Elements fo the Security Risk Assessment Explained
HIPAA compliance is an intimidating and overwhelming task, process, or regulation. However you want to look at it. It always helps to have guidance when ensuring that your practice does not fall victim to a fatal HIPAA audit or data breach. In this article, I will outline the different sections of the Security Risk Assessment Tool released by Health and Human Services (HHS). There are other tools from private companies that can be used. The covered entity (medical practice) must be diligent in making sure that the assessment they are using covers all of the same material that the HHS tool covers. The only other public tool offered to perform an annual risk assessment is the one offered by NIST (National Institute of Standards and Technology).
Security Risk Assessment Basics - Section 1
The first section of the Security Risk Assessment (SRA) covers the basic elements of risk. There are three points covered in this section. The first point to evaluate is how business and security remediation is handled after an incident occurs. Well, what is an incident exactly? An incident is an event that takes place that may disrupt business in any way. This can be anything from a power outage to a full-blown ransomware attack. Every practice needs ‘staples’ for remediation such as processes, policies, and backups. The SRA Basics section focuses on how the documentation of remediation is handled. The documentation needs to be available to all employees and regularly updated. It’s very important to practice drills regularly. Just like we used to practice fire drills in school. The second point that is going to be evaluated in the SRA is the tracking of technological assets. The SRA tool has an excel spreadsheet template that can be used with information such as type of device, location of device, device owner, whether the device is active, and if the device is inactive, how was is it sanitized, or destroyed. Most IT companies do this for their practices, just make sure the right information is being collected. The third point that is going to be evaluated in the basics section of the SRA regards the documentation of workforce security. It is important to know who has access to the building when, what data do they have access to -physical or electronic-, and how the security processes are handled. Recording employee security training is also a mandated part of this evaluation.
Security Policies - Section 2
The second section of the SRA is all about documentation. Wait… wasn’t that in the last section? This is true. The first section was about what kind of documentation was needed. This section pertains to how the documents are used and maintained. Document retention is important to consider because if all the documents on hand are outdated, they don’t do you or your practice any good. It is important to ensure that all documentation about security and HIPAA compliance is updated annually, at least. A big mistake a lot of practices make is spending a lot of money to have documents created for them and then filing them away, never to be seen again. But you have them. Right? The SRA evaluates how the documents are being used. If documents regarding security and HIPAA compliance are not being regularly reviewed, updated, and practiced then they are again basically useless. Every employee, staff member, and even some contractors should have access to and training on all of the policy and procedure documentation.
Security and The Workforce - Section 3
The third section evaluates how security is being communicated, taught, and handled by the workforce. The workforce refers to anyone who has a part in making the business operate. Not just medical staff. Even the janitorial staff for the building you rent office space in has some level of access to your PHI. Every practice needs a security officer, much like they need a compliance officer. For smaller practices, this may be the same person. It is the security officer’s job to coordinate all of the security-related activities that go on in the practice. This includes the annual security training mandated by HIPAA in the Security Rule. Like the assessment tools, ensure that the training meets the purposes of the Security Rule before purchasing a course or package. This section will also evaluate how trust in the workforce is measured as well as how the members of the workforce are accountable for maintaining a secure work environment. Trustworthiness is measured by the performance of background checks, calling references, or promoting internally. Just like with everything HIPAA-related, document all of this.
Automate your SRA!
Zekteck's Compliance and Security Platform will automate the entire SRA generation process using an algorithm developed in house derived from the SRA Tool provided by Health and Human Services.Learn More
Security and Data - Section 4
HIPAA compliance rules are starting to show a major theme… documentation. The fourth section of the SRA evaluates how PHI is accessed, stored, and logged. Each staff member’s access to PHI need to be managed in some way and documented to be referenced at any given time. There are many access management tools on the market, most are very expensive and flashy. The most important thing to remember when assigning access to staff members is DO NOT MIRROR access. Mirroring access means you give a new person the same access as someone who has already had access for a while. At first, it seems like a great idea. The new staff member will have access to everything they need for their job. It becomes a problem when that person starts to perform tasks that are using access they shouldn’t have. While most breaches imply malicious intent, many data and HIPAA breaches are the result of someone making a mistake. Another way to ensure the protection of your data is to encrypt it. There are two stages in which data exists, at rest and in transit. Ensure that data is encrypted while it is at rest (being stored) and while it is in transit (being sent). Every good EMR/EHR has a patient portal that encrypts messages about their care or test results. It is important that PHI or ePHI is never emailed unless it can be 100% verified that it is encrypted. Of course, all the encryption at rest, transit, and access need to be logged. Who is accessing what data when and for what purpose? what is happening to your data could be the difference between an elegantly recovered breach or going out of business.
