Cyber Risk Advisory

Avoid oversights in HIPAA risk management

Rich Curtiss sm jpg

Rich Curtiss

Director, Healthcare Cyber Risk Services, Coalfire

Blog Images 2022 hipaa tile

Since HIPAA regulations first came about in 1996, organizations have looked for ways to analyze and manage risk within this complex framework. Although guided by the HIPAA Security Rule as well as additional guidance from the U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR), healthcare entities and business associates still struggle with the cybersecurity risk analysis component.

Recent industry report summary

The recently released 2016/17 OCR HIPAA Audits Industry Report details common oversights that entities and associates make in compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The findings included:

  • The struggle is real. Consistent with the findings of the Phase 1 audits, covered entities still struggle to implement the Security Rule’s requirements of risk analysis and risk management.
  • No risk requirement implementation. Most covered entities and business associates did not implement the HIPAA Security Rule requirements for risk analysis and risk management.
  • Entities struggled to:
    • Identify and assess the risks to all the electronic Protected Health Information (ePHI) in their possession.
    • Develop and implement policies and procedures for conducting a risk analysis.
    • Identify threats and vulnerabilities, to consider their potential likelihoods and impacts, and to rate the risk to ePHI.
    • Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
    • Conduct risk analyses consistent with policies and procedures.
  • Documentation of effort. Another common challenge was documenting efforts to develop, maintain, and update policies and procedures, and then use them to conduct risk analyses.
  • Providing irrelevant documentation. Some entities provided irrelevant documentation, for example, a document that describes a patient’s insurance prescription coverage and rights; a document that discusses pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page. Additionally, providers commonly submitted documentation of security activities of a third-party security vendor but did not provide documentation of any risk analysis that served as the basis of the activities, which is a requirement under the HIPAA Security Rule.
  • Assuming third-party work equals compliance. Many entities utilize and rely on outside agencies to manage or perform risk analyses for their organizations; however, these third-party companies were also challenged to meet the requirements. The report found an assumption that a purchased security product satisfied all Security Rule requirements. However, the ultimate responsibility to maintain an appropriate risk analysis is the entity, so it is essential that entities understand and comply with risk analysis requirements in order to appropriately safeguard PHI.

OCR succinctly concludes: “Both covered entities and business associates failed to implement effective risk analysis and risk management activities to safeguard ePHI.”

Why this broad-scale failure? One reason might lay with who manages HIPAA cybersecurity in an organization. Many organizations elect to include HIPAA’s cybersecurity requirements under the chief compliance officer or senior legal counsel instead of the Chief Information Officer (CIO) or Chief Information Security Officer (CISO). When these requirements fall under the compliance umbrella, organizations miss the opportunity to improve the enterprise’s overall security posture. This can result in an unintentionally higher risk profile for the organization.

A risky scenario

Let’s build a hypothetical but very real scenario to better understand how the challenges noted in the report can play out.

  • A healthcare organization conducts a risk analysis that simply assesses each of the HIPAA Security Rule Standards and Implementation Specifications and assigns a High, Medium, or Low finding with a few observations of security control deficiencies or gaps related to the specific specification.
  • A provider has their unencrypted laptop stolen from their vehicle, resulting in a reportable OCR breach.
  • OCR responds, asking for a copy of the latest HIPAA risk analysis and risk management plan.
  • The healthcare organization submits the HIPAA risk analysis.
  • OCR reviews the risk analysis and determines it is insufficient because it is a HIPAA gap analysis and not a risk analysis.
  • OCR continues their investigation which results in a settlement action, resolution agreement, and corrective action plan.
  • Part of the corrective action plan is to conduct a risk analysis, identify risk treatment, and submit to OCR for review within a certain timeframe.
  • OCR will continue to monitor the organization for two to three years, frequently asking for updates.

In this scenario, the lack of a sufficient risk analysis and absence of any risk management contribute significantly to final resolution agreement. If the organization is determined to be in “systemic non-compliance” with the risk analysis and risk management specifications, the outcomes become more severe and expensive.

OCR considers cybersecurity risk management to be “foundational” to the confidentiality, integrity, and availability of ePHI data and assets. Most cybersecurity frameworks including NIST, HITRUST, ISO, and others include risk management as a domain or critical component of a properly implemented cybersecurity program. Organizations who place the responsibility for HIPAA cybersecurity compliance under the CIO or CISO’s purview are more apt to avoid these kinds of risk-prone incidents because of their broad attention to overall system security.

One of the best ways to meet the challenge of regulatory environments like HIPAA is to take a strategic approach to managing risk. In particular, perform annualized enterprise risk analyses and technical controls testing, ensuring that you’re capturing risks and control weaknesses. By implementing this best practice, compliance with regulatory requirements becomes a foundational element of your organization and improves your overall cyber risk posture.