We are often asked: “How do we prepare for a HIPAA Security Risk Analysis?”
The short answer is: “It’s easy!”
It’s actually better to be under-prepared than to delay the process in the hope of first stabilizing your IT environment and completing your documentation – both are dynamic, always in flux and will never be “done”. It’s better to get the risk analysis completed, as it will prioritize the important issues and direct limited organizational and IT resources to the most critical areas – which is about the most any busy health IT team can hope for. Waiting to be “done” often dilutes IT focus onto non-critical issues and delays compliance and/or the achievement of meaningful use objectives indefinitely. Furthermore, in our experience, there is nothing better at tying up loose ends in the IT environment than a date on the calendar for a HIPAA Security Risk Analysis.
That is not to say that some preparation will not smooth out the process. I thought I’d cover one aspect of preparation – inventorying electronic protected health information (ePHI). While preparing for a HIPAA Security Risk Analysis is simple, this one step can seem daunting. Before we discuss the process, let’s highlight the overall HIPAA Security Risk Analysis preparation steps – it’s really very easy. At a high level, all that is needed is to: gather some documentation, such as security policies, to have ready for the assessment team; have an assigned information security officer for your organization; and ensure that a liaison from the IT department is ready to work with the assessment team. The onsite portion of an assessment typically lasts only from a couple of days to a week for most healthcare organizations, so the onsite impact is short. While none of these steps are required for a HIPAA Security Risk Analysis to be performed, the more information that is ready and available for the assessment team, the less the team will need to interrupt their liaison during the course of the engagement.
Inventorying ePHI can be daunting; in fact it can feel impossible if the process is led by a non-technical person (for example, in compliance) without an intimate knowledge of the network. One effective way to provide the HIPAA Security Risk Analysis team with information on ePHI is to instead focus on the systems that create, store, manage and view that data – the applications. Doing an application inventory not only leads to the identification of important ePHI silos, but the effort can be delegated to business unit leaders by means of a questionnaire. In this way, the person responsible for the inventory can focus on creating the questionnaire, identifying the application owners and aggregating the responses at the end. The application details can be provided by the owner of each system. Here are some of the questions that can be included in a questionnaire:
- Vendor name
- Application name
- System owner
- Technical owner
- Does the system store ePHI?
- How many records are in the system?
- Do users have system administrator rights? (provide list)
- Are usernames unique or are they shared?
- Who is responsible to audit user lists for outdated accounts and inappropriate access rights?
- What is the current password policy? (length, complexity, expiration, lockout settings)
- Who is responsible for review of audit logs?
- What safeguards are in place to ensure integrity of data within the system and when transferred in/out of system?
- Is the application hosted offsite by an ASP?
- Is the application accessible via mobile device?
- Is any ePHI stored locally on a workstation or mobile device?
- Is local storage encrypted?
- Does the organization transmit any data outside the organization, or can offsite users or outside organizations access the data?
For each application identified in your health IT environment, send a questionnaire form to the system owner. Responses to the questionnaire can be tabulated in matrix form on a spreadsheet upon completion. This matrix provides an excellent source of ePHI and system information for the risk analysis team and provides an easy way to prioritize applications in terms of security risk. Also, because only a few key attributes are used to characterize these systems, it’s a manageable task for most system owners. This is similar to the approach we discussed for a systematic approach to managing business associate risk – it’s systematic and breaks the process down into manageable steps. While each healthcare organization’s questionnaire might look different depending on the specifics of the environment, the questions above give an idea of the nature of the questions that might be required. More information about how the assessment process maps to HIPAA, the HIPAA Security Rule, the HITECH Act and meaningful use can be found here: HIPAA Security Risk Analysis.
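As an added illustration (not from the original post), here is one way to turn the questionnaire responses into the matrix and priority order described above. The sample answers and the scoring weights are constructed assumptions; an organization would tune the weights to its own environment.

```python
import csv
import io

# Constructed sample answers to the questionnaire above (one dict per system owner).
# Values are hypothetical and exist only to exercise the tabulation logic.
RESPONSES = [
    {"application": "EHR", "vendor": "VendorA", "stores_ephi": True, "records": 250000,
     "shared_usernames": False, "local_ephi": False, "local_encrypted": True,
     "mobile_access": True, "hosted_offsite": True, "outside_access": True},
    {"application": "Lab Interface", "vendor": "VendorB", "stores_ephi": True, "records": 40000,
     "shared_usernames": True, "local_ephi": True, "local_encrypted": False,
     "mobile_access": False, "hosted_offsite": False, "outside_access": True},
    {"application": "Staff Scheduler", "vendor": "VendorC", "stores_ephi": False, "records": 300,
     "shared_usernames": True, "local_ephi": False, "local_encrypted": True,
     "mobile_access": True, "hosted_offsite": True, "outside_access": False},
]

def risk_score(r):
    """Assumed weighting: every answer that widens ePHI exposure adds points.
    A system that holds no ePHI scores 0 regardless of its other answers."""
    if not r["stores_ephi"]:
        return 0
    score = 1                                                   # baseline: holds ePHI
    score += 2 if r["records"] >= 100000 else 1 if r["records"] >= 10000 else 0
    score += 2 if r["shared_usernames"] else 0                  # no individual accountability
    score += 3 if r["local_ephi"] and not r["local_encrypted"] else 0  # unencrypted endpoint copies
    score += 1 if r["local_ephi"] else 0                        # ePHI outside the central system
    score += 1 if r["mobile_access"] else 0
    score += 1 if r["hosted_offsite"] else 0                    # business associate dependency
    score += 1 if r["outside_access"] else 0
    return score

def prioritize(responses):
    """Return (application, score) pairs, highest risk first, ties by name."""
    return sorted(((r["application"], risk_score(r)) for r in responses),
                  key=lambda p: (-p[1], p[0]))

def to_matrix_csv(responses):
    """Tabulate the answers plus the computed score into a spreadsheet-ready CSV."""
    fields = list(responses[0].keys()) + ["risk_score"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for r in responses:
        writer.writerow({**r, "risk_score": risk_score(r)})
    return buf.getvalue()

if __name__ == "__main__":
    for app, score in prioritize(RESPONSES):
        print(f"{score:2d}  {app}")
    print(to_matrix_csv(RESPONSES))
```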