Security Risk Assessments in Five Steps
By Jared Rhoads
In 2009, as part of the economic stimulus legislation, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH), which contains a national program to provide incentive payments to eligible professionals and hospitals for the adoption and use of electronic health records (EHRs). Ever since that program went into effect, providers have been trying to figure out exactly what the criteria are for qualifying for the incentive payments and how they can satisfy those requirements.
Health IT security has become an increasingly important matter for health care organizations, and although the incentive program is not centered on security, it is certainly a key part of it. Organizations and eligible professionals are required to conduct a comprehensive security risk assessment to protect all electronic health information that is created or maintained by EHRs.
Conducting a security risk assessment is not a trivial effort. Many organizations don’t do one on a regular basis, and they may not have dedicated security personnel or resources—although they should. This must change if organizations are to protect their data and qualify for the incentive program.
To begin, consider breaking the assessment process down into five basic steps:
1. Ensure that you are using certified EHR technology.
Use of a certified EHR system is a basic requirement for participating in the incentive program. Some current security-related certification standards include: support for data integrity controls, audits, emergency access, automatic log-off, event recording (e.g., for deletion of records), and accounting of disclosures. Data encryption does not yet need to be enabled in all places at all times, but generally it is a good idea to turn on features sooner rather than later. Remember that the goal is to digitally and physically secure the whole environment, not just the certified EHR system.
2. Evaluate the risks.
The “meaningful-use” (health care providers’ use of electronic records to achieve significant improvements in care) risk assessment requires a comprehensive evaluation of an organization’s risks and vulnerabilities. This includes internal systems, internal users and third parties.
When evaluating the likelihood and potential impact of security threats to internal systems, the assessment team should evaluate vulnerabilities associated with the hardware, software, system interfaces, networks and devices that are in use. Infrastructure that supports data transmission represents an especially high risk unless it’s monitored closely to prevent unauthorized use. In terms of scope, the analysis should include electronic protected health information (ePHI) on all media, including hard drives and mobile devices. For networks, consider automated tools that can scan the hospital’s network and identify specific devices that present risks.
Another major source of risk comes from clinicians and administrative staff. Analysis of user accounts and role-based access rules may reveal excessive or out-of-date user access rights. Set up processes to investigate these instances and offer role-based training with job-specific scenarios to improve comprehension and retention. Organizations should document all training and retain these records for compliance.
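The account analysis described above, as an added example that is not part of the article or of CSC’s material: a script that compares each account’s rights against a role baseline and flags separated or long-inactive users. The roles, permissions, 90-day inactivity threshold and sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Baseline rights each role should hold (constructed for this example, not from the article).
ROLE_BASELINE = {
    "clinician": {"view_chart", "edit_chart", "order_meds"},
    "billing": {"view_chart", "view_billing", "edit_billing"},
    "it_admin": {"manage_users", "view_audit_log"},
}

STALE_AFTER_DAYS = 90  # assumption: inactivity threshold chosen for this example
REVIEW_DATE = date(2024, 6, 1)  # constructed "as of" date for the review


@dataclass
class Account:
    user: str
    role: str
    permissions: set
    last_login: date
    active_employee: bool


def review_access(accounts, today=REVIEW_DATE, stale_after_days=STALE_AFTER_DAYS):
    """Return (user, finding) pairs for accounts whose rights look excessive or out of date."""
    findings = []
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role)
        if baseline is None:
            findings.append((a.user, f"unknown role '{a.role}', no baseline to compare against"))
            continue
        extra = a.permissions - baseline
        if extra:  # rights beyond what the role needs
            findings.append((a.user, f"excessive rights beyond {a.role} baseline: {sorted(extra)}"))
        if not a.active_employee:  # separated staff should have no enabled account
            findings.append((a.user, "account still enabled for separated staff"))
        elif (today - a.last_login).days > stale_after_days:  # dormant account
            findings.append((a.user, f"no login for {(today - a.last_login).days} days"))
    return findings


# Constructed sample directory extract; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("dr_lee", "clinician", {"view_chart", "edit_chart", "order_meds"}, date(2024, 5, 30), True),
    Account("nurse_kim", "clinician", {"view_chart", "edit_chart", "manage_users"}, date(2024, 5, 29), True),
    Account("temp_billing", "billing", {"view_chart", "view_billing"}, date(2024, 1, 10), True),
    Account("former_admin", "it_admin", {"manage_users", "view_audit_log"}, date(2024, 4, 1), False),
    Account("vendor_acct", "contractor", {"view_chart"}, date(2024, 5, 31), True),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```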
Business associates also represent a potential vulnerability that needs to be included in the assessment. Your organization might have dozens or hundreds of business associates that it works with for services ranging from consulting and outsourcing to data backup and data disposal. Ask your business associates to provide a detailed review of the contract terms and perform an audit of current practices.
3. Correct deficiencies.
Organizations are required to correct identified security deficiencies as part of the risk management process. Unfortunately, CMS has not offered clarification on what qualifies as a deficiency or what type of corrective action is considered adequate. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are held to the standard of doing what is “reasonable and appropriate.”
When deciding how to address a risk, consider the potential impact of that risk, the cost of mitigating it, and the extent of in-house technical capabilities. A key part of addressing risk is knowing what risks are
Always document the decisions and rationale for addressing—or not addressing—a potential
Outside expertise is available when the necessary skills and capabilities are not present internally. One growing trend is toward the use of security as a service. This can be a smart move for managing virus definition updates and other security administration services.
4. Maintain your technologies and processes.
Security should be a central part of the enterprise strategic plan. Organizations should have a clear schedule for reassessing vulnerabilities and implementing security updates as needed. The meaningful-use rule requires organizations to “implement security updates as necessary.” This means that processes should be reviewed in addition to technologies.
A comprehensive security plan also includes policies and processes on what to do in the event of adverse incidents, such as a network breach. A breach-management policy should describe the response and review steps that should be taken
key staff members, including IT personnel, senior management and clinicians. Some incidents go unreported for the simple reason that people believe it is someone else’s responsibility.
5. Attest that the risk assessment has been completed.
Eligible professionals and hospitals can attest that the risk assessment has been completed by using CMS’s online Registration and Attestation System, which asks a simple yes/no question. Note that attestation is legally binding and that any provider who attests may potentially be subject to an audit. Retain documentation about the risk analysis and findings, as well as any corrections that were instituted.
Audits and regulations may offer some motivation and guidance on how to secure protected health information, but the deeper reason why organizations should address privacy and security comprehensively is because it is the right thing to do for patients.
Jared Rhoads is a senior research specialist with the Global Institute for Emerging Healthcare Practices, the applied research arm of CSC’s Healthcare Group. More information on achieving comprehensive health IT privacy and security can be found here: http://www.csc.com/health_services/insights/69994-achieving_comprehensive_health_it_privacy_and_security.