The security risk management program may not be the responsibility of the compliance officer; however, failure to ensure this required HIPAA control is in place could have negative impacts on your organization. Unidentified and unaddressed risks can easily lead to a loss of protected health information (PHI) or a bad actor taking over your entire system in a ransomware attack. A recent report by Sophos indicated that 66% of healthcare organizations had been hit with a ransomware attack.[1] Addressing security risks should be a top priority considering the U.S. Department of Health & Human Services (HHS) indicated in 2021 the average bill for rectifying a ransomware attack, including downtime, ransom, legal fees, etc., was $1.2 million.[2]
Including an evaluation of your security risk management process in your compliance plan will provide assurance to your leadership that while you may not be able to prevent all security incidents, your organization is at least making a consistent effort to reduce the risk.
Over the past 18 months there has been a lot of discussion about the need for healthcare organizations to perform cybersecurity risk assessments. There are probably several motivating factors behind these discussions, and one of the primary drivers has been the passage of the HIPAA Safe Harbor Bill, HR 7898, which amended the HITECH Act to require HHS to incentivize recognized security practices.[3]
While HR 7898 was passed to provide incentives for good cybersecurity practices, the truth is that performing an enterprise-wide risk assessment has long been a requirement for HIPAA compliance. A risk assessment has been required since the compliance date of the HIPAA Security Rule in April 2005.
The standard within 45 C.F.R. § 164.308(a)(1)(ii)(A) [4] requires covered entities and business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” In 2018, the HHS Office for Civil Rights (OCR) provided guidance on their expectations for the implementation of this requirement, including:
- Does the entity have policies and procedures in place outlining compliance with this control?
- Has the entity conducted an “accurate and thorough assessment” of the potential risks and vulnerabilities?
- Does the risk analysis include:
  - A defined scope,
  - Details on identified threats and vulnerabilities,
  - An assessment of current security measures,
  - An impact and likelihood analysis, and
  - A risk rating?[5]
So where are we now?
In 2020, 15 years after the compliance date of the HIPAA Security Rule, the 2020 HIMSS Cybersecurity Survey found that only 50% of respondents were conducting comprehensive risk assessments. Organizations were often excluding key areas from their annual risk assessment (Table 1).[6]
Table 1. Risk assessment components included by survey respondents

| Risk assessment component | Percent of respondents including component |
|---|---|
| | 58% |
| Legacy systems | 45% |
| Mobile devices | 39% |
| Cloud provider/service provider | 37% |
This trend is particularly alarming when compared to the 2021 HIMSS Healthcare Cybersecurity Survey, in which 45% of respondents indicated that they had been the victim of a phishing attack resulting in a significant security incident. A review of the initial point of compromise also shows the high risk in areas often excluded from an organization’s annual risk assessment (Table 2).[7]
Table 2. Initial point of compromise for significant security incidents

| Initial point of compromise | Percent of significant security incidents |
|---|---|
| Phishing | 71% |
| Legacy software | 15% |
| Laptop, tablet, or device | 10% |
| Legacy operating system | 9% |
| Cloud provider/service | 9% |
The HIMSS findings are supported by a review of OCR enforcement actions for 2020 and 2021: 80% of OCR enforcement press releases cited a failure to perform a risk analysis. And, as previously noted, with an average $1.2 million price tag for rectifying a ransomware attack, addressing security risks is a top priority.[8]
Is your program effective?
As the compliance officer, you may be doing an annual security risk assessment, or you may be depending upon your IT team to do that for you. Either way, it’s good practice to take a step back from your program and evaluate it for effectiveness. Analyzing your program will help reduce the risk to your organization and, should the worst happen, help you take full advantage of the regulatory relief outlined in HR 7898.
Is there a formal annual risk assessment process in place?
This is your basic step one. Determine whether there is a formal assessment. You may find that someone has a list of “concerns,” but nothing formal that is documented and reviewed on a consistent basis. If the answer to this question is no, then your first remediation step is to determine who should own this process and establish a program to perform your risk assessment.
Once you have determined that there is a program, it’s time to dig a little deeper. Is your risk assessment program based on a recognized framework? HR 7898 specifically called out that organizations should have “recognized security practices” and went on to define these as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”[9]
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is organized around five core functions: identify, protect, detect, respond, and recover. The framework is designed to help organizations assess their current security program and develop and implement effective controls.[10] The NIST CSF is an excellent choice for healthcare organizations, but your organization may find it difficult to use because its subcategories map to several hundred controls, each of which must be evaluated for applicability to your operations.
The other approach mentioned in HR 7898 is the result of the 405(d) task group established by HHS to develop a cost-effective cybersecurity risk management program for healthcare organizations.[11] The resulting Health Industry Cybersecurity Practices (HICP) documents identify the five most significant threats and the practices that reduce the risk of those threats. The HICP documents provide guidance for both large and small organizations on identifying and managing risks to the organization:

- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP),
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations, and
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations.[12]
Organizations may choose other frameworks such as HITRUST to perform their annual assessment, but the framework should be a recognized framework to help ensure compliance with the HR 7898 requirements.
Is your assessment objective?
As the compliance officer, you should look at who is doing the assessment and determine if they were objective and thorough. While every organization probably has a nonretaliation agreement, you will want to evaluate the ability of the personnel performing the assessment to be objective. For example, if your assessment is performed by the special assistant to the chief information security officer who has been reporting to your board quarterly that “we have no risks,” would that special assistant feel free to point out that you actually have significant risks to your environment? Ideally the personnel performing the risk assessment would have the independence to work freely and objectively without having to adjust their findings as a result of management pressure—just like your compliance or internal audit departments.
To ensure independence and objectivity, your organization may want to consider using independent assessors. These can be internal, such as staff from your compliance or internal audit departments, or you may want to engage outside service providers.
Is your assessment comprehensive?
As was noted in the 2020 HIMSS Cybersecurity Survey, 50% of the organizations performing risk assessments were not including all risks or operational areas. The risk assessment documentation should include details on what areas were reviewed and what risks were evaluated. That documentation should be compared to your organizational information to help identify gaps in the current process. No matter what framework you use, the five threat areas identified in the HICP documents should have been addressed. Verify your assessment included all of the following threats:

- Email phishing
- Ransomware
- Medical device vulnerability
- Data loss
- Equipment loss
Comprehensive also means that the results were based on documented evidence. A risk assessment where the assessor documented controls as “in place” because of past experience, assumptions on the skill sets of personnel, or just because “of course we do that” will probably result in faulty data. We recently performed a risk assessment noting major concerns in all the threat areas above. When management compared that to the prior assessment, the difference was shocking. Further investigation determined that the prior assessor was an employee who actually completed the assessment in a couple of hours working alone and just “assumed” that since this was a well-managed, mature healthcare provider, all controls would be in place.
A comprehensive risk assessment should also include a physical review of your environment. Doing a walk-through of your operations may uncover risks related to data loss and equipment loss you were totally unaware of. I once walked into a hospital department to find a laptop that was not on the hospital network that staff were entering PHI into to help one of their vendors with a new product. No one at the organization had any idea what PHI was being shared, there were no agreements in place to cover this relationship, and no information was provided on how the vendor was using and/or securing the PHI they were obtaining.
Should you have a breach or security incident that results in a review of your organization by a regulatory body and they discover that you excluded significant areas or threats, it would be hard to make the case that you were conducting accurate and thorough risk assessments as the regulations require.
Do you have a risk management plan?
So now you have done the analysis and identified the gaps. At this point the identified gaps or weaknesses should also be classified based on their likelihood and impact to the organization. This allows you to prioritize the remediation effort. While it might be easy and inexpensive to close out the “low risk, low impact” findings first, that does little to protect the organization and its PHI. Emphasis should be placed on remediating the identified risks that are most likely to occur and would have the greatest negative impact on the organization.
Additionally, since risk assessments are required to be performed annually, you don’t want to present to your governing body or a regulatory agency evidence that “we have had the same high risk for the past five years.” It is possible that HHS might not consider that as evidence of an effective cybersecurity program, and it is certain that should a security incident result in any type of lawsuit, the opposing attorney would want to use that evidence against you.
Your risk management plan should include details on who owns each remediation item, what the remediation process is, and the timeline for completing it. The plan should be reviewed and updated by the appropriate management at least quarterly to ensure the organization meets its goal of protecting PHI.
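The following is an added example, not part of the original article or any referenced framework, showing how a compliance team could keep a risk register that records the five OCR elements (scope, threats and vulnerabilities, current measures, likelihood and impact, and a rating), checks that every HICP threat area was covered, prioritizes findings by rating, and flags high risks that have been carried over across annual cycles. The 1 to 5 scales, the rating threshold of 15, the two-cycle aging limit, and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass

# The five HICP threat areas the article says every assessment should address.
HICP_THREATS = (
    "email phishing",
    "ransomware",
    "medical device vulnerability",
    "data loss",
    "equipment loss",
)


@dataclass
class Finding:
    """One row of the risk register, carrying the elements OCR expects."""
    scope: str              # system or operational area assessed
    threat: str             # HICP threat area (see HICP_THREATS)
    vulnerability: str      # what was found
    current_measures: str   # controls already in place (evidence-based)
    likelihood: int         # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int             # assumed scale: 1 (negligible) .. 5 (severe)
    first_identified: int   # year the finding first appeared in an assessment
    owner: str = "unassigned"

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def rating(self) -> int:
        # Assumed rating model: likelihood multiplied by impact (1..25).
        return self.likelihood * self.impact


def missing_threat_areas(findings: list[Finding]) -> list[str]:
    """HICP threat areas with no finding at all (a coverage gap, not a clean bill)."""
    covered = {f.threat for f in findings}
    return [t for t in HICP_THREATS if t not in covered]


def prioritized(findings: list[Finding]) -> list[Finding]:
    """Highest rating first; ties broken by likelihood so likely events lead."""
    return sorted(findings, key=lambda f: (-f.rating, -f.likelihood))


def stale_high_risks(findings: list[Finding], current_year: int,
                     max_cycles: int = 2, threshold: int = 15) -> list[Finding]:
    """High-rated findings open for max_cycles or more annual cycles."""
    return [f for f in findings
            if f.rating >= threshold and current_year - f.first_identified >= max_cycles]


def unowned(findings: list[Finding]) -> list[Finding]:
    """Findings nobody is accountable for remediating."""
    return [f for f in findings if f.owner == "unassigned"]


# Constructed sample register; names and values are illustrative only.
SAMPLE_REGISTER = [
    Finding("Workforce email", "email phishing", "No phishing simulation program",
            "Spam filtering only", likelihood=5, impact=4, first_identified=2019, owner="CISO"),
    Finding("EHR servers", "ransomware", "Backups not tested for restore",
            "Nightly backups, AV", likelihood=4, impact=5, first_identified=2021, owner="IT Ops"),
    Finding("Vendor pilot laptop", "data loss", "PHI entered on unmanaged laptop",
            "None", likelihood=2, impact=3, first_identified=2022),
    Finding("Clinic workstations", "equipment loss", "No cable locks on shared PCs",
            "Badge-controlled rooms", likelihood=3, impact=2, first_identified=2020,
            owner="Facilities"),
]


def review_register(findings: list[Finding], current_year: int) -> dict:
    """Summarize what leadership needs to see before signing off on the plan."""
    return {
        "missing_threat_areas": missing_threat_areas(findings),
        "priority_order": [f.scope for f in prioritized(findings)],
        "stale_high_risks": [f.scope for f in stale_high_risks(findings, current_year)],
        "unowned": [f.scope for f in unowned(findings)],
    }


if __name__ == "__main__":
    for key, value in review_register(SAMPLE_REGISTER, 2022).items():
        print(f"{key}: {value}")
```

Run against the constructed register, the review reports that medical device vulnerability was never assessed (a gap an auditor would notice, not evidence of low risk), that the phishing finding has been carried over since 2019 at a high rating, and that the vendor laptop finding has no owner.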
Summary
While it’s easy as a compliance officer to say, “Cybersecurity is IT’s problem,” the truth is that it’s everyone’s problem. We all know that if there is a breach, the compliance officer and their team are going to be front and center dealing with the outcome, including upset patients and regulatory agencies. In today’s environment, the compliance officer needs to help their organization address all the regulatory risks. Making sure your organization has a handle on your cybersecurity risks should be a part of any compliance program in 2022.
Takeaways
- Security risk assessments are required by the HIPAA Security Rule and encouraged by the HIPAA Safe Harbor Bill.
- Effective risk assessments are based on recognized industry standard frameworks, such as those from the National Institute of Standards and Technology or the Health Industry Cybersecurity Practices.
- Security risk assessments should be done by someone with enough independence and objectivity to review without fear of retaliation.
- All areas of the organization should be included in a security risk assessment; the assessment should not be limited to the physical space occupied by IT.
- Risk remediation plans will demonstrate the organization’s commitment to cybersecurity.