At the recent NIST-OCR Safeguarding Health Information (HIPAA Security) Conference Office for Civil Rights Director Roger Severino presented OCR’s top security concerns. He stated that they include ransomware, phishing attacks, remote desktop protocol vulnerabilities, weak authentication (single factor or poor password rules), and access control, including managing accounts (and dormant accounts) of current and former workforce members. “Attacks are now more sophisticated and more targeted,” Director Severino said. “The single most important thing you can do to protect yourself is to conduct a risk analysis.” In addition to underscoring the importance of a risk analysis, Director Severino stated that risk analysis continues to be “the area where we have had the most enforcement.”
Later at the same conference, Nick Heesters, an OCR Health Information Privacy and Security Analyst who investigates potential HIPAA violations, said that what OCR typically receives as a “risk analysis” is not at all…well…a risk analysis. This was not surprising, as Nick made the same point at Clearwater’s Breakfast and Breaches event in Washington, DC earlier this year: “Some of the risk analysis we get back just doesn’t really reflect what the rule requires. The rule requires that it be done in an accurate and thorough manner. To accurately and thoroughly assess the risks to an organization’s ePHI. Frankly, that’s not what we get.” Click here to listen to his statement.
OCR’s enforcement of the risk analysis requirement has been consistent. In fact, in 90% of the cases where a settlement or fine has levied due to a HIPAA violation involving a breach, OCR has found that the organization “failed to conduct an enterprisewide risk analysis.”
So why don’t more organizations conduct a risk analysis the way they are supposed to? For a large organization, conducting a risk analysis is not an easy thing to do. It must identify all of its systems with ePHI, understand their components, identify the vulnerabilities and threats that are applicable to those components based on their unique profiles, document all of the controls that are in place, and then assess the likelihood of an event occurring and the impact to the organization in order to assess risk.
With hundreds of systems leading to millions of possible risk scenarios, an enterprisewide risk analysis, performed in accordance with the regulations and OCR’s guidance, can be a daunting task for an organization to perform. An enterprise-class cyber risk management software tool, designed for complex healthcare organizations and in accordance with OCR’s guidance, can solve this issue.
A risk analysis also needs to be conducted on a continuous basis. As put by Director Severino, risk analysis is “not only one and done”, organizations must “continuously monitor their systems and their changes.” Once again, adoption of a software platform with robust capabilities can help organizations to follow this requirement.
Understanding these challenges, Clearwater developed IRM|Analysis®, an enterprise-class cyber risk management software (ECRMS) platform specifically designed for healthcare organizations – currently with over 400 customers, including more than 60 large integrated delivery networks. IRM|Analysis meets all nine requirements of a Security Risk Analysis based on OCR’s Guidance Publication.
Leveraging patent-pending technology, IRM|Analysis provides the capability to efficiently record and manage all ePHI information systems and their components. Using sophisticated algorithms, the software automatically identifies vulnerabilities, threats, and recommended technical, administrative, and physical controls that are applicable to those systems, and facilitates an accurate and thorough risk assessment. It provides workflow capabilities to not only assess risk, but also to treat high risks and manage and document risk mitigation action plans. And because it’s a web-based application – as opposed to a point-in-time spreadsheet – IRM|Analysis provides the ability to make updates to the risk analysis when material changes occur or new systems are added. This results in a continuous process for assessing, prioritizing, and reducing risk to appropriate levels.
We are proud of the fact that OCR has accepted our customers’ risk analyses conducted with IRM|Analysis 100% of the time when performed in accordance with, or in conjunction with, Clearwater’s recommendations and advice. While compliance is important, a risk analysis is not about checking the box. It’s about knowing where your exposures are and evaluating which risks your organization is willing to accept, and which it will not. If a risk analysis is not accurate and thorough, key exposures will be missed, and as a result, the organization will not have the opportunity to implement necessary safeguards to bring risk to an acceptable level. On the other hand, a thorough risk analysis will guide your organization to implement the controls that will reduce the most risk, thereby optimizing your security resources and budget, while concurrently meeting OCR’s expectations.
In working with over 400 healthcare organizations, we have found that prior to partnering with Clearwater most have not conducted an accurate and thorough risk analysis in a manner that would pass OCR scrutiny. We often find that security officers and privacy officers were aware of their deficiency but have a difficult time getting leadership to fund their risk analysis programs at the level they should. Perhaps OCR’s statements and enforcement focus as described in this article, will help to get them to listen. Or perhaps it will take a breach and an OCR investigation of their own to do so. We hope for the reader it will be the former, not the latter.