Governance & Risk Management , HIPAA/HITECH , Risk Assessments

HHS Updates Security Risk Assessment Tool

Why Do So Many Entities Still Struggle with Security Risk Analysis?
HHS Updates Security Risk Assessment Tool

Many HIPAA enforcement actions taken by federal regulators have chastised organizations for their poor security risk assessments. In light of this ongoing challenge, The Department of Health and Human Services has released an updated version of its security risk assessment tool, which includes enhancements such as improved asset and vendor risk management features.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

”The risk assessment process remains the single most challenging component of HIPAA Security Rule compliance - and realistically for compliance with any security requirement,” notes privacy attorney Kirk Nahra of the law firm WilmerHale. “The new HHS guidance is certainly helpful in guiding companies in this area.”

Fighting Against Threats

The Security Risk Assessment Tool, Version 3.1 was jointly developed by HHS’ Office for Civil Rights – which enforces HIPAA, and the Office of the National Coordinator for Health Information Technology, which promotes the adoption of health IT and secure national health information exchange.

The tool is primarily designed to aid small and midsized healthcare organizations in their efforts to assess security risks to help reduce the chance of being affected by malware, ransomware, and other cyberattacks, HHS says in a statement.

Some experts note, however, that larger institutions can also benefit from using the HHS tool.

“Large organizations can benefit from reviewing the tool to either confirm that their approach includes what is in the tool or identify opportunities for improvement in what they’ve established,” says Keith Fricke, principal consultant at tw-Security.

Risk assessments continue to be an intimidating requirement for many organizations, notes Kate Borten, president of privacy and security consultancy The Marblehead Group.

”There's no black-and-white approach, so the inherent flexibility and broad scope can be hard to grasp and manage,” she says. “Most often, that can be combated with good understanding of the basics of risk assessment. Regrettably, too many healthcare IT and security leaders have not learned those basics.”

Enhanced Tools

The latest version of the tool includes functionality updates based on feedback received, HHS says. New features include:

  • Threat and vulnerability validation;
  • Improved asset and vendor management, including multi-select and delete functions;
  • Incorporation of the National Institute of Standards and Technology’s Cybersecurity Framework references;
  • The capability to export the assessment’s “detailed report” to Excel;
  • The addition of security risk assessment question-flagging and a “flagged report."

Fricke says the new threat and vulnerability management features are among the most critical for entities that are striving to improve their risk management efforts. “This is a core aspect of a security risk management program and an important part of a security risk analysis,” he says.

Ongoing Challenge

In most of the approximately 60 HIPAA settlements issued by OCR to date, risk assessment has been noted as a top weakness of covered entities and business associates that have come under scrutiny for breaches and privacy and security complaints.

For instance, in May, OCR signed a $100,000 settlement with Fort Wayne, Indiana-based Medical Informatics Engineering, a cloud-based electronic health records vendor, after an investigation of a breach. In that settlement, the agency said its investigation revealed “that MIE did not conduct a comprehensive risk analysis prior to the breach.”

"Risk analyses can sometimes focus on the technical controls in place and pay little or no attention to the risks created by a workforce not properly educated on security awareness topics."
—Keith Fricke, tw-Security

The HIPAA rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of an entity’s electronic protected health information, HHS notes.

A key challenge, Fricke says, is that “smaller covered entities and business associates may not have knowledgeable IT staff properly versed in how to conduct a security risk analysis. In other cases, there is a misunderstanding that a compliance checklist is the same as a risk analysis – they are not.”

Because so many organizations lack a documented inventory of all PHI systems, he says, “they can’t assess what they don’t know exists.”

Another key reason why security risk assessments are so difficult for many organizations, according to Nahra, is that “it essentially covers everything - it looks like just one of many elements of the security rule, but you could turn most HIPAA security processes into two steps - risk assessment and risk management.”

Organizations of all sizes need to pay careful attention to the risk analysis issue and manage it on an ongoing basis, Nahra says. “That means covering everything when you do a core risk assessment, and then ensuring that you stay abreast of changes, either in your business operations or in the overall security context.”

Weak Spots

So what common areas of security risk do many organizations overlook in their assessments?

”People are the weakest link in security,” Fricke says. “People fall victim to phishing attacks. Risk analyses can sometimes focus on the technical controls in place and pay little or no attention to the risks created by a workforce not properly educated on security awareness topics.”

Disaster recovery and business continuity preparedness can be another overlooked area, especially when considering how well prepared the organization is to deal with ransomware incidents, Fricke adds.

”Ransomware often causes downtime, shining a light on the maturity of disaster recovery and business continuity processes.”

Often, covered entities and business associates focus on looking for tools to secure devices and networks, Borten notes. “While that is crucial to any security program, it is only one part. Robust security programs must encompass the physical controls, and, especially, the numerous administrative processes described in the HIPAA Security Rule and NIST Cybersecurity Framework.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.