What is a “Thorough and Complete” Security Risk Analysis under HIPAA? 

The key to ensuring your SRA is complete and thorough is to think beyond the regulatory requirement and instead consider how the SRA can help you truly identify organizational risks and areas for improvement.  

A wide-open Wi-Fi network.  

Water dripping from a faucet next to a file server containing PHI.  

Server backups that have not been verified or checked in years.  

An unknown number of master keys for an entire hospital exist in the community.  

These are just a few of the risks identified during Security Risk Analyses (SRAs) that our HIPAAtrek consulting team has completed over the years. 

You probably know that a Security Risk Analysis is a requirement of HIPAA—but if you’re unclear about what exactly an SRA entails, or how often they should be performed, you’re not alone. And, since the Office for Civil Rights (OCR) has an entire department dedicated to reviewing SRAs, this is one area in which knowing the requirements is critical.  

If you’re looking to identify risks to patient data, avoid citations for an incomplete SRA, and keep your organization compliant, keep reading. Today I’m sharing all the details about SRAs you truly need to know, as a consultant who has completed SRAs for numerous covered entities.

What do the HIPAA Regulations Say About Security Risk Assessments? 

A complete and thorough SRA, preferably performed by a third party, is a requirement of the HIPAA regulations. Specifically, the SRA requirement states that a covered entity must 

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

(45 CFR § 164.308)

While that may seem like a vague or confusing statement, we do know that less than 5% of SRAs pass muster when reviewed by the OCR. In fact, the lack of a complete SRA is the most common citation under HIPAA. So, it’s clear that there is a misalignment between what many healthcare organizations see as a complete SRA, and what the OCR approves of. 

Ultimately, the SRA is more than just an item to check off your HIPAA checklist—it is foundational to your HIPAA security program, and even your broader HIPAA compliance. The SRA identifies risks to PHI that are specific to your organization—like that leaky faucet I mentioned earlier.  

(That’s why so many questionnaires or other self-assessment tools fall short, because they simply can’t be specific enough to your organizational needs.) 

So, what does a complete and thorough SRA look like? It is more than going through a questionnaire in an Excel spreadsheet or having someone do a penetration test. It involves more than your IT team and it should use the principles of Risk Management. Far too often I see incomplete SRAs being done, so let’s start there. 

What Makes an SRA Incomplete Under HIPAA? 

Before we can dive into what makes an SRA complete, we should address a few common examples that do not constitute a complete SRA. The most common examples of incomplete SRAs I have seen include: 

  • A Self-Assessment Questionnaire  
  • Penetration Testing 
  • The ONC Security Risk Assessment Tool (that’s right—they even warn on the website that this tool does not constitute a compliant SRA) 
  • Massive Checklists or Spreadsheets of Questions 

Some Security Officers say their method of meeting the HIPAA SRA requirement is to have someone perform a penetration test periodically. That certainly assesses some of the technical controls you have in place, but only scratches the surface of the SRA. 

Another thing that I see far too often is what I like to call The Massive Checklist: a consultant says they will perform an SRA and follows it up with a gigantic spreadsheet or list of questions that need to be filled out. One that I saw had over 600 questions in it for the security officer to respond to! (Yikes.) 

Of course, there are many questions I ask as a part of an SRA, but a more appropriate process relies on the expertise and experience of the consultant. For instance, when I conduct an SRA, I review security policies first and then perform a series of tailored interviews, asking how controls and policies are implemented at the Covered Entity. 


There are plenty of spreadsheets and lists with hundreds of questions available for download, but you can’t download expertise—or specificity to your organization. Ultimately, a questionnaire simply can’t complete an SRA. 

What does a Complete and Thorough SRA include? 

Now that you know what an SRA is not, we can dig into what a complete and thorough SRA should entail. The SRA really should be a complete risk analysis. This does, of course, include vulnerability scans of your IT systems, but it is so much more than that!  

During a complete SRA, someone who has experience performing SRAs in healthcare settings should visit your facility for an in-person walk through and, preferably, an unannounced attempt to access areas that should be secure. 

A complete and thorough SRA needs to include: 

  • Analysis of physical and environmental risks to PHI, 
  • Facility walkthrough looking for security risks, 
  • Departmental walkthroughs, ideally unannounced, looking for exposed PHI, security risks, workstation risks, and other vulnerabilities, 
  • An evaluation of key and door lock management, 
  • An evaluation of technical controls, 
  • Internal and External Vulnerability Scanning, 
  • Review of policies and procedures that are in place for ensuring compliance with the HIPAA Security Rule, and 
  • A prioritized report detailing the findings and providing recommendations. 

There is so much to an SRA, and it is more than can be completed by a checklist or a penetration test.  

The key to ensuring your SRA is complete and thorough is to think beyond the regulatory requirement and instead consider how the SRA can help you truly identify organizational risks and areas for improvement.  

Your SRA is an opportunity to review and analyze your administrative, physical, and technical controls across the board—a vulnerability scan or penetration test doesn’t assess how you disable accounts upon termination of employment, or any risks posed by your network closets. (Boy, can I tell stories about what I have seen there.) 

Should Your Security Risk Analysis Be Completed by an External Consultant? 

As I stated above, it is preferable to have an external consultant complete your SRA. When you attempt to identify your own organizational risks to PHI, you may have blind spots you’re not even aware of.  

That’s why it is not appropriate to complete the Security Risk Analysis internally. As you look to identify risks to PHI, it is easy to miss things you’ve grown used to over time, see as “the way we’ve always done it,” or even just don’t visually see in your day-to-day walkabouts.  

When you have an external consultant come in, we can look in places you don’t usually look (both virtually and physically), ask tough questions you may not feel comfortable asking your team, and interrogate the systems you’ve grown accustomed to or potentially overlooked entirely.  

In short, if you are completing an SRA in order to truly identify and mitigate organizational risks, it is only appropriate to do so with an external consultant.  

When Should You Complete an SRA? 

Under the HIPAA security rule, you know you need to complete an SRA—but how often is it required? Again, mindset matters here. You can’t just see the SRA as something to check off your list and move on. Instead, it is a critical and ongoing assessment process to help you identify new risks to PHI.  

So, how often is the SRA required? You should aim to complete an SRA at least every other year.  

Why do I say at least? That’s because situations often come up that would introduce new potential risks and may require a new SRA to be completed to identify them. Consider significant changes like switching EMRs or moving to a new physical space.  

If you think of your SRA as a holistic risk management practice, it makes sense that these moments of significant changes would trigger an SRA, in addition to your regularly scheduled cycle. 

Fulfilling Your SRA Requirement Under HIPAA 

The SRA is the foundation of your security program and of your confidence in HIPAA compliance. As such, it is critical to see it as more than a requirement of HIPAA: it is your action plan for achieving HIPAA compliance.  

By understanding what is included in a “thorough and complete” Security Risk Analysis under HIPAA, you can move forward confidently with completing this important assessment.  

Avoid the questionnaire salesmen, the free printable tools, and the tendency toward complacency, and you can truly identify specific and actionable threats to PHI across your organization. 

And once that SRA is complete, your job isn’t done—it’s time to mitigate all those risks, too—but we can save that for another blog post!