Security and The Practice - Section 5
The fifth section focuses on the physical nature of security. Your practice will be evaluated on whether there are security systems and cameras installed. How employees and patients come on and off the premises. Even what kind of locks are being used. While this seems like the easiest most intuitive part of the security assessment, it is surprising how many practices don’t even know who has keys to the office. Here is an anecdotal story to press the importance of understanding physical security. A wife is a physician at a major hospital. She forgets her hospital badge at home, but no big deal. Everyone knows her and she gets on the floor just fine. She calls her husband to see if he can drop off her badge. The husband is happy to! He uses her badge to access the hospital, even parts that are off-limits to the public, to get her access card to her. While no harm was done, imagine if something was to happen. All of the logs would show that her access card was the one that opened the doors when the husband came in, and there would be no record of her being on the premises when she arrived. Maybe nothing bad happened to the data, but what if there was a fire, and everyone had to evacuate before the husband could bring her card and they used card scan logs to take attendance of who made it out of the building. No one would know if she had made it out because the logs indicate she wasn’t there yet. The same mentality pertains to access to devices. Only the appropriate personnel should have access to specific devices both electronically and physically. What do you do with a device that is no longer being used? The first thought is usually to put it in storage, just in case. Or maybe to just drop it in a nearby dumpster. How is anyone going to get it out of a giant dumpster? Hackers are amazingly okay with dumpster diving if the data is valuable enough. In the SRA, your ability to sanitize data (destroy old devices) will be evaluated. Several private companies offer this service.
Security and Business Associates - Section 6
The sixth section is all about business associates. What is a business associate? A business associate is one of the most overlooked aspects of HIPAA compliance. A vendor or contractor has access to PHI, physically or electronically. Our minds immediately go to vendors we may use that work on IT, Medical devices, or contract staff. They have high levels of access, and it needs to be monitored. Some forgotten vendors that also need access management are janitorial, maintenance vendors, and even vendors that bring supplies to the office. If the water cooler is next to the server room, then the water delivery person should be monitored while changing out the water jug. It’s also important that vendor activities should be logged with the following data:
- Time arrived on site
- Work to be completed while on site
- Work that was completed while on site
- Time the vendor left the facility
It’s also required that every vendor that performs work with the practice has a Business Associate Agreement (BAA). The agreement is a contract that transfers liability the liability of a breach to the vendor. When a vendor signs a BAA, they are accepting the responsibility of keeping PHI and ePHI protected as if they were also an employee of the practice. Vendors that aren’t regularly seen at the office but still provide services requiring a BAA are software companies like Microsoft, Google, and Fax vendors. While some of the tech giants like Microsoft have an umbrella BAA on their website and in their terms and agreements, you must keep that document on file.
Contingency Planning - Section 7
The seventh section evaluates the level of contingency planning taking place at your practice. Contingency planning is when there is a plan in place for when all else fails. As discussed earlier, the contingency plan should cover anything from a power outage to a full-on malware attack. Contingency planning is not just the process of documenting what to do in case of an emergency, but the whole process that produces that document and then uses that document to produce a safe workplace. When contingency planning, it is important to identify what the likelihood of several risks are. If you live in Kansas, it is not likely that a hurricane will affect your business, but a tornado might. Be ready for what makes the most sense for your practice. Another matter to weigh when contingency planning is cost-benefit analysis. If replacing a stolen laptop that can be wiped remotely is cheaper than trying to retrieve the original laptop, those options should be considered. Once these documents have been created, it is important to practice them. There are three methods of practicing that should take place. Vocal walkthroughs, where the participants read through the various steps in a contingency plan. This should take place quarterly. Physical walkthroughs, where they imitate performing the steps in the plan, which should take place semi-annually. And full performance practice runs, where the entire system is taken offline and brought back up as if a real event was to take place. This should be completed annually. The goals of a contingency plan are to prevent any events from happening to the best of your ability, have a method of detecting when an event takes place, and respond to an event most efficiently and effectively as possible. Also remember, back up everything always.
This page is not be used as an official HIPAA Compliance Checklist*