Conducting a HIPAA Security Risk Analysis has long been a requirement for covered entities under HIPAA. But today, the increased regulations and stricter enforcement under HIPAA (mandated by the HITECH Act) make it a necessity. In addition, the ongoing financial incentives available through the CMS' Meaningful Use EHR Incentive Program should further encourage hospitals to make annual HIPAA Security Risk Analysis projects an integral part of their information security and risk management programs.
2. Why Conduct a HIPAA Security Risk Analysis?
www.redspin.com
2
Increased Compliance Regulations and Stricter Enforcement
Greater Risk of Breach of Protected Health Information (PHI)
More Potential for Damages
7/30/2013 1-800-721-9177
3. Why Conduct a HIPAA Security Risk Analysis?
Increased Compliance Regulations and Stricter Enforcement
Mandatory requirement under HIPAA Security Rule
Core requirement of EHR Meaningful Use Incentive Program (both Stage 1 and Stage 2)
Ongoing Federal audit programs – OCR’s HIPAA Privacy and Security Audits and CMS’ Meaningful Use Audits
State Attorneys General empowered to enforce HIPAA
4. Why Conduct a HIPAA Security Risk Analysis?
Greater Risk of Breach of Protected Health Information (PHI)
Implementation of electronic health records has increased the likelihood of PHI data breach significantly
619 large breaches affecting ~22 million patient records over past 3 ½ years
Explosion in mobile device use (smartphones, tablets) and BYOD increases risk of loss, theft, and unauthorized access
Business Associates handling more electronic PHI
5. Why Conduct a HIPAA Security Risk Analysis?
More Potential for Damages
HIPAA-covered entities required to report and make public any PHI breach involving > 500 records
The costs of a PHI breach have increased dramatically (civil penalties, reparations, remediation, brand damage, legal fees and punitive damages)
6. What is a HIPAA Security Risk Analysis?
Purpose of a risk analysis is to identify:
Threats to the organization
Vulnerabilities internal and external to the organization
Consequences, impact, and harm to organizations that may occur given the potential for threats exploiting vulnerabilities
Likelihood that harm will occur
7. What is a HIPAA Security Risk Analysis?
Scope of a risk analysis can include:
HIPAA gap analysis (policies, procedures, controls)
Network infrastructure security testing (vulnerability assessment)
EHR and application risk assessment
Mobile device security (organization-issued and BYOD)
Business associate compliance review
Employee security awareness
8. HIPAA Security Risk Analysis – References
HIPAA Security Rule
164.308(a)(1)(ii)(A) Risk analysis (Required)
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
9. HIPAA Security Risk Analysis – References
Meaningful Use Stage 1
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
10. HIPAA Security Risk Analysis – References
Meaningful Use Stage 2
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”