Latest round of OCR audits highlight HIPAA risk analysis and risk management shortcomings

John Piotrowski, Senior Consultant, Healthcare Cyber Risk Services, Coalfire

Phase 2 OCR audit summary

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has released its latest report with findings from their 2016 and 2017 series of audits as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)/HITECH Privacy, Security, and Breach Notification Rules (HIPAA Rules).

In all, 166 covered entities (CEs) and 41 business associates (BAs) underwent audits against the HIPAA Rules. While compliance with breach notification and posting Notice of Privacy Practices (NPP) were found to rate well, most covered entities came up short in the remaining five areas that were audited. The majority of covered entities did not meet requirements for:

  • Properly safeguarding protected health information (PHI)
  • Ensuring the right of individual access
  • Providing appropriate content in their NPP

And finally, the majority of CEs and BAs failed to adhere to requirements for risk analysis and risk management, despite provisions from the prior set of audits conducted in 2012. Ultimately, over 80% of audit ratings did not meet appropriate compliance activities for risk analysis and risk management.

Risk analysis and risk management audit background

Now, one may ask, “why are risk analysis and risk management requirements not being met for something that’s been around for a quarter century?” The answer is: there has consistently been a failure to perform a risk analysis as defined in the OCR methodology. OCR has defined a nine-step process and recommends the use of NIST (National Institute of Standards and Technology) information security products to meet the HIPAA Security Rule Implementation Specifications for Risk Analysis and Risk Management. If this first step isn’t taken, then there is a high likelihood that an entity will fall in the 80% of those who don’t meet sufficient HIPAA risk analysis and risk management practices.

The following question will likely be, “Okay, so how do we follow protocol for conducting a risk analysis with merit and maintain an effective, ongoing risk management program moving forward?” First, don’t do what most audited entities have done, which includes:

  • Performing a “check-the-box” analysis that does not adhere to the nine essential elements of an OCR risk analysis.
    • Many entities believe this option to be cost-effective. A more accurate term would be “insufficient.”
  • Assign risk responsibilities to in-house staff where identifying high security risks conflicts with their self-interests. Work can quickly become skewed and cover up legitimate risks.

The above tactics have a history of resulting in financial, operational, and reputational harm. Failure to invest in effective resources in the short term can render costs much higher in the long run.

Additionally, the healthcare industry has an extensive amount of legacy systems and processes that increase attack surfaces from both inside and outside actors. A comprehensive risk management program can make significant inroads into reducing or even eliminating risk that otherwise wouldn’t be discovered without conducting an OCR-ready risk analysis and remediation.

Coalfire risk analysis and risk management methodology


Risk Analysis

A Coalfire risk analysis focuses on providing clients with a defensible, OCR-ready, risk analysis and risk management plan that aligns and conforms with the HIPAA Security Rule Standards and Implementation Specifications including 45 C.F.R. § 164.308(a)(1)(ii)(A) and 45 C.F.R. § 164.308(a)(1)(ii)(B) and OCR “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule.”

Several strategies are practiced by Coalfire in order to differentiate itself from the risk analysis and risk management practices that have been deemed insufficient in four out of every five OCR audits.

Requirement

Other Practices (>80%)

Coalfire Practices

Thorough analysis of threats to PHI

“Check-the-box” assessment of HIPAA Rules requirements

In-depth environmental analysis of all PHI assets

Industry best practices for risk analysis methodology

Home-grown processes

Finely tuned methodology built on OCR and NIST requirements and standards

Consultant expertise

First- or second-year associate consultants handling other industry verticals

Senior consultants with 5+ years specializing in healthcare risk

OCR-ready reports

Unfamiliar with OCR’s nine essential elements of a HIPAA risk analysis

Reports accepted by OCR as reasonable and appropriate in addressing Risk Analysis and Risk Management requirements

Partnership in cybersecurity

“One and done” project

Multi-year deals with clients that recognize the value added to long-term Information Security Management Programs


Risk Management

Coalfire’s information security risk management methodology assesses the threat environment to determine potential vulnerabilities related to:

  • Administrative Safeguards
  • Technical Safeguards
  • Documentation Controls
  • Physical Safeguards
  • Privacy Safeguards

Coalfire’s approach implements key provisions of the NIST Risk Management Framework (RMF) document compendium (e.g., SP 800-30, 37, 39, 53, and 66) as recommended by OCR. Additional threats and vulnerabilities related to the ePHI (electronic protected health information) environments, which do not have specific HIPAA references but are important cybersecurity concerns, will be assessed to ensure a “comprehensive and thorough” set of deliverables.

The full audit report is available at HHS.

John Piotrowski

Author

John Piotrowski — Senior Consultant, Healthcare Cyber Risk Services, Coalfire

Recent Posts

Post Topics

Archives

Tags

Top