Cybersecurity risk management for healthcare organizations continues to be a perplexing issue. While it is explicit in the security management standard of the HIPAA Security Rule that a Covered Entity and their Business Associates must conduct an “accurate and thorough” risk analysis teamed with a plan to “implement security measures to reduce risks,” it is not immediately clear how this is to be accomplished.
The 2017 Office for Civil Rights (OCR) Audits for Covered Entities and Business Associates indicates that, in many cases, risk analyses and risk management are not being done or are not being done correctly. It was evident in the analysis of the audit results that there was a clear deficiency across many of the audited entities regarding risk analysis and risk management. Either they were not being done or they were deemed insufficient in their approach. The situation hasn’t improved much since 2017 and risk analysis and risk management are a top enforcement priority for the OCR and continue to be problematic for organizations.
The OCR is explicit in its guidance on conducting what the HIPAA Security Rule calls “Risk Analysis” and “Risk Management.” These terms are synonymous with “Risk Assessment” and “Risk Response” as defined by the National Institute of Standards and Technology (NIST) in their Special Publications 800-30 “Guide to Conducting Risk Assessments” and 800-39 “Managing Information Security Risk.” The OCR recommends in their “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule” to use these NIST guidelines for conducting a conforming risk analysis.
It is important to distinguish between a cybersecurity framework and a risk management framework when discussing risk assessments, risk management, or risk mitigation. Many healthcare organizations are substituting compliance with a cybersecurity controls framework for their risk management processes. Risk management is considered a domain within any existing cybersecurity framework including HITRUST, NIST, and ISO. Therefore, assessing your risk management compliance against a cybersecurity program framework is much different than performing a risk analysis or conducting risk response/risk management.
Can HIPAA risk analysis and risk management requirements harmonize with and support the HITRUST CSF, a certifiable risk- and compliance-based security and privacy framework? Absolutely! First, let’s review the regulatory requirements.
According to the OCR, a HIPAA conforming risk analysis must include nine elements1:
- Scope of the Analysis – Emphasis on the electronic Protected Health Information (“ePHI”) environment.
- Data Collection – Identification of where ePHI is being stored, received, maintained, or transmitted.
- Identify and Document Threats and Vulnerabilities – Identify reasonably anticipated threats to and vulnerabilities within a covered organization which could compromise the confidentiality, integrity, and/or availability of ePHI.
- Assess Current Security Measures – Evaluate and analyze security controls implemented to reduce risk exposure and safeguard ePHI.
- Determine the Likelihood of Threat Occurrence – Assess the likelihood of a threat exploiting a vulnerability given the implementation of existing security controls.
- Determine the Potential Impact of Threat Occurrence – Consider the “criticality” or impact of the system and/or data if it were to be exploited by a threat.
- Determine Level of Risk – A calculated value of the likelihood element multiplied by the impact element yields a risk level. NIST recommends using a 5 x 5 matrix of Very High, High, Moderate, Low and Very Low2. If a vulnerability is determined to be exploitable by a threat due to ineffective security measures/controls, the likelihood could be assessed as “Very High” or 5. If the information asset subject to exploitation has many thousands of ePHI records or is critical to operations, it could be assessed as a “Very High” or 5. When multiplied, a risk level or risk rating of 25 is determined.
- Finalize Documentation – As the OCR often says, “show your work.” Document the risks and identify strengths, weaknesses, deficiencies, etc., in the security controls associated with the threats and vulnerabilities. This documentation is a direct input to the risk management process.
- Periodic Reviews and Updates to the Risk Assessment – The risk analysis should be an ongoing process. To quote: “A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation”.
Having reviewed the regulatory requirements, let’s consider the HITRUST CSF Certification requirements. A major domain for certification is Domain 17 - Risk Management, which includes risk assessment, risk management, and risk mitigation requirements. HITRUST requires that a strong and comprehensive risk management program be in effect within an organization. Ideally, one would want a single, comprehensive risk assessment that conforms to HITRUST certification requirements, OCR guidance, Security Rule regulations, and industry-accepted best practices.
A comprehensive HIPAA risk analysis, one that addresses the 19 major domains of the HITRUST CSF and follows applicable OCR and NIST processes and methodologies, will ensure a single risk analysis can be used to meet the regulatory expectations of OCR and support the certification requirements of the HITRUST CSF. To adopt a turn of phrase, “Assess Once, Report Many”.
And finally, organizations should determine their risk threshold, also known as a risk appetite or tolerance, through a risk management governance process to determine an appropriate response to the findings of the risk analysis.