BLOG

Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs

What is a security risk assessment?

According to the National Institute of Standards and Technology (NIST) Special Publication 800-39, a security risk assessment is “the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.” [1]

In the context of the healthcare industry, a security risk assessment typically refers to an enterprise-wide assessment of the potential threats to sensitive information and systems including PHI. A healthcare security risk assessment includes an evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information and systems. A security risk assessment also assesses an organization’s capabilities for preventing, detecting, and responding to cyberattacks.

Based on Meditology’s experience having conducting hundreds of healthcare security risk assessment engagements, a security risk assessment should address the following considerations at a minimum:

  1. Sensitive information discovery: where is our patient information and other sensitive information (e.g. PHI, credit card data, intellectual property, financial information)?
  2. Threats actors: who are the bad guys and how likely are they to interact with our environment?
  3. Threat vectors: what are the bad things that can happen and how likely are they to occur?
  4. Vulnerabilities: how exposed are we and what weaknesses or security holes exist in our environment?
  5. Impact analysis: if we have a bad day, how bad of a day will it be?
  6. Risk determination: what are the most pressing areas we need to address?
  7. Corrective action planning: how do we fix what we found?

Refer to the following related resources for more information on each of these areas:
BLOG POST | HIPAA Security Risk Analysis Fundamentals: Industry Tested, OCR Approved
WEBINAR REPLAY | HIPAA Risk Analysis Fundamentals: Industry Tested, OCR Approved

Is a security risk assessment the same as a HIPAA security risk analysis?

Yes. The terms security risk assessment and HIPAA security risk analysis are synonymous. The term HIPAA security risk analysis derives from the HIPAA Security Rule and generally refers to the provision in the Risk Analysis Implementation Specification of the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Are healthcare organizations required to perform a security risk assessment?

Yes. Risk analysis is one of four required implementation specifications in the Security Management Process section of the HIPAA Security Rule.  The rule requires covered entities to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

The Security Rule does not prescribe any specific methodology for conducting a risk analysis, but OCR and HHS have issued guidance that provides definitions and refers to applicable standards such as NIST 800-66 and NIST 800-30.

What is the typical process for conducting a healthcare security risk assessment?

Enterprise-wide security risk assessment methodologies usually include a review of technical, physical, and administrative security controls and processes.

Data collection for conducting a security risk assessment is typically acquired through a combination of interviews, surveys, technical assessments, physical inspection or walk-throughs of facilities, and the collection and review of supporting evidence and documentation.

Standard audit methodologies should be employed using a “trust but verify” mentality to validate that assumptions about the state of security controls implementation are supported with evidence, documentation, and technical testing.

What security control frameworks are typically used for healthcare security risk assessments?

The most highly adopted security controls standard frameworks for healthcare entities are the HITRUST Common Security Framework (HITRUST CSF), the NIST Cybersecurity Framework (NIST CsF), and NIST SP 800-53.

How long does a security risk assessment typically take to complete?

For mid-sized to large healthcare organizations, an enterprise security risk assessment usually takes between 6 to 12 weeks from project initiation through to executive reporting. Smaller organizations typically take between 3 to 6 weeks to complete a security risk assessment.

Is HIPAA Security Risk Analysis the same as HIPAA Security Risk Management as defined in the HIPAA Security Rule?

No. HIPAA Security Risk Analysis is one of the components of the HIPAA Security Risk Management process. The HIPAA Security Risk Management process typically begins with one or more security risk assessments.

More specifically, risk management is a foundational provision of the Security Management section of the Security Rule. The provision requires covered entities to “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [(the General Requirements of the Security Rule)].”

Risk management activities should include the development of a risk management plan and supporting procedures that are informed by the risk analysis. A risk management plan defines how risk is managed for the covered entity, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and the workforce members’ roles in risk management processes. The security risk management plan should also include considerations for categorizing information systems based on criticality, selecting which security standards and controls will be applied, processes for implementing the plan, requirements for conducting ongoing risk analyses, business communication and approval processes for identified risks, and the ongoing tracking and monitoring of risks and associated corrective actions.

The results of a healthcare entity’s security risk analysis and security risk management processes serve as the starting point for the selection and implementation of organizational initiatives to protect patient information. Decisions for prioritizing and investing in security protections should be initially focused on the highest risk areas identified through risk management processes. Once critical and high-risk areas are addressed, more moderate risk areas should then be targeted for mitigation.

