
Components of a Successful HIPAA Security Risk Assessment

by averymoore@santarosaconsulting.com January 31, 2012 08:57

This blog outlines the key components of a successful HIPAA Security Risk Assessment. Such an assessment is not only a vital part of any IT program strategy; it is also required for compliance with the HIPAA/HITECH rules that went into effect in February 2010 and for Centers for Medicare and Medicaid (CMS) Meaningful Use Stage 1 attestation.

The possible operational and financial enormity of the task can intimidate any CIO, CFO or CEO. Procrastination, however, is not an effective strategy: the likelihood of a virus attack or a breach only increases with every month spent wondering what to do first.

Step 1: Inventory

One of the first things to consider is completing an inventory of all carriers of electronic protected health information (ePHI) within your enterprise. What applications, what storage devices, what databases, what networks? Essentially, where is your ePHI created, received, maintained and transmitted? If you are currently engaged in an ICD-10 Assessment and Plan, this is a perfect time to take note as you identify carriers of ICD-9 codes for remediation, since those carriers are most likely associated with ePHI as well. Once the inventory is complete, you need to document the criticality of each of these carriers.

Step 2: Establish Controls

Next you need to consider the security controls that are or are not in place. One way to ensure a thorough audit can be completed is to employ the standard published by the National Institute of Standards and Technology (NIST). NIST has been involved in Health Information Technology (HIT) research since 1994 and, through the American Recovery and Reinvestment Act (ARRA) of 2009, is playing a major role in accelerating the development and harmonization of standards and developing conformance test tools for HIT. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR 160, 162, and 164) establishes national standards to protect individuals’ ePHI that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Step 3: Assess Risk

Your next task will be to develop a risk determination. This involves identifying the threats to the enterprise environment (external, each carrying an associated likelihood) and the vulnerabilities within the infrastructure (internal and static, though they can be minimized), and from these pairings describing the associated risks.

Step 4: Assign Impact Value

Finally, for each associated risk, you will want to describe the impact and severity to the enterprise. Your Security Risk Assessment will then be complete; your next task, however, will be to develop a risk remediation plan.
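As an added example, not part of the original post, the following Python script carries the four steps through into a small risk register: ePHI carriers with their criticality (Step 1), the controls in place (Step 2), threats with likelihoods paired against each carrier's vulnerabilities (Step 3), and an impact rating (Step 4), producing a list ordered for the remediation plan. The qualitative scale, the scoring formula, the control-to-vulnerability mapping and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Qualitative scale assumed for this example; the post prescribes no particular scale.
LEVEL = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class Carrier:  # Step 1: an ePHI carrier (application, database, device, network)
    name: str
    criticality: str
    vulnerabilities: set = field(default_factory=set)  # Step 3: internal weaknesses
    controls: set = field(default_factory=set)         # Step 2: safeguards in place

@dataclass
class Threat:  # Step 3: external threat and, for Step 4, the impact if it is realized
    name: str
    likelihood: str
    exploits: str  # the vulnerability this threat needs to succeed
    impact: str

# Step 2: which safeguard minimizes which vulnerability (constructed mapping).
MITIGATES = {"unencrypted-at-rest": "disk-encryption",
             "no-malware-protection": "endpoint-antimalware",
             "weak-access-control": "role-based-access"}

def risk_score(carrier: Carrier, threat: Threat) -> int:
    """Assumed formula: likelihood x impact x criticality. A mitigating control that
    is in place minimizes the vulnerability, so it drops likelihood one level."""
    likelihood = LEVEL[threat.likelihood]
    if MITIGATES.get(threat.exploits) in carrier.controls:
        likelihood = max(1, likelihood - 1)
    return likelihood * LEVEL[threat.impact] * LEVEL[carrier.criticality]

def risk_register(carriers: list, threats: list) -> list:
    """Pair each carrier with every threat whose required vulnerability it has.
    Highest risk first: the order in which a remediation plan would address them."""
    rows = [(c.name, t.name, risk_score(c, t))
            for c in carriers for t in threats if t.exploits in c.vulnerabilities]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

# Constructed sample inventory, not real systems.
CARRIERS = [
    Carrier("EHR database", "high", {"unencrypted-at-rest", "weak-access-control"}, {"role-based-access"}),
    Carrier("Billing laptop", "moderate", {"unencrypted-at-rest", "no-malware-protection"}, {"disk-encryption"}),
]
THREATS = [
    Threat("Lost or stolen device", "moderate", "unencrypted-at-rest", "high"),
    Threat("Malware infection", "high", "no-malware-protection", "moderate"),
    Threat("Insider snooping", "moderate", "weak-access-control", "high"),
]
```

Running `risk_register(CARRIERS, THREATS)` ranks the unencrypted EHR database against device loss first (score 18) and the encrypted laptop against the same threat last (score 6), showing how an existing control lowers a risk without removing it.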

Completing a Security Risk Assessment may seem like a daunting task. However, the crisis response to a virus attack or breach would be far worse and much more costly to the organization on a number of fronts. Engaging a trusted advisor, like Santa Rosa Consulting, to assist your team can provide the clear, unbiased expertise and perspective that will help your organization in its ePHI security resiliency program.

William Oravecz
Strategic Advisory Services
williamoravecz@santarosaconsulting.com
