Kevin Atkins, CAHIMS
Engagement Manager
HealthPOINT at Dakota State University
What to expect from a HIPAA Security Risk Assessment (SRA)
Objectives
Discuss HIPAA Requirements for a SRA
Define what constitutes a risk
Identify the elements of an SRA
Origins of Security Risk Assessment
HIPAA Security Rule
Proposed in 1998; enacted in 2003
Mandatory in 2006
45 CFR (Code of Federal Regulations) Part 160
Subparts A & C of Part 164 (164.302 – 318)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Office for Civil Rights (OCR) responsible for guidance and enforcement
Purpose of Security Rule
Establishes national standards to protect ePHI
Includes Implementation Specifications
Requires Administrative, Physical, Technical safeguards
Ensure confidentiality, integrity, security of ePHI
All ePHI created, received, maintained or transmitted is subject to Security Rule
Requires entities to
Evaluate risks and vulnerabilities
Implement reasonable and appropriate security measures
HIPAA Requirements
Security Management Process Standard
164.308(a)(1)
Four required Implementation Specifications
164.308(a)(1)(ii)(A)
Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
HIPAA Definitions
Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
Threat
The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Natural (floods, earthquakes, tornadoes)
Human (hacking, unauthorized access)
Environmental (power failure, chemicals, pollution)
HIPAA Definitions
Risk
NIST SP 800-30: “The net mission impact considering (1) the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and (2) the resulting impact if this should occur”.
Risks arise from legal liability or mission loss due to:
• Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
• Unintentional errors and omissions
• IT disruptions due to natural or man-made disasters
• Failure to exercise due care and diligence in the implementation and operation of the IT system.
HIPAA Definitions
IN OTHER WORDS!!
In order to have a risk you must have
An asset (something of value) AND
A threat (typically something external) OR
A vulnerability (typically something internal)
If any are taken away, there is no risk!
SO
Risk is a function of:
(1) The likelihood of a given threat triggering or exploiting a particular vulnerability
(2) The resulting impact on the organization
Risk-Level Matrix
Sample risk-level matrix
Discussion item: Low-level threat, but DEVASTATING impact. Chart shows low risk. Agree or disagree? Why?
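As an added worked example (not from the presentation), the risk function and the risk-level matrix above expressed in Python using the likelihood and impact weights of NIST SP 800-30 (2002); it is an assumption that the slide's sample matrix uses those weights, and the high-impact floor rule is an illustrative policy override of the kind a final report might apply, not part of NIST or the slide.

```python
from dataclasses import dataclass

# Weights from NIST SP 800-30 (2002), Table 3-6. Assumption: the slide's
# sample matrix (shown only as an image) uses these same values.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight (NIST SP 800-30, 2002)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """NIST SP 800-30 (2002) bands: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str          # something of value (here: ePHI)
    threat: str         # typically external
    vulnerability: str  # typically internal
    likelihood: str
    impact: str


def assess(r: Risk, floor_high_impact: bool = False) -> tuple[float, str]:
    """Return (score, level). With floor_high_impact=True, a High-impact item
    is rated at least Medium; this override is an illustrative policy only."""
    if not (r.asset and r.threat and r.vulnerability):
        raise ValueError("no asset, threat or vulnerability: no risk to rate")
    score = risk_score(r.likelihood, r.impact)
    level = risk_level(score)
    if floor_high_impact and r.impact == "High" and level == "Low":
        level = "Medium"
    return score, level


def matrix() -> dict[tuple[str, str], str]:
    """Full 3x3 risk-level matrix: (likelihood, impact) -> level."""
    return {(l, i): risk_level(risk_score(l, i)) for l in LIKELIHOOD for i in IMPACT}


if __name__ == "__main__":
    # Constructed case matching the slide's discussion item:
    # low-likelihood threat, devastating impact -> score 10 -> "Low".
    r = Risk("EHR database (ePHI)", "tornado destroys the data center",
             "single site, no off-site backup", "Low", "High")
    print(assess(r), assess(r, floor_high_impact=True))
```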
Qualitative vs Quantitative
Quantitative Assessment
Cons: Exhaustive, costly, time-consuming
Pros: Identify greatest risk based on financial impact
Qualitative Assessment
Cons: Subjective, value of loss not quantified
Pros: More common, quicker to complete, focus is on understanding the risk
List different tools available for each (Delphi Technique)
Qualitative & Quantitative tools
Qualitative
Delphi Technique: risk brainstorming – identify, analyze, evaluate risk on individual and anonymous basis.
Structured What-If Technique (SWIFT): team-based approach – uses “What If” considerations.
https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
HealthPOINT: hybrid approach (qualitative on the front end, quantitative on the back end; the quantitative algorithm can be overridden in the final report).
Quantitative
Financial sector, chemical process industry, explosives industry (Wikipedia)
https://en.wikipedia.org/wiki/Quantitative_risk_assessment_software
Elements of a Security Risk Assessment: Scope
Includes potential risks and vulnerabilities to the confidentiality, availability and integrity of ALL ePHI that an organization creates, receives, maintains, or transmits. [164.306(a)]
**REMEMBER** ePHI IS more than medical records
Billing information
Appointment information
Insurance claims information
Reports
What am I forgetting?
Elements of a Security Risk Assessment: Data Collection
Create an ePHI Inventory
Must identify (and document) where the ePHI is stored, received, maintained or transmitted.
Where to look for ePHI
Elements of a Security Risk Assessment: Identify and Document Potential Threats and Vulnerabilities
Identify and document reasonably anticipated threats to ePHI:
Unique to the circumstances of the environment
If exploited, create a risk of inappropriate access or disclosure
Elements of a Security Risk Assessment: Assess Current Security Measures
Assess and document security measures used to safeguard ePHI, whether already in place, and if configured and used properly.
Will vary among organizations
Small orgs – fewer variables to deal with
Large orgs – many variables
Workforce
IT systems
Locations
Elements of a Security Risk Assessment: Document Business Associate Agreements
Business Associates were (and are) the focus of OCR during Phase II audits
OCR requested specific information
27 data elements
Business Associate Name, type of service, 1st/2nd points of contacts – fname, lname, address, phone, fax, email, etc. etc.
OCR designed sample template – NOT downloadable
Email me for a copy ☺
Elements of a Security Risk Assessment: Report
Final element of a SRA is the report.
Presents/summarizes results
Used to guide/prioritize remediation
Final Report Example
Summary
A Risk Analysis
Designed to aid you in protecting the confidentiality, integrity, and availability of ePHI
May be required for Medicare and Medicaid incentive payment programs (MIPS, Meaningful Use, etc.)
Many methods available (consultant, checklist (ill advised), online tool, etc.)
ePHI IS more than just the medical record
The End
Kevin Atkins, CAHIMS
Engagement Manager
HealthPOINT at Dakota State University
(605) 270-1642
THANK YOU