Risk Assessment Help on the WayFree App Designed to Make the Job Easier
The basis of any good information security plan is doing a thorough and timely risk analysis. Unfortunately that's something that's often done poorly or skipped over by healthcare organizations, especially smaller ones. But help is on the way from federal regulators.
See Also: Creating a Culture of Security
The Department of Health and Human Services soon will unveil a free risk assessment tool for smaller providers that helps with documentation as well.
Risk analyses that are being performed are immature. ... They need to move to a more mature process that's consistent and repeatable.
HHS' Office of the National Coordinator for Health IT, which oversees policies and standards for the HITECH Act electronic health records financial incentive program, has been working with its sister HHS agency, the Office for Civil Rights, which enforces HIPAA, in creating the new downloadable risk assessment app that's expected to be available within the next few weeks. Watch for the tool on the privacy and security resources page of ONC's website.
The tool, which was demonstrated at the recent 2014 HIMSS Conference, will work on Windows-based devices, but is also ONC's first application for the iPad, says Laura Rosas, a senior adviser at ONC.
This new resource walks organizations through the risk assessment process, providing guidance on how to determine where electronic protected health information is located and how to identity security threats and vulnerabilities. Underlined terms bring the user to a glossary for definitions, and the tool "can help determine the likelihood and impact of risks," says Joy Pritts, ONC's chief privacy officer. "The tool helps you become compliant, and gives you a score" of how you're doing in your compliance efforts, she says.
Based on the sneak peek ONC provided, I think the most helpful feature of the tool is its ability to create a report that can be used as risk analysis documentation if the organization is ever audited or investigated by HHS. The report can be printed out at any time during the assessment, and it's produced in the order of the HIPAA Security Rule, Rosas says.
That documentation, which can be exported as an Excel spreadsheet or PDF, is especially important because OCR is expected to soon resume its HIPAA compliance audits.
OCR's pilot audit program in 2012 found that risk assessments were a weak spot for healthcare entities of all types and sizes, but especially smaller organizations.
Regulatory Watch Dogs
Healthcare organizations also need to conduct a HIPAA security risk assessment if they're attesting to meeting meaningful use requirements of the HITECH EHR incentive program. HHS is scrutinizing these attestations through audits. Additionally, OCR will routinely check the status of an organization's risk analysis when the agency investigates a breach that's been reported.
OCR can smack organizations with penalties ranging up to $1.5 million for every HIPAA violation, and HHS can also attempt to claw back HITECH incentive payments that were gained through false attestations.
"From a compliance standpoint, risk assessment is addressed in almost every regulatory requirement we have, whether it's HIPAA and HITECH, meaningful use or Federal Information Security Management Act, accountable care organizations or National Institutes of Health grant activities," says security expert Mac McMillan, CEO of consulting firm CynergisTek..
But beyond meeting regulatory requirements, a risk analysis is the foundation for protecting data, he says.
"Risk assessments better inform us of where the risks are in our environment and helps us do a better job in securing patient information," McMillan says.
Analysis of the new 2014 Healthcare Information Security Today survey of senior executives from about 200 healthcare entities shows some signs of apparent progress on risk assessments.
The survey shows that three-quarters of respondents conducted a risk assessment in 2013, compared with last year's survey, which found that only two-thirds of entities had conducted an assessment within the past year.
In a panel discussion at a free webinar offering an analysis of the survey results, Bob Chaput, CEO at Clearwater Compliance, a HIPAA consultancy, argues that, based on his experience, many organizations that say they've conducted a thorough risk assessment actually have not. "People are doing control reviews," he says. "Risk analyses that are being performed are immature. ... They need to move to a more mature process that's consistent and repeatable."
But privacy and security expert Kate Borten, principal of consulting firm The Marblehead Group, tells me: "I am seeing certain covered entities stepping up their risk assessments. In many cases, it's directly related to applying for meaningful use incentive payments."
Whatever the motivation is for healthcare entities - big or small - to conduct a risk analysis, one critical thing to remember is this: It's not sufficient to just perform a risk assessment and document the findings.
"You also have to mitigate the risks you've identified," and document those as well, Pritts stresses.