D'Arcy Gue

Clearing Up Misconceptions About Security Risk Analysis

March 12, 2014

Categories: HIPAA & Security, Meaningful Use / MIPS

It is remarkable how many misconceptions about security risk analysis still exist among hospital executives, considering the acute importance of security in healthcare environments. Many of these misconceptions have their root in misunderstandings of the two core security management processes, Risk Analysis and Risk Management: a failure to understand exactly what the two processes involve, how they relate, and what is required for compliance with both HIPAA and Meaningful Use / MIPS.

To give healthcare providers a better understanding of these processes, I’ve written a detailed post that explains what a Security Risk Analysis is and how it relates to compliance with both HIPAA and Meaningful Use / MIPS.


What is a Security Risk Analysis?

The HIPAA regulations require covered entities to have a security management process (45 CFR 164.308(a)(1)).

This process consists of policies and procedures to prevent, detect, contain, and correct security violations. The following are required:

  • Risk analysis – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Risk management – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Let’s break this down —

  • Accurate and thorough assessment — an assessment that’s specific to your organization. You can’t just adapt something you see on the internet (I’ve seen this).  You certainly can’t implement a policy that says you do a risk analysis and then not do it (Yes, I’ve seen this too).
  • Of potential risks and vulnerabilities — I’ve seen quite a few security risk assessments that really are only listings of security measures, not assessments of potential risks.
  • To confidentiality, integrity, and availability of ePHI — You have to protect electronic Patient Health Information to make sure that it stays private, is available when you need it, and remains accurate.  Too many risk assessments address the confidentiality requirement and skip the other two.

Guidance on Risk Analysis

As is typical of HIPAA regulations, the one-sentence definition of risk analysis doesn’t really provide much guidance on how to conduct one. This is intentional. By leaving the rule itself broad, the regulators allow healthcare organizations considerable flexibility to implement the rule appropriately for their organization – you might easily imagine that a risk analysis for a single-doctor practice would look very different from one for a large health insurance company.

Fortunately, HHS has provided some guidance on how to proceed.  This very helpful nine-page document provides provider entities with specific guidance on:

  • Identifying the Scope of the Analysis
  • Performing Data Collection
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk
  • Documenting the Risk Analysis Process
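The steps above, and the earlier point that an assessment must rate integrity and availability as well as confidentiality, map naturally onto a risk register. The following Python is an added example written for this post; it is not code from the post, from HHS, or from the ONC tool mentioned below. The 3×3 likelihood-by-impact matrix, the `RiskItem` fields and the sample assets, threats and ratings are all assumptions constructed for illustration, not findings from any real organization; an organization adopting this approach would document its own scale and rationale.

```python
"""Added example: a minimal risk register that walks the HHS/NIST-style steps
(scope, threats and vulnerabilities, current controls, likelihood, impact,
risk level, documentation).  All sample data below is constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


CIA = ("confidentiality", "integrity", "availability")

# Assumed 3x3 qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk level.
# Illustrative only; a real register documents the scale it actually uses.
RISK_MATRIX = {
    Level.LOW:      {Level.LOW: Level.LOW,      Level.MODERATE: Level.LOW,      Level.HIGH: Level.MODERATE},
    Level.MODERATE: {Level.LOW: Level.LOW,      Level.MODERATE: Level.MODERATE, Level.HIGH: Level.HIGH},
    Level.HIGH:     {Level.LOW: Level.MODERATE, Level.MODERATE: Level.HIGH,     Level.HIGH: Level.HIGH},
}


@dataclass
class RiskItem:
    asset: str              # in-scope system that stores or processes ePHI
    threat: str             # what could go wrong
    vulnerability: str      # weakness that lets the threat succeed
    current_controls: list  # step: assess current security measures
    likelihood: Level       # step: likelihood of threat occurrence
    impact: dict            # CIA dimension -> Level (step: potential impact)
    rationale: str = ""     # why the ratings were chosen (documentation step)


def missing_dimensions(item):
    """CIA dimensions the item never rated (the confidentiality-only mistake)."""
    return [d for d in CIA if d not in item.impact]


def assess(item):
    """Per-dimension risk plus the overall level (the worst dimension)."""
    gaps = missing_dimensions(item)
    if gaps:
        raise ValueError(f"{item.asset}: impact not rated for {', '.join(gaps)}")
    per_dim = {d: RISK_MATRIX[item.likelihood][item.impact[d]] for d in CIA}
    return {"per_dimension": per_dim, "overall": max(per_dim.values())}


def build_register(items):
    """Documented register: complete items ranked by risk, plus the items that
    cannot be scored yet and which dimensions they still need rated."""
    scored, incomplete = [], []
    for item in items:
        gaps = missing_dimensions(item)
        if gaps:
            incomplete.append({"asset": item.asset, "threat": item.threat, "missing": gaps})
            continue
        result = assess(item)
        scored.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "current_controls": list(item.current_controls),
            "likelihood": item.likelihood.name,
            "impact": {d: lvl.name for d, lvl in item.impact.items()},
            "risk": result["overall"].name,
            "risk_by_dimension": {d: lvl.name for d, lvl in result["per_dimension"].items()},
            "rationale": item.rationale,
        })
    scored.sort(key=lambda r: Level[r["risk"]], reverse=True)  # stable: ties keep input order
    return {"scored": scored, "incomplete": incomplete}


# Constructed sample entries (hypothetical, for illustration only).
SAMPLE_ITEMS = [
    RiskItem("EHR database server", "ransomware", "backups reachable from the same network",
             ["endpoint anti-malware", "nightly backups"], Level.MODERATE,
             {"confidentiality": Level.HIGH, "integrity": Level.HIGH, "availability": Level.HIGH},
             "Loss of the primary ePHI store affects all three dimensions."),
    RiskItem("billing staff laptop", "loss or theft", "no full-disk encryption",
             ["login password"], Level.HIGH,
             {"confidentiality": Level.HIGH, "integrity": Level.LOW, "availability": Level.LOW},
             "Laptops leave the building daily; data is synced elsewhere, so I/A impact is low."),
    RiskItem("patient portal", "volumetric denial of service", "no upstream rate limiting",
             ["CDN"], Level.LOW,
             {"confidentiality": Level.LOW, "integrity": Level.LOW, "availability": Level.MODERATE},
             "A portal outage delays appointment booking but no clinical workflow."),
    RiskItem("fax-to-email gateway", "misdirected transmission", "manual number entry",
             ["cover sheet"], Level.MODERATE,
             {"confidentiality": Level.MODERATE},   # integrity and availability never rated
             ""),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ITEMMS if False else SAMPLE_ITEMS)
    for row in register["scored"]:
        print(f"{row['risk']:<8} {row['asset']}: {row['threat']} ({row['vulnerability']})")
    for gap in register["incomplete"]:
        print(f"INCOMPLETE {gap['asset']}: rate {', '.join(gap['missing'])} before scoring")
```

The register refuses to score an item until all three dimensions are rated, which is exactly the gap the post describes in assessments that stop at confidentiality. Keeping the controls, ratings and rationale on each row is what turns the analysis into the retained documentation the next sections say auditors expect.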

If you are interested in even more detail, the National Institute of Standards and Technology Guide for Conducting Risk Assessments (SP 800-30 Rev. 1) provides an excellent description of the risk analysis process. Note that this resource was written with large Federal agencies in mind, but it is the definitive source for the risk analysis process and is often cited by the healthcare standards bodies as a reference.

Finally, the Office of the National Coordinator for Health IT (ONC) announced at HIMSS on February 25th that they would be releasing an application within the next two weeks to assist providers with performing a risk analysis and the critical task of retaining documentation that shows the organization’s thought process through the risk analysis.

Security Risk Analysis and Meaningful Use / MIPS

One of the reasons the Security Risk Analysis is getting so much attention is that conducting one is also required for Meaningful Use / MIPS. Specifically, the Meaningful Use / MIPS rules call for organizations to “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Note that the Meaningful Use / MIPS regulation refers directly back to 164.308(a)(1), the specific section of HIPAA where the Risk Analysis is discussed.

Many people mistakenly believe that the requirement for a risk assessment is different under Meaningful Use / MIPS, possibly because the HIPAA regulations refer to ePHI, and the Meaningful Use / MIPS rules relate to specific usage of Certified EHR technology.  This is not the case. In the comments included in the Meaningful Use / MIPS final rule, the regulators state:

“We did not propose to change the HIPAA Security Rule requirements, or require any more under this measure than is required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

The only practical difference between the two rules is that the certification requirements for Meaningful Use / MIPS require the risk analysis to be conducted or reviewed “during the measurement period”, which effectively requires that it be done annually.

Security Risk Analysis is a Foundation

It is critical to realize that the risk analysis, by itself, doesn’t make an organization any more secure. You can conduct the most detailed risk analysis possible, but at the end of the meeting where the final product is approved and accepted by the organization, you are no more secure than when you started. The analysis, however, is absolutely essential to an effective security risk management program, which is also required under 45 CFR 164.308(a)(1) and the Meaningful Use / MIPS rules.  We will discuss the elements of a security risk management program in a later post.

Using External Help

Many providers, using the guidance of the sources listed above, can perform a reasonable and appropriate risk analysis, but many others cannot. An external consultant can provide templates, methodology, and critical guidance for the risk analysis, but the actual decisions about risk and risk tolerance can only be made by the appropriate governing body for your organization. If you have questions, or would like to discuss how Phoenix’ expert consultants can guide you in this critical process, contact us.
