Healthcare providers across the United States have the incredible opportunity – and responsibility – to help deliver improved patient outcomes, and ultimately elevate public health. Although healthcare professionals touch lives every day, they are also subject to some of the most stringent regulatory hurdles in the country. Because they have access to highly sensitive protected health information (PHI), they are expected to operate with a high level of organizational security and best practices when it comes to securely storing patient data.
To protect that data from malicious actors and accidental exposure, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates, healthcare providers included, to conduct an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of the ePHI they hold, and to put administrative, physical, and technical safeguards in place to address those risks. If you don't allocate as much time and as many resources to creating a secure environment for patient data as you do to your care strategies, your organization may be subject to uncomfortable audits and subsequent fines from the HHS Office for Civil Rights (OCR).
There is good news – there are best practices and insights available to help you and other healthcare providers operate with high confidence in your security, privacy, and HIPAA compliance practices.
The Security Risk Assessment (SRA)
There is no one-size-fits-all approach to managing organizational risk, but HHS and its Office for Civil Rights treat a quality risk analysis as the first step in complying with the laws that protect patient information; it is a required implementation specification of the Security Rule, not an optional best practice.
According to the U.S. Department of Health and Human Services, "All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule," meaning that covered entities must use appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of this information.
As a healthcare provider, there are several fundamental questions that ought to inform every annual Security Risk Assessment.
#1 How Often Do You Review and Update Your SRA?
In ClearDATA's capacity as a healthcare cloud security company, we have observed clients that review their SRAs quarterly, annually, or with gaps of several years between assessments. Although no single schedule serves every healthcare provider, we typically recommend reviewing your SRA at least every 6 to 12 months.
In addition to reviewing your SRA on a fixed schedule, many healthcare providers benefit from reviewing it in response to operational changes (new systems, new vendors, migrations) and security incidents. Ideally you review the SRA before a negative incident occurs, but revisiting your existing controls and procedures after a cyber incident is a valuable step in your team's debrief, and it helps ensure the same security failure is not repeated.
#2 What Systems Are Included in Your SRA?
Does your SRA include every information system that stores, processes, or transmits ePHI? ClearDATA recommends including all of them, because it is remarkably difficult to protect your data if you are not sure where it is stored or where it is being transmitted.
All healthcare providers should maintain a complete and accurate inventory of every IT asset in the organization that handles PHI, covering the known, officially managed systems and any others discovered along the way, since an inventory limited to managed assets tends to miss exactly the systems that most need attention. That inventory is the basis for applying appropriate security controls to each asset. For many providers, a well-designed, digitally stored spreadsheet is adequate for recording and updating it.
#3 Your SRA Documentation
What goes into your SRA documentation? We recommend that it list the threats and vulnerabilities you have identified, each assigned a likelihood rating and an impact rating. Based on these ratings, organizations can determine the potential severity of each risk and prioritize their healthcare risk management accordingly.
For example, some choose to establish a data classification policy that categorizes data as: Sensitive, Internal Use, or Public Use. Once you have determined these classifications, you can organize data accordingly. Organizational policies should address all user interactions with sensitive data and make expressly clear the consequences if lost or compromised. After all, human error is one of the leading causes of cybersecurity events. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
#4 Designating the Security Officer
Once your security policies are established and you have closely reviewed your existing data, the next step is to confirm which teams and individuals are responsible for developing and implementing information security policies and procedures. In many organizations this responsibility is assigned to the CIO or CISO, who acts as the security officer; HIPAA requires that this security official be a specific member of the workforce, identified by name in policy documents.
As organizations grow, employees may interact across the organization less and may not be familiar with who is responsible for the security of the data they use every day. ClearDATA recommends healthcare providers take the time to introduce the CIO or CISO – and their responsibilities as the security officer – to the organization as a whole.
Go Beyond the Basics
Security Risk Assessments are a critical best practice – and a HIPAA regulatory requirement – for healthcare providers. If you’ve read about the preliminary questions that should inform your organization’s SRA and want to discuss the specifics of managing the security of your organization, be sure to review our next blog – Peeling Back The Onion: A Deeper Dive on Provider SRAs or schedule a consultation with ClearDATA’s HIPAA and SRA experts.