Security Risk Assessments in Five Steps

By Jared Rhoads

In 2009, as part of the economic stimulus legislation, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH), which contains a national program to provide incentive payments to eligible professionals and hospitals for the adoption and use of electronic health records (EHRs). Ever since that program went into effect, providers have been trying to figure out exactly what the criteria are for qualifying for the incentive payments and how they can satisfy those requirements.

Health IT security has become an increasingly important matter for health care organizations, and although the incentive program is not centered on security, it is certainly a key part of it. Organizations and eligible professionals are required to conduct a comprehensive security risk assessment to protect all electronic health information that is created or maintained by EHRs.

Conducting a security risk assessment is not a trivial effort. Many organizations don't do one on a regular basis, and they may not have dedicated security personnel or resources, although they should. This must change if organizations are to protect their data and qualify for the incentive program.

To begin, consider breaking theassessment process down into five basic steps:

1. Ensure that you are using certified EHR technology.

Use of a certified EHR system is a basic requirement for participating in the incentive program. Some current security-related certification standards include support for data integrity controls, audits, emergency access, automatic log-off, event recording (e.g., for deletion of records), and accounting of disclosures. Data encryption does not yet need to be enabled in all places at all times, but generally it is a good idea to turn on such features sooner rather than later. Remember that the goal is to digitally and physically secure the whole environment, not just the certified EHR system.

2. Evaluate the risks.

The "meaningful-use" (health care providers' use of electronic records to achieve significant improvements in care) risk assessment requires a comprehensive evaluation of an organization's risks and vulnerabilities. This includes internal systems, internal users and third parties.

When evaluating the likelihood and potential impact of security threats to internal systems, the assessment team should evaluate vulnerabilities associated with the hardware, software, system interfaces, networks and devices that are in use. Infrastructure that supports data transmission represents an especially high risk unless it's monitored closely to prevent unauthorized use. In terms of scope, the analysis should include electronic protected health information (ePHI) on all media, including hard drives and mobile devices. For networks, consider automated tools that can scan the hospital's network and identify specific devices that present risks.

Another major source of risk comes from clinicians and administrative staff. Analysis of user accounts and role-based access rules may reveal excessive or out-of-date user access rights. Set up processes to investigate these instances and offer role-based training with job-specific scenarios to improve comprehension and retention. Organizations should document all training and retain these records for compliance.
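The account review described above, as an added example that is not part of the original article: it compares each account's granted rights against a role-based access rule table and flags rights the role does not permit, as well as active accounts unused beyond a threshold. The role table, permission names, user records and the 90-day threshold are all constructed, hypothetical sample data.

```python
from datetime import date

# Constructed role-based access rules (hypothetical): permissions each role may hold.
ROLE_RULES = {
    "clinician": {"read_chart", "write_orders"},
    "billing": {"read_demographics", "submit_claims"},
    "admin": {"read_demographics", "manage_users"},
}

# Constructed user-account export (hypothetical sample data), as a review
# team might pull it from an EHR's administration console.
ACCOUNTS = [
    {"user": "dr.lee", "role": "clinician", "active": True,
     "rights": {"read_chart", "write_orders"}, "last_login": "2012-03-01"},
    {"user": "j.smith", "role": "billing", "active": True,
     "rights": {"read_demographics", "submit_claims", "read_chart"}, "last_login": "2012-02-20"},
    {"user": "temp.contractor", "role": "admin", "active": True,
     "rights": {"manage_users"}, "last_login": "2011-06-15"},
    {"user": "m.ortiz", "role": "clinician", "active": False,
     "rights": {"read_chart"}, "last_login": "2011-09-01"},
]


def review_accounts(accounts, role_rules, as_of, stale_days=90):
    """Return a list of findings for the assessment record.

    A finding is raised when an account holds a right its role does not
    allow (excessive rights), or when an active account has not logged in
    for more than stale_days (out-of-date access). Disabled accounts are
    not reported as stale, since their access is already withdrawn.
    """
    findings = []
    for acct in accounts:
        allowed = role_rules.get(acct["role"], set())
        excess = acct["rights"] - allowed
        if excess:
            findings.append({"user": acct["user"], "issue": "excessive_rights",
                             "detail": sorted(excess)})
        idle_days = (as_of - date.fromisoformat(acct["last_login"])).days
        if acct["active"] and idle_days > stale_days:
            findings.append({"user": acct["user"], "issue": "stale_account",
                             "detail": idle_days})
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, ROLE_RULES, date(2012, 3, 15)):
        print(f"{f['user']}: {f['issue']} ({f['detail']})")
```

Each finding should then be routed into the investigation process the article calls for and kept with the rest of the assessment documentation.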

Business associates also represent a potential vulnerability that needs to be included in the assessment. Your organization might have dozens or hundreds of business associates that it works with for services ranging from consulting and outsourcing to data backup and data disposal. Ask your business associates to provide a detailed review of the contract terms and perform an audit of current practices.

3. Correct deficiencies.

Organizations are required to correct identified security deficiencies as part of the risk management process. Unfortunately, CMS has not offered clarification on what qualifies as a deficiency or what type of corrective action is considered adequate. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are held to the standard of doing what is "reasonable and appropriate."

When deciding how to address a risk, consider the potential impact of the risk, the cost of mitigating it, and the extent of in-house technical capabilities. A key part of addressing risk is knowing which risks are considered acceptable. Always document the decisions and rationale for addressing, or not addressing, a potential risk.

Outside expertise is available when the necessary skills and capabilities are not present internally. One growing trend is toward the use of security as a service. This can be a smart move for managing virus definition updates and other security administration services.

4. Maintain your technologies and processes.

Security should be a central part of the enterprise strategic plan. Organizations should have a clear schedule for reassessing vulnerabilities and implementing security updates as needed. The meaningful-use rule requires organizations to "implement security updates as necessary." This means that processes should be reviewed in addition to technologies.

A comprehensive security plan also includes policies and processes on what to do in the event of adverse incidents, such as a network breach. A breach-management policy should describe the response and review steps that should be taken by all key staff members, including IT personnel, senior management and clinicians. Some incidents go unreported for the simple reason that people believe it is someone else's responsibility.

5. Attest that the risk assessment has been completed.

Eligible professionals and hospitals can attest that the risk assessment has been completed by using CMS's online Registration and Attestation System, which asks a simple Yes/No question. Note that attestation is legally binding and that any provider who attests may potentially be subject to an audit. Retain documentation about the risk analysis and findings, as well as any corrections that were instituted.

Audits and regulations may offer some motivation and guidance on how to secure protected health information, but the deeper reason why organizations should address privacy and security comprehensively is that it is the right thing to do for patients.

Jared Rhoads is a senior research specialist with the Global Institute for Emerging Healthcare Practices, the applied research arm of CSC's Healthcare Group. More information on achieving comprehensive health IT privacy and security can be found here: http://www.csc.com/health_services/insights/69994-achieving_comprehensive_health_it_privacy_and_security.