There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the respective references in Meaningful Use prescribe the exact form or format of a HIPAA Security Risk Analysis. So it is not surprising that so many enterprising professionals will offer their “version” of how a third-party firm can address this scope of work.
What is surprising is how little security knowledge most of these otherwise well-meaning folks have. My favorites are the HIPAA compliance consultants who claim to have “been doing this for 25+ years.” Err… the HIPAA Security Rule has only been in effect since April of 2005. Even if you wrote the HIPAA Security Rule yourself (you didn’t; John Parmigiani did), you might be able to claim 15 years’ experience. And most of that would have been before there was even any ePHI to protect. You know the old joke about experience – do you have 15 years’ experience or 1 year of experience that you repeated 15 times?
I’m not knocking age or experience (I’m no spring chicken, myself) but with IT security in particular, you better be up-to-date. Think of the changes in IT just in the last few years with the proliferation of mobile devices, cloud-based storage, and web/mobile applications. Consider how the lines have blurred between corporate and individual technology use. New technology almost always enables exciting advancements in productivity, increased efficiencies, and improved quality of life (both at work and in your personal life). Yet the unavoidable consequence in the case of electronic health records is dramatically increased security risks.
There are great policy and compliance consultants. We know because we employ many of them at Redspin. But unlike other firms, we have our compliance experts work in tandem with our security engineering team. Policies and procedures alone do not make your IT environment secure. Nor do scopes of work that promise to compare your security to the OCR audit protocols. Compliance is not security. If I am going to hire a third-party company to conduct a HIPAA Security Risk Analysis, I’d want that firm to identify the biggest security risks to my ability to safeguard PHI. And, I’d want actionable recommendations on how to mitigate those risks. You can’t do that unless you know what and where your technical vulnerabilities are.
That involves highly trained security engineers conducting sophisticated vulnerability testing on your networks, servers, applications, workstations, and mobile devices. It involves evaluating what controls you have in place (including an evaluation of the settings on your certified EHR technology): not just whether they exist, but how well they are working. It involves testing your employees’ security awareness – not whether they have completed another cartoonish HIPAA security web training course – but whether they actually understand and put into practice what constitutes acceptable IT security behavior.
And it involves commitment. IT security is a process, not a project. It is about risk reduction, not compliance spreadsheets. It involves a continuous cycle of testing, risk analysis, remediation, and retesting. It involves metrics so you can measure and demonstrate improvement. It includes a comprehensive security awareness program, one that not only enforces policies with real consequences but also rewards employees when they have paid exemplary attention to security issues.
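To make the test / risk analysis / remediation / retest cycle concrete, here is an added example of a minimal risk register that scores each technical finding by likelihood and impact, orders remediation by that score, and reports per-cycle metrics (open high-risk findings, residual risk, time to remediate) so improvement can be shown across cycles. This is illustration written for this post, not Redspin’s tooling or any official HIPAA instrument; the 1–5 scales, the high/medium/low thresholds and the findings themselves are constructed.

```python
"""Risk register for a test -> analyse -> remediate -> retest cycle.

Added example, not code from the original post or from Redspin.
Scales, thresholds and sample findings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed 1-5 ordinal scales; a real programme documents its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    finding_id: str
    asset: str                 # where the technical vulnerability lives
    description: str
    likelihood: str
    impact: str
    found_in_cycle: int
    remediated_in_cycle: Optional[int] = None  # None while still open

    @property
    def score(self) -> int:
        """Likelihood x impact on the constructed scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        # Constructed thresholds for the 1..25 range.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"

    def is_open(self, cycle: int) -> bool:
        """Open in `cycle` if already found and not yet remediated by then."""
        found = self.found_in_cycle <= cycle
        closed = self.remediated_in_cycle is not None and self.remediated_in_cycle <= cycle
        return found and not closed


def open_findings(findings, cycle):
    """Open findings for a cycle, highest risk first (the remediation queue)."""
    return sorted((f for f in findings if f.is_open(cycle)),
                  key=lambda f: f.score, reverse=True)


def cycle_metrics(findings, cycle):
    """Metrics a programme can report for one cycle of the loop."""
    open_now = open_findings(findings, cycle)
    closed = [f for f in findings
              if f.remediated_in_cycle is not None and f.remediated_in_cycle <= cycle]
    mean_ttr = (round(sum(f.remediated_in_cycle - f.found_in_cycle for f in closed) / len(closed), 2)
                if closed else None)
    return {
        "cycle": cycle,
        "open_total": len(open_now),
        "open_high": sum(1 for f in open_now if f.rating == "high"),
        "closed_this_cycle": sum(1 for f in findings if f.remediated_in_cycle == cycle),
        "residual_risk": sum(f.score for f in open_now),   # sum of open scores
        "mean_cycles_to_remediate": mean_ttr,
    }


def residual_risk_trend(findings, last_cycle):
    """Residual risk per cycle; a falling series is demonstrable improvement."""
    return [cycle_metrics(findings, c)["residual_risk"] for c in range(1, last_cycle + 1)]


# Constructed sample findings across three test/retest cycles.
SAMPLE_FINDINGS = [
    Finding("F-001", "EHR application server", "OS no longer receives security patches",
            "likely", "severe", found_in_cycle=1, remediated_in_cycle=2),        # 20, high
    Finding("F-002", "Clinic laptops", "Full-disk encryption not enabled",
            "possible", "severe", found_in_cycle=1, remediated_in_cycle=2),      # 15, high
    Finding("F-003", "EHR configuration", "Audit logging of PHI access disabled",
            "possible", "major", found_in_cycle=1, remediated_in_cycle=3),       # 12, medium
    Finding("F-004", "Workforce", "Phishing simulation click rate above target",
            "likely", "moderate", found_in_cycle=1),                             # 12, medium
    Finding("F-005", "Guest Wi-Fi", "Guest network can reach internal VLAN",
            "unlikely", "major", found_in_cycle=2),                              # 8, medium
]

if __name__ == "__main__":
    for c in (1, 2, 3):
        print(cycle_metrics(SAMPLE_FINDINGS, c))
    print("residual risk trend:", residual_risk_trend(SAMPLE_FINDINGS, 3))
    print("remediate next:", [f.finding_id for f in open_findings(SAMPLE_FINDINGS, 3)])
```

The point of the metrics dictionary is that it is produced by the same register each cycle, so the trend (here 59 → 32 → 20 residual risk, with no open high-risk findings after cycle 2) is evidence of risk reduction rather than a compliance checkbox. Findings such as the phishing click rate sit alongside technical ones because, as the post argues, workforce behaviour is part of the risk picture and gets retested the same way.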
At the end of the day, healthcare security is about patient care – improving health, speeding recovery, easing pain and showing compassion. Patient care should also extend to safeguarding their most personal information.