Since its creation, the Health Insurance Portability and Accountability Act (HIPAA) has served as a pillar of the American healthcare system, aiming to protect the privacy, security and integrity of protected health information (PHI). For the various organizations that manage PHI, the regulation has been notoriously difficult to adhere to, requiring specific security, network, and process measures to protect sensitive information. 

To ensure that these organizations comply, the HIPAA Security Rule requires all eligible organizations and third parties to conduct a security risk assessment on electronic PHI (ePHI). But as the healthcare industry continues to increasingly rely on technology, it is also putting ePHI at greater risk of data breaches and unauthorized access. Now, more than ever, organizations need to be conducting security risk assessments that reveal the strength and vulnerabilities of the network. Here’s some helpful tips for conducting an accurate security risk assessment:

3 Tips for Conducting an Accurate HIPAA Security Risk Assessment

1. Understand Security Risk Assessment Requirements 

To conduct a proper security risk assessment, organizations must leave no stone left unturned, and while there is no set list of steps, the nature of the healthcare industry means that ePHI is shared between multiple touchpoints, organizations and personnel, leaving it vulnerable. Before organizations can successfully evaluate the risks in their environments, they must understand the varying assessment requirements, including: 

  • Scope of the Analysis: All ePHI created, maintained, received, maintained or transmitted by an organization is subject to the Security Rule, including all forms of electronic media (hard drives, floppy disks, CDs, etc.) or other storage devices.
    • Data Collection: Organizations are required to identify where ePHI is stored, received, maintained or transmitted. The processing and gathering of this data must be documented and indicate how it was captured.
  • Assess Current Security Measures: Organizations are responsible for how third party entities handle their ePHI, as a result of this they should assess and document current security measures and their effectiveness. 
  • Determine the Likelihood of Threat Occurrence: Unfortunately, the risk of data breach will never be zero percent, therefore the Security Rule requires organizations to determine the probability of potential risks. 
  • Determine the Potential Impact of Threat Occurrence: In addition to determining the probability of potential risks, organizations must measure the potential impact of a breach. This includes the impact an occurrence would have on the confidentiality, integrity and availability of ePHI.
  • Determine the Level of Risk: Once the likelihood and impact have been determined, organizations can develop an overall level of risk based on overall severity to patients. The level of risk should also include a list of actions to mitigate risk
  • Final Documentation: Organizations should document the entire risk assessment process. This documentation serves as the proof that risk assessment has been conducted.

Once you have determined what information you will need for a successful security risk assessment, organizations should aim to review and update the scope as necessary. 

2. Create an Action Plan

Much like conducting a regularly scheduled data discovery sweep, security risk assessments are not a one time process. The most successful organizations have an action plan in place that addresses evolving security needs. 

The first step for any organization is determining how regularly they will be conducting security risk assessments. The size of the organization and the amount of PHI it manages will ultimately determine the cadence of risk assessments — a good best practice is to assess the network once a quarter. Other questions to consider include:

  • Who will be responsible for managing security risk assessments?
  • How will they be evaluated and what KPIs are they tracking against?
  • Are there any areas at immediate risk? 

These questions only scratch the surface of what organizations should know about HIPAA compliance, but once you have determined the scope of the analysis and have an action plan in place, it is time to conduct a security risk assessment.

3. Use a Security Risk Assessment Tool

There are several resources and tools for organizations looking to conduct a security risk assessment, including the Security Risk Assessment (SRA) Tool to help guide the process. Developed by the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), the SRA Tool is a downloadable tool designed to help healthcare providers conduct a security risk assessment. 

Ground Labs’ Enterprise Recon for HIPAA Compliance Needs

At Ground Labs, our core focus has always been on developing technology that meets the increasing challenges of data management and regulatory compliance through our comprehensive and trusted solutions to confidently mitigate risk and find PHI. With Enterprise Recon 2.1, the latest version of our award-winning solution, organizations can find and remediate sensitive information across a range of structured and unstructured data. Whether information is stored on servers, employee devices, or in the cloud, Enterprise Recon, powered by GLASS™ Technology, enables the quickest and most accurate and seamless data discovery. 

Enterprise Recon comes pre-configured with HIPAA PII patterns and can be configured to capture other common types of HIPAA-sensitive data like credit card numbers and email addresses. With Enterprise Recon’s powerful remediation capabilities, you can take the Safe Harbor de-identification approach by masking sensitive PHI from the web console, or encrypting data at rest. Enterprise Recon allows your organization to operate efficiently with these compliance abiding features: 

  • Identifying more than 300 data types including predefined and variants
  • Data Remediation
  • InterSystems Cache support
  • OCR and Audio Scanning
  • API Framework
  • Custom BI Reporting API
  • Investigate Page for deeper-level browsing
  • Data Classification
  • Delegated Remediation
  • Risk Scoring

The healthcare sector is rapidly adjusting to a number of market forces including the proliferation of technology, and as the amount of data created in the healthcare setting continues to grow, HIPAA compliance will become more challenging. As organizations look to anticipate and mitigate security risks before they occur, conducting regular security risk assessments is the next step in creating a more secure healthcare environment. Get on track with Enterprise Recon. 

Ready to learn more about how to maintain HIPAA compliance with Enterprise Recon? Schedule a demo today.

Want to keep up with all our blog posts? Subscribe to our newsletter!

Subscribe