audit, examiners are going to want to see documented proof that the medical practice is actually doing what it claims to be doing.
9. Train employees
Employees are the first line of defense against hackers and cybercriminals. They also pose a large security threat. Employee medical identity theft is one of the largest causes of HIPAA violations. You need to “trust” but “verify” that your employees are not taking data. They must be aware that you are checking on them. You also must train them to recognize phishing attempts and phone scams, and to follow the rules for public Wi-Fi use and social media posting, in order to avoid inadvertent breaches.
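As an added example, not part of the original article, the following Python risk register walks steps 1 through 7 for a constructed inventory. The field names, the record-count thresholds and the 3x3 likelihood-by-impact matrix are assumptions chosen to mirror the heuristics above (portable devices rank high in likelihood, encryption lowers impact, a 1,000-record laptop is a high-impact holding, a missing business associate agreement is a gap), and the work plan assigns each gap to an owner.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}  # ordinal scale used in steps 4 to 6

@dataclass
class Repository:  # one entry from the step-1 ePHI inventory (constructed fields)
    name: str
    records: int            # patient records it holds
    portable: bool          # laptop, thumb drive, phone: easily lost or stolen
    encrypted: bool         # existing safeguard from step 3
    held_by_ba: bool = False  # stored with a business associate
    baa_signed: bool = True   # signed business associate agreement on file
    owner: str = "practice manager"  # who the work plan task is assigned to

def likelihood(r: Repository) -> str:  # step 4
    # Mobile devices are the most likely to go missing; a business associate
    # without a signed agreement is an unmanaged exposure, ranked medium.
    if r.portable:
        return "high"
    return "medium" if r.held_by_ba and not r.baa_signed else "low"

def impact(r: Repository) -> str:  # step 5
    # Impact grows with record count; encryption keeps a lost copy unreadable.
    if r.encrypted:
        return "low"
    return "high" if r.records >= 1000 else "medium" if r.records >= 100 else "low"

def risk_level(r: Repository) -> str:  # step 6: 3x3 likelihood-by-impact matrix
    score = LEVEL[likelihood(r)] * LEVEL[impact(r)]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def work_plan(inventory):  # step 7: one remediation item per gap, highest risk first
    items = []
    for r in sorted(inventory, key=lambda x: LEVEL[risk_level(x)], reverse=True):
        gaps = [("encrypt stored ePHI", not r.encrypted),
                ("obtain signed business associate agreement",
                 r.held_by_ba and not r.baa_signed)]
        for task, missing in gaps:
            if missing:
                items.append({"repository": r.name, "risk": risk_level(r),
                              "task": task, "assigned_to": r.owner})
    return items

# Constructed sample inventory, not data from any real practice.
INVENTORY = [
    Repository("physician laptop", 1000, portable=True, encrypted=False, owner="Dr. Example"),
    Repository("EHR server", 5000, portable=False, encrypted=True),
    Repository("billing spreadsheet at clearinghouse", 300, portable=False,
               encrypted=False, held_by_ba=True, baa_signed=False),
]
```

Running `work_plan(INVENTORY)` yields the laptop's encryption task first, then the two clearinghouse tasks; the encrypted server produces no work item.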
Developing a proper SRA takes someone who understands HIPAA, IT, and cybersecurity and can manage the process. Often, the practice will settle for a staffer who lacks the qualifications, or forgo the SRA altogether and simply answer the security questions on a checklist found on the Internet. That is not a proper SRA, and HHS/OCR has said so in writing.
If the practice lacks an experienced employee who can perform the SRA, it should follow the advice of CMS and outsource the project to a qualified HIPAA compliance expert.
Taking the time and devoting the resources needed for a comprehensive risk assessment is the best strategy for defeating data thieves and satisfying auditors. Outsourcing your SRA or your HIPAA compliance needs does not have to be expensive, nor does it have to be time-consuming. External resources are available to help organizations through the confusing maze of HIPAA compliance and regulations. Small practices can achieve HIPAA benchmarks in a cost-effective and time-effective manner, allowing them to concentrate on what matters most: their patients.