Security risk management for the compliance officer

The security risk management program may not be the responsibility of the compliance officer; however, failure to ensure this required HIPAA control is in place could have negative impacts on your organization. Unidentified and unaddressed risks can easily lead to a loss of protected health information (PHI) or a bad actor taking over your entire system in a ransomware attack. A recent report by Sophos indicated that 66% of healthcare organizations had been hit with a ransomware attack.[1] Addressing security risks should be a top priority considering the U.S. Department of Health & Human Services (HHS) indicated in 2021 the average bill for rectifying a ransomware attack, including downtime, ransom, legal fees, etc., was $1.2 million.[2]

Including an evaluation of your security risk management process in your compliance plan will provide assurance to your leadership that while you may not be able to prevent all security incidents, your organization is at least making a consistent effort to reduce the risk.

Over the past 18 months there has been a lot of discussion about the need for healthcare organizations to perform cybersecurity risk assessments. There are probably several motivating factors behind these discussions and one of the primary drivers has been the passing of the HIPAA Safer Harbor Bill, HR 7898, which amended the HIPAA HITECH Act to require HHS to incentivize best practices in security.[3]

While HR 7898 was passed to provide incentives for good cybersecurity practices, the truth is that performance of an enterprise-wide risk assessment has long been a requirement for HIPAA compliance. A risk assessment has been required since the effective date of the HIPAA Security Rule in April 2005.

The standard within 45 C.F.R. § 164.308(a)(1)(ii)(A) [4] requires covered entities and business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” In 2018, the HHS Office for Civil Rights (OCR) provided guidance on their expectations for the implementation of this requirement, including:

  • Does the entity have policies and procedures in place outlining compliance with this control?

  • Has the entity conducted an “accurate and thorough assessment” of the potential risk and vulnerabilities?

  • Does the risk analysis include:

    • A defined scope,

    • Details on identified threats and vulnerabilities,

    • An assessment of current security measures,

    • An impact and likelihood analysis, and

    • A risk rating?[5]

This document is only available to members. Please log in or become a member.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field