Financial and human capital resources for healthcare entities are finite. Healthcare providers must balance investments in security and compliance with competing priorities for resources and funding required to support the core business including investments in medical devices and innovative technology, physicians, nurses, technology, facilities, and more.

How often should healthcare organizations conduct a security risk assessment?

Based on Meditology’s experience, the vast majority of healthcare entities conduct an enterprise-wide security risk assessment on an annual basis and maintain routine risk assessment processes on an ongoing basis. Healthcare organizations use a variety of reporting and tracking capabilities to manage and report security risk assessment and corrective actions including, but not limited to, risk registers, Governance, Risk, and Compliance (GRC) tools, and risk tracking spreadsheets.

OCR does not mandate a specific frequency for HIPAA security risk assessments (a.k.a. HIPAA  Security Risk Analysis). According to OCR, “The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.” [2]

What should be included in the scope for a healthcare security risk assessment?

A security risk assessment should seek to identify all locations and functions where sensitive information including PHI is created, received, maintained, or transmitted by the organization. This includes internal applications and systems, devices, paper records, and patient information shared with third-party organizations. It also should include all physical facilities and locations where PHI is stored or managed. This may include clinical inpatient and outpatient settings, administrative offices, and other owned or managed facilities. Note: a sampling methodology and selection of a representative sample of different types of facilities is acceptable and appropriate for organizations with a high volume of physical locations.

Organizations that fail to identify and assess all locations where ePHI resides can introduce blind spots for risk exposures and significantly increase the probability of breach events. A risk analysis that only considers a subset of facilities and assets provides an incomplete view of organizational risk, making it difficult, if not impossible, to effectively safeguard patient information throughout the enterprise. See our related infographic for more information: Check Your Blind Spots with Security & Privacy Risk Assessments.

Example locations where PHI is commonly stored and managed by healthcare entities:

  • Databases
  • Servers
  • Endpoints
  • Removable Media (e.g. USBs)
  • Backups
  • Email
  • Printers/Paper/File Drawers
  • Mobile Devices (e.g. Laptops, Tablets, & Phones)
  • Web Portals
  • IoT & Medical Devices
  • Third-party Vendors and Hosted Solutions
Does my organization need to assess every individual asset in our environment as part of a security risk assessment?

No. The scope of a security risk assessment should consider all assets and locations where patient information resides. However, standard sampling methodologies are often used to assess a representative sample of assets and applications. Sampling can be used to assess the effectiveness of security controls applied across the enterprise rather than conducting exhaustive risk assessments of each and every piece of equipment in the organization that stores or transmits patient information.

Is a third party required to perform a security risk assessment?

Large healthcare organizations commonly hire third-party security risk assessment firms to conduct their security risk assessment and HIPAA security risk analysis initiatives, though some organizations use internal resources to conduct their security risk assessments.

Does a security certification like SOC 2 Type II, HITRUST CSF, or ISO count as a security risk assessment?

No. A SOC 2 Type II report provides an attestation of the current state of security controls in alignment with SOC 2 trust principles but does not provide a perspective on organizational risk calculus as defined earlier in this FAQ. Similarly, HITRUST and ISO certifications validate that an organization has implemented a minimum threshold of implementation of security controls but are not designed to serve as risk management frameworks or reporting mechanisms.

However, some healthcare organizations will combine their efforts to obtain security certifications with their security risk assessment initiatives to gain operational efficiencies. For example, interviews and evidence / documentation collection can often be accomplished in parallel for both certification and security risk assessment purposes.

What tools and technologies can be used to support security risk assessments?

There are several technology options available for organizations to support the completion of their security risk assessments.

This is not an exhaustive list, but some examples include:

Do vendors and business associates need to be included in security risk assessments?

Yes. Vendors and third-party platforms that store or manage PHI on behalf of the organization should be evaluated from a security risk perspective. This is often achieved as an ongoing business function aligned with the procurement and oversight of vendors. Security risk assessments should include an evaluation of the scope and effectiveness of vendor security risk management processes for the healthcare entity.

Do vendors and business associates need to perform security risk assessments?

Yes. Business associates that store or manage PHI are required to comply with the HIPAA Security Rule, including the HIPAA Risk Analysis and Risk Management requirements.

Is a penetration test required for a security risk assessment?

Not necessarily. Technical testing including penetration testing does not have to be included in a security risk analysis. However, it is highly recommended that healthcare organizations periodically assess and validate that their security controls are implemented correctly and operating effectively via technical security testing. A security risk assessment will often take into consideration any technical testing including penetration tests that the organization has conducted. If organizations have not conducted a penetration test within the prior 12-18 months, then a penetration test is recommended to be included in enterprise security risk assessment activities.

