(Editor’s Note: This article, drafted in 2010, remains relevant in 2015 for organizations seeking guidance for Stage 2 and Stage 3 of Meaningful Use. See also Security Risk Analysis Required for MU Stages 2 and 3 and Meaningful Use and the Evolution of Privacy and Security Objective.)

To achieve the holy grail of “meaningful use”, and to earn the incentive payments detailed in the HITECH Act, medical practices must perform a HIPAA-mandated computer security risk analysis — and use it. Physicians must attest to CMS that this step is completed before receiving their first year’s $10K+ installment of their incentive payment. What is a computer security risk analysis?

Many practices still have never completed a valid computer security risk analysis.

Let’s explore risk analysis theory, current practice, revenue potential, where to get help, and the relevant text from the Security rule itself.

The Security Rule Text

Conducting a Risk Analysis is one of the 20 mandatory “implementation specifications” in the HIPAA Security rule. Note that the terms “risk analysis” and “risk assessment” are used interchangeably. Here is the exact requirement:

(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

164.308(a)(1)(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Scope includes more than confidentiality. It is important to note at the beginning that the security rule is about “confidentiality, integrity, and availability”. This is a crucial difference of scope between the security rule and the privacy rule. Particularly with the growth of EMR, the integrity and availability of information is specifically mandated. Losing vital medical records, or experiencing system downtime during a medical emergency, can literally be a life or death matter for patients.

Security Theory

The HIPAA Security rule does not require you to build a moat and castle around your practice!

Risk is not a bad thing – it is just one of the realities of life. The medical practice is NOT required to eliminate all risk and turn the office into Fort Knox. Rather, a security process will identify risks and vulnerabilities – and take steps to either transfer the risk, reduce it, or accept it. A specific example will illuminate this.

Example – malpractice risk. Doctors have always lived with the potential to make medical mistakes. This leads to big financial risks – a single malpractice award can exceed $20 Million, which would bankrupt even the wealthiest doctor. Setting aside any strong emotions associated with the issue of rising malpractice rates, let us explore the issue of dealing with risk. The doctor’s first step is to quantify their risk – which depends on what state they live in, their specialty, the procedures they perform, their case mix, the statistical likelihood of claims, the potential dollar awards, and the doctor’s personal financial position. The doctor then decides on one or more of the following:

  • Transfer risk. The traditional method for dealing with malpractice risk is to transfer it – that is, buy malpractice insurance. Doctors are usually willing to pay a known amount to eliminate the possibility of a devastating financial outcome.
  • Reduce risk. Doctors may take a number of steps to reduce risks. For example, they may attend carefully to their documentation; they may refuse to perform certain high risk procedures; they may practice “defensive” medicine – conducting extensive testing to rule out even highly unlikely conditions. These are all examples of techniques to reduce the likelihood of a malpractice award.
  • Accept risk. Until recently, it was unheard of for a doctor to accept the risk of malpractice claims. However, the huge sums required for malpractice insurance – even for doctors who have never had a claim – are causing a change. Doctors are sometimes choosing to “go naked”, that is, practice without insurance. These doctors decide to accept the risk of an unlikely event.

In practice, many doctors choose a combination of the above, or all three. For example, they may purchase a policy with a limited payout (say, $1 or $2 million) while accepting the risk of a huge but very unlikely award. In addition, they can document carefully and follow other risk management guidelines to reduce the likelihood of claims. Of course, doctors rely on specialists (insurance company risk managers and financial advisors) to help them with their analysis, choices, and risk management procedures.

The Medical Practice Advisor Is Often Challenged

Medical practices should first turn to their software and/or network support advisor for help. It is worth asking your vendor about their experience with risk analysis, their security training, and any credentials such as the CISSP. Unfortunately, it is very common to discover that the computer support organization has no experience with this type of activity. If this is the case, the practice is advised to find help elsewhere.

Conducting a Risk Analysis

There are multiple well-established methodologies for risk analysis. While it is not the only approach that can be used, the preamble of the HIPAA Security rule cites the National Institute of Standards and Technology (NIST) and specifically the NIST Risk Management Guide for Information Technology Systems.

When following this methodology, a number of differences among medical practices must be considered. Clearly, the risks vary tremendously depending on the size, complexity, and sophistication of the practice. More specifically, here are a few of the variables that must be considered:

  • Software – Using an EMR involves much higher risk than a practice management/billing system. A security breach could expose more information and system downtime can have an adverse effect on patient care.
  • Internet connectivity – an always-on broadband connection involves more risk than either dial-up or no connectivity.
  • Size of practice – the larger and more complex the organization, the more risks are involved, due to the number of staff, the volume of activity in the office, and the greater value of the computer assets (a large database with thousands of names and social security numbers has black-market value to identity thieves).
  • Networking technology – the use of wireless networking and remote access introduces a significant array of risks.
  • Portable computing – laptops, tablets/iPads, smartphones, and other handhelds may represent the single highest risk area due to the frequency of loss and theft. Are mobile devices encrypted? Is remote wiping capability included? Are LoJack or LoJack-like technologies employed?
  • Patching discipline – the regimen and level of discipline employed to install security patches for Windows, database, virus protection, and application software is a factor.
  • E-mail use – is the doctor or staff using e-mail to communicate with patients or insurance companies? If so, how often? Is patient information included in the e-mail? Is an encrypted solution used?
  • Patient Mix – physicians with celebrity or VIP patients may have greater risks of confidentiality breaches because of higher “market value” of the information
  • Medical specialty – Mental health or plastic surgery specialists are likely to be concerned about confidentiality, while specialists such as cardiologists might be very concerned with availability of EMRs
  • Human resource practices – are pre-employment background checks conducted, and is system access immediately blocked when employees terminate?

Other important inputs are best answered with help from security experts. For example:

  • What are likely threats? Who would want to breach the computer security – disgruntled insiders, “script kiddies”, motivated outsiders?
  • What system vulnerabilities exist? How likely is it that these vulnerabilities will be exploited?
  • What would the impact of various security breaches be?

The NIST process is a multi-step process which culminates in a document that identifies threats and vulnerabilities, includes an assessment of safeguards currently in place, quantifies the likelihood and impact of security failures, and concludes with recommended safeguards. Those interested in a sample format for the risk analysis report can download the NIST guideline and refer to Appendix B.
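As an added illustration (not from the original article), the following Python sketch shows what the core of such a report looks like once the variables listed above and the threat, vulnerability and impact questions have been answered: a small risk register scored on a likelihood-times-impact scale and ranked so the recommended safeguards lead with the highest risks. The scoring scale is assumed to be the qualitative one in the original NIST Risk Management Guide (SP 800-30), and the register entries are constructed for a hypothetical small practice, not real findings.

```python
"""Added example: qualitative risk register after the NIST Risk Management Guide
(SP 800-30) cited above. Scale and sample entries are assumptions, not page data."""
from dataclasses import dataclass

# Assumed scale from SP 800-30 (2002) Table 3-6: likelihood weight x impact magnitude.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

@dataclass
class RiskItem:
    asset: str              # ePHI-bearing asset (laptop, e-mail, EMR accounts ...)
    threat: str             # threat source, e.g. thief, disgruntled insider
    vulnerability: str      # weakness found during the review
    current_safeguard: str  # what is in place today
    likelihood: str         # Low / Medium / High that the threat exploits it
    impact: str             # Low / Medium / High on confidentiality, integrity, availability
    recommended_safeguard: str

def risk_score(item: RiskItem) -> float:
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]

def risk_level(score: float) -> str:
    """SP 800-30 bands: above 50 High, above 10 Medium, otherwise Low."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def rank_register(items: list[RiskItem]) -> list[tuple[float, str, RiskItem]]:
    """Highest-risk items first, so the report leads with what to fix now."""
    scored = [(risk_score(i), risk_level(risk_score(i)), i) for i in items]
    return sorted(scored, key=lambda t: t[0], reverse=True)

def report(items: list[RiskItem]) -> str:
    """Plain-text section for the compliance file: finding, current control, recommendation."""
    out = []
    for score, level, i in rank_register(items):
        out.append(f"[{level:6}] {score:5.1f}  {i.asset}: {i.threat} via {i.vulnerability}")
        out.append(f"            in place: {i.current_safeguard}; recommend: {i.recommended_safeguard}")
    return "\n".join(out)

# Constructed sample register for a hypothetical small practice (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Physician laptop with EMR cache", "theft or loss", "disk not encrypted",
             "Windows login password", "High", "High", "full-disk encryption and remote wipe"),
    RiskItem("Office wireless network", "outsider within radio range", "pre-shared key never rotated",
             "WPA2 with shared key", "Medium", "High", "per-user authentication, rotate key"),
    RiskItem("Staff e-mail", "misdirected message", "PHI sent in clear text",
             "none", "Medium", "Medium", "encrypted e-mail or patient portal"),
    RiskItem("EMR user accounts", "terminated employee", "accounts disabled only at quarterly review",
             "quarterly access review", "Low", "Medium", "disable access on the day of termination"),
]
```

Calling `report(SAMPLE_REGISTER)` yields the ranked findings with current and recommended safeguards; in a real assessment the likelihood and impact ratings would come from the practice's own answers to the questions above.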

Required Documentation for Meaningful Use

Since the OIG has announced that part of its 2011 work plan is to verify the accuracy of any HITECH incentive payments made, practices will find it prudent to document their findings in their compliance file. A formal risk assessment report — which for a small to medium-sized practice need be no longer than 4 to 10 pages — will provide the necessary proof that a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” has been conducted.

Using the Risk Analysis Report

Completing the Risk Assessment is the first part of meaningful use — in a subsequent post, we will explore the second requirement, that is to use the findings of the Risk Analysis as part of the practice’s ongoing Security Management Process.

Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and the MIPS “Advancing Care Information” category to “Promoting Interoperability”.
