Under the HIPAA Security Rule, covered entities and business associates are required to perform risk analysis on all systems that create, receive, maintain, or transmit electronic protected health information. In 2010, the Office for Civil Rights (OCR) published guidance about what’s required for risk analysis in particular, including:
- Comprehensive scope of analysis
- Data collection: Identifying an inventory of information assets used to create, maintain, transmit, or receive electronical protected health information (ePHI)
- Identifying and documenting potential threats and vulnerabilities
- Assessing current security measures or security controls
- Determining likelihood of a threat occurrence
- Determining potential impact of a threat occurrence
- Determining level of risk
- Periodic review and updates
Healthcare organizations struggle with risk analysis for a variety of reasons. Some say it’s related to process complexity, while others cite challenges understanding expectations set forth, for example, reasonably anticipated threats and vulnerabilities, or other parts of the OCR guidance they don’t find clearly defined.
Here are some other common challenges that are contributing to lack of compliance for risk analysis across the healthcare industry:
- In the cybersecurity arena as a whole, there are a number of practices referred to as risk analysis, but often, these practices don’t meet OCR requirements.
- Many organizations say they just don’t have sufficient funding to properly execute risk analysis and risk management as OCR would like it handled. Without funding, some organizations won’t engage in risk analysis and risk management at all, while others limit the scope of their analyses, citing financial limitations.
- Some organizations, overwhelmed by the constantly changing threat landscape, put their limited budgets exclusively toward technologies and tools while overlooking the symbiotic importance of people and processes. While technology is certainly a beneficial tool, it’s also important to make investments into security, governance, and compliance to ensure you have the right people in the right positions to plan, conduct, and manage related processes.
- The market is saturated with risk analysis consultants. These consultants offer a wide range of services, but those offerings may not meet OCR expectations, leaving some organizations seeking help not getting what they actually need.
- Different organizations handle risk analysis and risk management differently from a responsibility perspective. In some places, both live in the IT department and are seen as IT-related functions. Some organizations approach it from more of a compliance perspective for HIPAA, while others see it as tasks for the privacy office or legal, or security teams. With these inconsistencies in ownership and management, there are additional challenges created when teams don’t work well together cross-departmentally and critical components can fall through the cracks, making documentation and management a nightmare.
Who Should Own Your Risk Management Program?
Answering the question of “who should own risk analysis and risk management?” isn’t easy to do. The answer may very well depend on your organization’s structure, but what’s most important to point out here is it’s critical the program belongs to someone and that person (or team of people) understands roles and responsibilities and can effectively communicate and work with a cross-section of your organization to ensure its success.
What you’re looking for in the team member who will “own” your risk program is someone who:
- Will provide oversight
- Understands organizational expectations
- Understands regulatory and compliance requirements
- Is up-to-date on current mandates and constantly attuned to changes, including keeping abreast of industry related news, alerts, enforcements actions, updates, etc.
While it is helpful to have a program owner with a technical background, you can also effectively implement and manage your risk program with an owner who works well cross-functionally with all of your core teams including security, IT, compliance, legal, privacy, and others as needed.
Another critical component is looking for a program owner who can help communicate requirements, as well as program success and gaps, with your executives and key stakeholders (who ultimately take the lead role in your managing your organization’s risk profile and make key decisions related to your organization’s risk appetite).
You may find it beneficial to have your program owner establish and work together with committees or other work groups to build a risk management partnership throughout your organization. This can help ensure you’re always meeting requirements and obligations, but also help build an organizational culture that adopts risk analysis as the way of doing business so that in time, when operational changes must be denied because they introduce an unacceptable risk, there’s an understanding of what that means and why it’s important.
The Risk of Narrow Compliance Focus
Another key reason some organizations struggle with effective risk analysis and risk management is because they often focus efforts too much on checking the box from a compliance perspective than actually conducting risk analysis.
As a result, instead of adopting risk analysis as a continuous process, they review it on a periodic basis-usually just before a compliance audit or only when an audit discovers an issue.
Instead of a compliance-focused approach, you decrease your risks by embedding risk analysis and risk management into your larger security program. Risk management and risk analysis aren’t just compliance or legal issues, they add real value to your organization from a security perspective.
Analysis Without Action
If your organization has already implemented a risk analysis program, it’s important to remember that it goes hand-in-hand with risk management. In some cases, you may find yourself worse off if you’ve done the analysis, but fail to act on it.
For example, if you conduct a risk analysis and don’t act to mitigate, accept, or avoid that risk, if you later fall prey to a breach after knowing a risk was there and doing nothing, you’re likely to face heftier penalties from OCR.
OCR penalties are tiered and those tiers relate to HIPAA violation severity.
- Tier 1: Entity wasn’t aware of violation, could not reasonably avoid it, and taken a reasonable amount of care to abide by HIPAA requirements. Minimum fine $100 up to $50,000 for each violation.
- Tier 2: Entity should have been aware of the violation, but it couldn’t be avoided with reasonable amount of care. Minimum fine of $1,000 up to $50,000 per violation.
- Tier 3: Entity demonstrated willful neglect or HIPAA requirements in cases where the entity attempted to correct the deficiency. Minimum fine of $10,000 up to $50,000 per violation.
- Tier 4: Entity demonstrated willful neglect of HIPAA requirements and did not attempt to correct the violation. Minimum fine of $50,000 per violation.
As you can see, keeping your head in the sand regarding security risks could result in significant penalties. Ensure your organization has a risk management plan in place and the proper steps are taken to follow through.
Risk Response Documentation
While OCR has outlined those risk analysis and risk management expectations, it also wants to see that your organization has related documentation and that you’re demonstrating accountability through the assignment of roles, functions, and a timeline to address risks as they’re uncovered.
Think of your process and plan documentations as a golden opportunity to tell your risk management story should you experience a breach or other security issue. This is how you can build assurances that your organization is doing what’s reasonable and meets expectations.
You may find it beneficial to build a risk register that your organization treats as a living document, one your review regularly to stay on top of your risks and how you’re managing them. Keep your risk register current and cumulative, and from there you can make better risk-based decisions regarding whether you’re on the right path with prioritization or identify places you need to redirect attention.
As we’re seeing an alarming increase in the number of cyberattacks and breaches in healthcare, there may have never been a more important time for your organization to focus on risk analysis and risk management than now. They’re important components to your overall cybersecurity program that can help ensure you remain compliant while also strengthening your security posture.
A few tips to remember:
- Risk analysis is not one and done.
- Establish a continuous process that ensures you’re always aware of risks and making plans to address them.
- People and processes are cornerstones to your success.
- Don’t wait for a crisis like a breach before you evaluate your risks.
- Get executive support.
- Build a risk-focused organizational culture.
- Don’t approach risk analysis from a compliance only perspective.
- Align your risk objectives with business goals.
- Document. Document.