Is vulnerability scanning required for a security risk assessment?

Not necessarily. Healthcare organizations should maintain tools and processes for conducting routine vulnerability scans of their internal and external environments. A security risk assessment should evaluate whether or not the organization’s vulnerability and patch management process is operating effectively. If vulnerability scanning has not been performed within 6 months at the time of the security risk assessment, then it is recommended that vulnerability scanning be included in the security risk assessment process.

What are common supplementary “deep dive” security risk assessments that are common to healthcare?

Healthcare organizations will often conduct more thorough “deep dive” security risk assessments for areas of high-risk or vulnerability. Common examples of deep dive healthcare security risk assessments include:

  • Medical device security risk assessments
  • Cloud security risk assessments
  • PCI payment card compliance and security risk assessments
  • Penetration testing assessments
  • Application security risk assessments
  • Electronic health records security risk assessments
  • Ransomware security risk assessments
  • Third-party vendor security risk assessments
  • On-site audits and physical security assessments
What are the differences between a security risk assessment and a privacy risk assessment?

Healthcare security risk assessments include an evaluation of cybersecurity standards and regulations including the HIPAA Security Rule, NIST, HITRUST, or similar frameworks.

Healthcare privacy risk assessments, on the other hand, include an evaluation of privacy practices as defined in the HIPAA Privacy Rule. HIPAA privacy risk assessments typically include a review of policies, procedures, and implementation of privacy practices for the organization.

Is a HIPAA compliance review or gap assessment the same as a HIPAA Security Risk Analysis?

No. A HIPAA Security Rule “gap analysis” evaluates the organization’s compliance with specific provisions of the regulation. A gap analysis is separate and distinct from the HIPAA risk analysis requirement as defined in the rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Completing a gap analysis helps to address a separate provision of the HIPAA Security Rule related to evaluating compliance with the rule on a periodic basis. This specific provision is 45 C.F.R. § 164.308(a)(8) “Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.”

Are small organizations exempt from the requirement to perform a security risk assessment?

No. All healthcare entities must conduct a security risk assessment (a.k.a. HIPAA security risk analysis) regardless of their size.

The size of the organization, however, may play a limiting factor in the extent to which the entity is able to invest in security technologies, resources, and processes. A small community physician practice, for example, may not have sufficient capabilities to support the acquisition and implementation of cutting-edge security tools and a team of dedicated security and compliance personnel. Such small organizations may instead opt to rely on more manual security processes and outsource support for their IT and security programs. Larger organizations, however, typically employ a dedicated team of security and compliance professionals and allocate annual budgets dedicated to security and HIPAA compliance initiatives.

Does a separate security risk assessment need to be completed to satisfy CMS compliance with Meaningful Use (MU) and Performance Improvement (PI) criteria?

No. The CMS compliance rules require healthcare organizations to complete a security risk analysis as defined in the HIPAA Security Rule and discussed earlier in this FAQ.

The scope of the security risk assessment must include all systems and locations where PHI is accessed and managed, not just the certified Electronic Health Record. There is a common misconception in the industry that CMS requires a separate security risk assessment that is limited only to the EHR environment.

What industry resources are available to find out more about healthcare security risk assessment and HIPAA security risk analysis requirements?

OCR, CMS, and HIPAA.

To help guide regulated entities to comply with security risk assessment requirements, HHS, Office for Civil Rights (OCR), and the Centers for Medicare and Medicaid Services (CMS) have published a wide range of guidance and reference material since the introduction of the HIPAA Security Rule in 2003.

Guidance for conducting risk analyses and developing risk management programs, evaluating addressable standards, and other HIPAA compliance topics has been consistently published since the introduction of the HIPAA Security Rule. Guidance has included online resources such as frequently asked questions (FAQs), in person trainings and seminars, conference presentations, workshops, and other events and publications. HHS, OCR, and CMS have also directed regulated entities to resources related to other security standards and regulations including National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC).

Some examples:

Contact our team here at Meditology to learn more about healthcare security risk assessment services and advisory capabilities. We are glad to answer any questions you have about security risk assessments, HIPAA compliance, or other cybersecurity and privacy matters.


RESOURCES

[1] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[2] https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?language=es

Most Recent Posts
HITRUST is Shaking Things Up: Details for the New HITRUST i1 Certification and bC Assessment Read More
Take a Pen Test Pill: Inoculation for Ransomware Read More
Healthcare Virtual CISO Success Factors Read More