HIPAA Security Risk Analysis Best Practice Part 2

by | Oct 7, 2019

The scope of your SRA should include all IT assets that are involved in the creating, receiving, maintaining, or transmitting of e-PHI in your organization.

HIPAA has been a big part of my working life since the Privacy Rule was finalized in August of 2002 and subsequently went into effect in April of 2003. During the following 16+ years I have served as both HIPAA Privacy and Security Officers. I’ve also spent more than a decade consulting with healthcare organizations on how to navigate these regulations.

As a consultant, one of the areas I’ve spent the most time on is helping organizations conduct a security risk analysis (SRA) per Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This part of the regulation states:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

At the beginning of a security risk analysis, one of the first questions my consulting team and I always ask of clinical, business, and IT leadership is where they store electronic protected health information (e-PHI) within their organization. The answer in many cases is that they don’t maintain an inventory of systems with e-PHI. In a typical engagement we’re given a list of the most prominent EHR / HIS applications and other obvious systems where e-PHI is believed to be located. Our goal during the assessment is identifying where e-PHI really resides so that we can ensure the analysis has the proper scope. Without fail, our final list of systems that maintain e-PHI is significantly more extensive than the initial list provided by leadership.

Why is this? Quite simply, most organizations do not know all the locations of their e-PHI, or they don’t consider locations outside of the most obvious places. This has many operational ramifications and is also a significant barrier to assessing risk. Two questions we must ask:

  • If an organization doesn’t know where e-PHI lives, how can they properly assess the confidentiality, integrity, and accessibility risk of all e-PHI?
  • And, if they can’t appropriately assess the risk, how are they going to know what safeguards need to be put in place to protect it?

A failure to maintain an accurate inventory of systems with e-PHI is also a significant barrier to meeting the Office of Civil Rights (OCR) requirements for completing an SRA. In my previous “Best Practice” article, I discussed the nine elements that are included in the OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule. One of these nine elements—Data Collection—states:

An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented.

In addition to being a requirement, this is also a point of emphasis for OCR when conducting audits. If your HIPAA SRA documentation is missing key locations where e-PHI is maintained, then an auditor is likely going to conclude that the scope of your assessment was insufficient to appropriately determine risk. This will be obvious if there are classes of assets missing from your documentation such as medical devices, removable storage media, cloud storage, etc.

I cannot emphasize enough how critical it is that organizations maintain an accurate inventory of systems that store, receive, maintain, or transmit e-PHI. In order to maintain an accurate inventory, organizations must understand the flow of e-PHI through all of its clinical and business processes. It is also helpful to have an asset management system that can help with maintaining and managing this inventory and the tools to facilitate automated scanning of the network for e-PHI.

The WaveFire risk management platform has asset management built in. The platform can integrate with an organization’s existing enterprise asset management system or scanning software to ensure that all assets containing e-PHI are included in the SRA. And, as always, WaveFire is the easiest and fastest way to complete an OCR-ready SRA.

If you are interested in learning more about our platform or are concerned about your organization’s current state of HIPAA compliance, we can help. We invite you to contact us at info@wavefire.com or 877-583-2477.