It’s not too late to conduct your 2019 security risk analysis! Why is this important?
- The security risk analysis is critical to making sure your organization’s security practices comply with the requirements in the HIPAA Security Rule.
- If you’re participating in the Medicare Promoting Interoperability Program, you must complete a risk analysis by the end of 2019.
This security risk analysis (SRA) series will cover 8 steps designed to help you identify, prioritize, and address risks to your data. Throughout this series, we’ll give examples of how you can organize your SRA and prepare yourself to strengthen your security posture.
This blog post will guide you through steps 1 and 2 of the security risk analysis: defining the scope of the analysis and gathering information. Two terms are used throughout:
- Security risk analysis. According to 45 CFR 164.308(a)(1)(ii)(A), an SRA is an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
- ePHI. Electronic protected health information (ePHI) is individually identifiable health information that is transmitted by electronic media or maintained in electronic media.
1. Define the Scope
The first step of your SRA is to define the scope of the analysis. Define the following:
- Reason for the SRA. Is it a routine assessment (for example, a yearly analysis)? Is it in response to a security incident (for example, a phishing attack)? Or has your organization adopted a new technology, prompting you to reevaluate your security (for example, a new electronic health record system)?
- Location(s) to include in the SRA. Will you assess the entire organization or a specific location? A location could include technical environments, such as a cloud environment or EHR/EMR system. Or a location could be a physical facility, department, or server room. Keep in mind that the Security Rule expects the risk analysis to cover all ePHI your organization creates, receives, maintains, or transmits, wherever it lives; if you narrow the scope to one location, document that choice and how the remaining locations are covered, because anything left out of scope is unassessed risk.
- Technology to include in the SRA. Will you assess hardware, software, and/or other electronic media? For example, you could include employees’ workstations, the software installed on those workstations, or both. Or you could evaluate portable devices, such as laptops and flash drives.
- Additional evaluations. What other evaluations, both technical and nontechnical, will you include in the analysis? Having a thorough checklist will prepare you for step 2 (contact us if you would like a checklist).
2. Gather Information
Next, based on the scope of the analysis that you just defined, gather all relevant information:
Identify the conditions under which ePHI is created, received, maintained, or transmitted.
- Where is patient data entered into your systems (for example, an EMR system)?
- Which channels does ePHI pass through (for example, secure email)?
- Where is it stored (for example, in the cloud)?
- Do employees follow security procedures for how to handle ePHI? Keep in mind that employee error or non-compliance with security protocols causes more than half of all reported breaches.
Identify remote workers/telecommuters and portable computing devices.
- Do you allow employees to take laptops, external hard drives, and other portable devices home? Gather a list of employees who are approved for remote work. If your organization uses a check-out/check-in log for portable devices, gather this data for your risk analysis.
- Does your organization allow employees to use their personal devices to access or transmit ePHI? If so, do you have a BYOD policy?
Use staff surveys/questionnaires and a facility walk-through to gather information.
- How well do your employees know your security policies and procedures, and are they following them?
- Staff surveys or questionnaires give you a more accurate picture of daily operations, which will help you address deficiencies in your HIPAA security training.
- If you choose not to include staff input, document the reason why.
4-Step Example of How We Gather Information for a Security Risk Analysis
Our HIPAA experts use the following 4-step approach to analyze an organization’s security posture:
- Walk-through of all locations. We gain access to all departments and offices within your facilities so we can develop a thorough and accurate assessment.
- Technical inventory review. We examine all your hardware and software. We also use your Application and Data Criticality Analysis if you have one (an addressable implementation specification of the Security Rule’s contingency plan standard, 45 CFR 164.308(a)(7)(ii)(E)). If you don’t have one, we’ll work with your technical and legal teams to create one.
- Employee interviews. This helps us to see how well employees understand and follow security procedures. This is a non-intrusive, 5-question interview that only takes a few minutes.
- Technical scan. We use RapidFire tools to scan your technical assets. We also examine your hosting environments and backup processes. A scan only sees assets it can reach, so we reconcile its results against the inventory from the previous step to catch systems that hold ePHI but were never scanned. (More on vulnerability scanning in the next blog post.)
To learn about our SRA service and methodology, contact us at firstname.lastname@example.org.
Stay tuned for next week’s blog post, which will cover steps 3 and 4: identifying potential vulnerabilities and realistic threats.