HHS Updates Security Risk Assessment Tool

But Why Is Conducting a Risk Analysis So Challenging for So Many Organizations?
The Department of Health and Human Services has updated its HIPAA security risk assessment tool to better assist small and mid-sized healthcare entities and their vendors in performing a comprehensive risk analysis.
Failure to conduct a risk assessment has been a weakness repeatedly identified in HHS breach investigations involving organizations of all sizes, including in the recent $16 million HIPAA settlement with Anthem (see Anthem Mega Breach: Record $16 Million HIPAA Settlement).
The enhanced SRA tool - a collaborative offering by HHS' Office of the National Coordinator for Health IT and the Office for Civil Rights - is designed to help covered entities with 10 or fewer healthcare providers - as well as their business associates - identify risks and vulnerabilities to electronic protected health information.
"The updated tool provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI," the agencies note in a statement.
New features of the tool include:
- Enhanced user interface;
- Modular workflow with question branching logic;
- Custom assessment logic;
- Progress tracker;
- Improved threats and vulnerabilities ratings;
- Detailed reports;
- Functionality for tracking business associates and assets.
"The new SRA tool is a vast improvement over the previous versions," says Tom Walsh, president of consulting firm tw-Security. But even the updated version has its limitations, he argues.
"While the target audience is supposed to be 'practice managers,' I seriously doubt that the average practice manager could complete the questions by themselves," he says. "They would likely have to work on it with their IT person present to help them answer the questions."
Walsh also questions whether IT support staff would have enough understanding of HIPAA or information security to answer the questions. "For example, most IT techs working with clinics or physician practices would not know what 'NIST SP 800-88' means or the requirements of the HIPAA rules."
Indeed, conducting a security risk assessment has been an ongoing challenge for many healthcare organizations.
"Risk analysis and risk management is the basis of a HIPAA compliance program," says independent attorney Paul Hales. Findings of OCR's HIPAA compliance audits "indicate failure to perform a risk analysis ... is at the heart of our national health privacy information crisis, with more than 177 million Americans affected by a breach of their PHI since record-keeping began in September 2009," he says.
The topic of risk assessment sounds daunting to many organizations, both large and small, says Kate Borten, president of the security and privacy consultancy The Marblehead Group. "Some government agencies may have dedicated teams who live and breathe risk assessment, but it's like a foreign language to many CEs and BAs," she says.
"I encourage every organization's security team, or whoever will conduct the assessment, to start by learning the basic terminology, including threat, vulnerability, impact and likelihood, and their relationships. Understanding what is a threat, versus a vulnerability, for example, helps make risk assessment more meaningful and practical."
Healthcare organizations also must recognize that risk criticality ratings "are only relative and subjective," Borten says. "So don't go crazy trying to get the ratings perfect. The more important goals are to identify risks and mitigate them."
Risk mitigation can include using any combination of tools, including administrative, physical and technical controls, the consultant points out. "And some risks are unavoidable - such as with weak vendor software that is being replaced in six months; in those cases, implement compensating controls."
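As an added illustration (not the HHS SRA tool, and not the method of any consultant quoted here), the Python below builds a small risk register the way Borten describes it: every entry pairs a threat with the vulnerability it could exploit on a specific asset, carries relative 1-5 likelihood and impact ratings, and is ranked so that the output is a priority list rather than a set of "perfect" numbers. It also flags any system holding ePHI that has no entry at all, and records compensating controls with an expiry date for an unavoidable risk such as vendor software due for replacement. All assets, threats, weaknesses, ratings and dates are constructed sample data.

```python
"""Constructed risk-register example for a HIPAA security risk analysis.

Not the HHS SRA tool. Every asset, threat, vulnerability, rating and date
below is invented sample data used only to show how the pieces relate.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    stores_phi: bool   # only systems holding ePHI must appear in the register
    owner: str


@dataclass
class Risk:
    asset: Asset
    threat: str                     # who or what could act against the asset
    vulnerability: str              # the weakness that threat could exploit
    likelihood: int                 # 1 (rare) .. 5 (almost certain), relative
    impact: int                     # 1 (negligible) .. 5 (severe), relative
    controls: List[str] = field(default_factory=list)  # mitigating/compensating
    accepted_until: Optional[date] = None  # date a planned fix/replacement lands

    def score(self) -> int:
        # Relative ranking only; the product has no absolute meaning.
        return self.likelihood * self.impact


def level(score: int) -> str:
    """Band a relative score so the register is readable at a glance."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def unassessed_phi_assets(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """Inventory check: ePHI systems with no risk entry are a gap in the analysis."""
    covered = {r.asset.name for r in risks}
    return [a.name for a in assets if a.stores_phi and a.name not in covered]


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest relative score first; ties broken by asset name for stable output."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset.name))


def treatment(risk: Risk, today: date) -> str:
    """Decide how a risk is handled this cycle, honouring accepted-until dates."""
    if risk.accepted_until is not None:
        if today > risk.accepted_until:
            return "OVERDUE: planned replacement date passed; re-assess"
        return f"compensating controls until {risk.accepted_until.isoformat()}"
    band = level(risk.score())
    if band == "High":
        return "mitigate now"
    if band == "Medium":
        return "mitigate this cycle"
    return "accept and monitor"


# --- constructed sample inventory and register -----------------------------
EHR = Asset("EHR system", stores_phi=True, owner="Clinical IT")
BILLING = Asset("Billing application", stores_phi=True, owner="Revenue cycle")
IMAGING = Asset("Imaging archive", stores_phi=True, owner="Radiology")
WEBSITE = Asset("Public website", stores_phi=False, owner="Marketing")
SAMPLE_ASSETS = [EHR, BILLING, IMAGING, WEBSITE]

SAMPLE_RISKS = [
    Risk(EHR, "Ransomware delivered by phishing",
         "Workstations patched irregularly; no email filtering", 4, 5,
         ["monthly patch cadence", "email filtering", "offline backups"]),
    Risk(BILLING, "Access by former staff",
         "Vendor portal accounts not removed at termination", 3, 4,
         ["termination checklist with vendor account removal"]),
    Risk(BILLING, "Exploitation of unsupported vendor software",
         "Vendor product no longer receives security updates", 3, 4,
         ["network segmentation", "enhanced logging"],
         accepted_until=date(2019, 4, 30)),   # constructed replacement date
    Risk(EHR, "Data loss from hardware failure",
         "Single server; restores never tested", 2, 5, ["quarterly restore test"]),
]


def report(assets: List[Asset], risks: List[Risk], today: date) -> List[str]:
    """Point-in-time register: dated, ranked, with inventory gaps listed last."""
    lines = [f"Risk register as of {today.isoformat()}"]
    for r in prioritize(risks):
        lines.append(f"{level(r.score()):6} {r.score():2}  {r.asset.name}: "
                     f"{r.threat} via {r.vulnerability} -> {treatment(r, today)}")
    for name in unassessed_phi_assets(assets, risks):
        lines.append(f"GAP    --  {name}: stores ePHI but has no risk entry")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ASSETS, SAMPLE_RISKS, date(2018, 11, 1))))
```

The ratings are deliberately coarse bands, which matches Borten's point that criticality ratings are relative; what the register adds is the explicit threat-to-vulnerability pairing, the inventory gap check Walsh and Finn describe, and a recorded end date for compensating controls so an "unavoidable" risk does not silently become a permanent one.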
And it's not just smaller organizations that struggle with risk assessments.
"Each application and system that stores PHI must be assessed. That's difficult to accomplish in larger organizations where they may have upwards of 200 applications and hundreds of systems that store or process PHI," Walsh notes.
"Also, these are moving targets. New applications and systems are being added as older systems are retired. Many organizations are understaffed in the area of information security."
So why do so many organizations stumble with conducting a timely, comprehensive, enterprisewide security risk analysis?
"Frequently, the task is so overwhelming that organizations shortcut or skip phases - a complete inventory of all your hardware, software and data. And we're not even looking at people, access, workflows at this point," says former healthcare CIO David Finn, executive vice president of the security consultancy CynergisTek.
"Things change constantly in healthcare - people, workflows, technology. So being timely will always be an issue," he says. "But you have to have a reasonable view of your risk posture and remember that we tend to think of this as an IT or security issue but this is really about enterprise risk."
Although technical security is important, organizations must take a broader look at risks, Finn stresses. "What could happen to the business if this system is lost? How bad could it be? Care interrupted? Can't bill? If it costs $300,000 to mitigate that risk, is that worth it?"
But once an organization paints a complete picture of its risk, the former CIO says, "keeping things current and up to date should be easier."
Every risk assessment is "a point-in-time exercise," notes former healthcare CISO Mark Johnson, a shareholder at consulting firm LBMC Information Security. "From one perspective, when it's completed, it is 'out of date.' But the reality is that a risk assessment should drive your program and prioritize your efforts to manage your risk profile," he says.
"The very best cyber programs I've worked with in my clients understand that and drive their programs to manage their risks. But they still have risks. There is a fallacy that I think needs to be addressed that seems to be fostered by regulators sometimes automatically assuming a risk assessment is incomplete or inadequate if something goes wrong. Risk assessments are snapshots in time that are designed to help manage things that are uncertain in the future," Johnson adds.
Meanwhile, Walsh notes that no specific timeline requirement is laid out in the HIPAA Security Rule for how frequently organizations should conduct a risk analysis.
"However, most healthcare organizations are doing an annual risk analysis that addresses their electronic health records ... and the supporting systems to coincide with their attestations" for HITECH Act financial incentives, which were previously called "meaningful use" but are now called "promoting interoperability," Walsh points out.
"Guidelines have been that a risk analysis needs to be updated whenever there is a significant change or at least once every three years," the consultant says. "Given the ever-changing IT environment, it's hard to imagine going three years with no significant change."
Risk assessments shouldn't be seen as just one big annual event, Borten adds.
"While your organization may plan an annual assessment, small risk assessments occur frequently and may go unnoticed," she says. For example, when an IT department makes a decision to implement one approach over another, security should be a major factor, and the risk and outcome should be documented, she says.
"It's also easier to carry out many risk assessments with limited scope on a rolling schedule, rather than trying to do one comprehensive effort," she says.