HIPAA requires practices to have formal or informal policies or practices to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Unfortunately, many practices don’t understand how to conduct risk assessments and require assistance.
When the Department of Health and Human Services Office for Civil Rights completed its HIPAA audits of 115 covered entities in 2012, the lack of a risk assessment was the most common finding. In addition to being a HIPAA requirement, a risk assessment is also a requirement for receiving meaningful use incentives. This document aims to simplify and demystify the process.
Identify all systems that contain, process, or transmit ePHI.
Create a list of the practice’s business associates that create, receive, maintain or transmit ePHI for a function or activity regulated under HIPAA.
Go through HIPAA’s Privacy, Security and Breach Notification implementation specifications and provide responses that demonstrate and document the practice’s level of compliance. If the practice needs a framework for this portion of the assessment, consider using the OCR HIPAA Audit Protocol as a template. Add additional columns for your practice’s responses, compliance ranking and remediation recommendations.
Develop a rating system for your practice’s level of compliance with each specification. For any response that is less than 100% compliant, develop a remediation for that finding. For addressable specifications that your practice has chosen not to fully implement, describe and document the rationale for that decision.
Conduct a vulnerability analysis of your practice’s systems. Vulnerability analysis defines, identifies, and classifies security holes (vulnerabilities) in information systems and networks. These vulnerabilities include missing or improperly managed patches that affect system security and functionality. Additionally, vulnerability analysis can predict the effectiveness of your practice’s proposed countermeasures and evaluate their effectiveness once in place. Develop a remediation plan for addressing prioritized vulnerabilities and an ongoing, durable process for identifying and remediating vulnerabilities. This service will probably require an external vendor with experience in this area.
Conduct a penetration test of your practice’s systems. Penetration testing is an authorized, simulated attack on a computer system with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data. Penetration tests perform both network port/service identification and vulnerability scanning to identify hosts and services that could be targets for a real attacker. Develop a remediation plan for addressing prioritized findings and an ongoing, durable process for identifying and remediating the weaknesses found by scanning. This service will probably require an external vendor with experience in this area.
Develop a risk assessment report based on the results of the assessment. The report should outline your practice’s overall compliance posture and include a remediation strategy for addressing findings that do not completely satisfy a specification. Rate compliance on five levels: 0%, 25%, 50%, 75% and 100%. Stratify the level of compliance by standard.
Develop a durable process for conducting risk assessments, with a timeline for planning, executing and completing one each year. Use an external vendor to conduct the risk assessment every third year.
Structure of the report. The report should be structured in the following manner:
o An executive summary with a high level overview of the risk assessment findings.
o A brief description of the organization, including a description of the organization’s activities.
o The name of your organization’s current Privacy and Security Officer.
o A map of the organization’s IT environment that maintains, transfers, receives or processes electronic protected health information.
o A list of systems that maintain, transfer, receive or process electronic protected health information.
o A list of HIPAA controls, the organization’s responses to the controls, whether the responses fully satisfied the controls, the level of compliance, and recommendations for remediation if applicable.
Develop a management action plan to remediate the findings identified in the risk assessment. The plan should include reasonable timelines for completing the remediation.
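The rating, stratification and remediation steps above lend themselves to a simple tracking script. The following is an added example, not part of the original guidance: it enforces the five-level scale, flags responses that are missing a remediation or (for addressable specifications) a documented rationale, averages compliance per standard, and orders the findings for the management action plan. The standard and specification names in the sample data are constructed placeholders.

```python
from dataclasses import dataclass
from collections import defaultdict

# Five-level compliance scale from the report section above.
LEVELS = (0, 25, 50, 75, 100)


@dataclass
class ControlResponse:
    standard: str          # HIPAA standard the specification belongs to
    spec: str              # implementation specification
    kind: str              # "required" or "addressable"
    compliance: int        # one of LEVELS
    remediation: str = ""  # planned fix for a finding below 100%
    rationale: str = ""    # why an addressable spec was not fully implemented


def check_response(r):
    """Problems that keep one response out of the report; empty means report-ready."""
    problems = []
    if r.compliance not in LEVELS:
        problems.append(f"{r.spec}: compliance {r.compliance} is not one of {LEVELS}")
    if r.compliance < 100 and not r.remediation:
        problems.append(f"{r.spec}: below 100% but no remediation recorded")
    if r.kind == "addressable" and r.compliance < 100 and not r.rationale:
        problems.append(f"{r.spec}: addressable spec not fully implemented, no rationale documented")
    return problems


def stratify(responses):
    """Average compliance per standard, rounded to a whole percent."""
    by_std = defaultdict(list)
    for r in responses:
        by_std[r.standard].append(r.compliance)
    return {s: round(sum(v) / len(v)) for s, v in by_std.items()}


def remediation_plan(responses):
    """Findings that do not fully satisfy their specification, lowest compliance first."""
    return sorted((r for r in responses if r.compliance < 100), key=lambda r: r.compliance)


# Constructed sample responses; standard and specification names are illustrative only.
SAMPLE = [
    ControlResponse("Access Control", "Unique user identification", "required", 100),
    ControlResponse("Access Control", "Automatic logoff", "addressable", 50,
                    remediation="Enable idle logoff on all workstations"),
    ControlResponse("Audit Controls", "Audit logging of ePHI access", "required", 25,
                    remediation="Forward EHR access logs to a central log server"),
    ControlResponse("Audit Controls", "Log review", "required", 75, remediation="Weekly review"),
]
```

Running `check_response` over every row before generating the report catches the two documentation gaps the guidance requires you to close: a finding with no remediation, and an addressable specification left partially implemented with no written rationale.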