HIPAA Computer Security Risk Analysis

The HIPAA Computer Security Risk Analysis is a mandatory requirement of the HIPAA Security Rule. The rule states that a Computer Security Risk Analysis should be completed periodically and that deficiencies should be corrected. A Risk Analysis can take many forms, but we at Eagle believe it is important to do a detailed review of the security measures and procedures in place for our Clients, to ensure that they are not only compliant but also protected from loss or breach of data. Although the Risk Analyses we provide at Eagle are comprehensive, we use customized procedures based on the type of client we are working with.

The Computer Security Risk Analysis is also an essential part of the Privacy and Security Objective of Meaningful Use. Eagle provides Risk Analysis services to meet this objective.

For this risk analysis, Eagle uses the methodology specified in NIST SP 800-30, which is the only approach explicitly mentioned in the HIPAA Security Rule as an appropriate one.

For smaller practices, this risk analysis can be conducted remotely.  For larger practices, an on-site review is recommended.

This assessment is required by the modified Stage 2 Meaningful Use, for the Privacy and Security Objective #1. The new Advancing Care Information Performance Category of the Merit-based Incentive Payment System (MIPS) replaces Stage 2 Meaningful Use in 2017. However, the performance category retains the Protecting Patient Health Information Objective that requires a risk analysis.

The Meaningful Use requirement also discusses a Security Management Process. Simply put, the “Security Management Process” consists of the following: A) conduct a risk analysis, B) implement security fixes to correct the deficiencies found, and C) repeat. To fulfill the Meaningful Use requirement, you must do both A and B.

The EHR software you purchased and its “Meaningful Use Dashboard” show no details about this objective, since the software has no way of knowing whether you meet the requirements of this objective.

For more information regarding the risk analysis and the HIPAA requirements, see the posts “Achieving Meaningful Use Stage 1 for Privacy and Security” and “45 CFR 164.308(a)(1), 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3) Explained”.

By choosing Eagle’s service, physicians can attest with confidence, without worry in the event that the physician is selected for a government meaningful use audit.

Eagle Consulting assists hospitals and large physician practices with the Privacy and Security objective for Meaningful Use Stage 2.  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on findings.

The fundamental purpose of implementing internal controls is to mitigate risk to an acceptable level within the organization. This assessment is based on the controls specific to the HIPAA Security Rule as they relate to the hospital’s business goals and objectives, and the perceived threats. Our unique assessment measures both compliance with controls and the level of risk that exists as it relates to IT threats, existing vulnerabilities, and the probability that these vulnerabilities will be exploited.

Engagement Process

Discovery. After identifying key participants from the hospital organization, a custom assessment workbook is prepared for each participant. The workbook includes all of HIPAA Security’s 42 implementation specifications, plus an additional 25 controls from the ISO 27002 framework and controls from the Council on CyberSecurity Top 20 Security Controls. Conducting an effective risk analysis for a larger organization requires a more comprehensive and granular framework such as ISO 27002. Select controls from the SANS Top 20 are also evaluated because these high-priority controls are absent from HIPAA. Conducting an appropriate risk analysis requires evaluation of the controls that matter.

Testing.  Existing security controls will be evaluated, including any previously completed penetration testing and vulnerability scanning.  As an option with this process, Eagle can include either of these evaluations as part of the scope of work.

Site Review. An on-site assessment is included, with a walk through of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security rule, 164.308(a)(1)(ii).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.  Eagle’s report will include a list of prioritized recommendations to address risks and vulnerabilities identified.

Advisory Services. The meaningful use objective requires that the hospital address deficiencies identified as part of its ongoing Security Management Process. Eagle offers a one-year retainer arrangement to serve as a resource for the hospital’s IT management team in implementing our recommendations. In addition, a variety of services are available to assist with corrective action.

A multi-year discount arrangement is offered.  The Stage 2 Meaningful Use guidelines clarify that risk assessments should be conducted annually.

Eagle Consulting assists Business Associates with the HIPAA Risk Analysis required by the HIPAA Security Rule.  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on findings.  A graphic illustration of the Security Management Process shows the multiple steps to create a detailed Security Risk Analysis.

When dealing with hospitals, physician practices or insurance companies, a standard framework can be used because the business processes of these entities are generally understood at the onset.  However, there is tremendous variety of Business Associates with vastly different business processes, for example:

  • Billing services are focused on healthcare and maintain billing and/or electronic records, with access to the records of a few practices or of hundreds of organizations
  • Consulting firms or attorneys may send consultants or attorneys on site at hospitals but never store any electronic PHI on their own systems
  • Medical software authors/resellers may have extensive teams of software developers, and customers may expect that the code is secure.  These organizations may process PHI on a limited basis for data conversions but otherwise keep no PHI.  And, these organizations may maintain electronic access to their client’s systems.
  • A direct mail mailing house may service a wide variety of industries and from time-to-time handle a large hospital’s mailings to patients

Further, Business Associates may range from a small organization with a few people to a national organization with hundreds of locations and tens of thousands of employees. Because of this wide range, an initial discovery phase is necessary as part of the risk analysis process.

Engagement & Eagle Solution Process

Discovery and Control Selection.  The first step is to understand the business processes of the Business Associate, to identify the electronic PHI that it maintains, and to briefly understand the existing controls in place.  Based on the business processes, Eagle identifies the controls that are most appropriate.    The selection process involves reviewing appropriate controls not only from the HIPAA Implementation Specifications, but also from the more comprehensive and granular framework, ISO 27002.  In addition, Eagle reviews relevant controls from the Council on CyberSecurity’s Top 20 Security Controls because some of these high-priority controls are absent from HIPAA.  The deliverable from this step is a list of controls that we

Control Review and Testing.  Using the controls identified above, existing controls will be reviewed in more detail with gaps and deficiencies identified.  Any previous evaluations, such as penetration testing and vulnerability scans, will be reviewed.  As an option with this process, Eagle can include either of these evaluations as part of the scope of work.

Impact Assessment.  Based on an understanding of the quantity of ePHI involved, the nature of the organization, and the reliance on information technology for daily operations, the impact of various failures will be estimated.  Failures evaluated will include data breach, system downtime, and data integrity failures.

Site Review. An on-site assessment is included, with a walk through of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security rule, 164.308(a)(1)(ii).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.  Eagle’s report will include a list of prioritized recommendations to address risks and vulnerabilities identified.

Remediation Support.  As a follow-up to the risk analysis, a variety of services are available to assist with corrective action.

Eagle Consulting Partners specializes in helping Ohio Governmental Agencies comply with HIPAA and other applicable Privacy and Security regulations. Eagle has worked with Public Health Departments, County Agencies and Government Organizations Associations to provide support for HIPAA and other privacy laws.

For over 15 years, Eagle has been at the forefront of serving Ohio County Boards of Developmental Disabilities in creating procedures to protect computer data security and client privacy. Eagle has experience working with GateKeeper, Intellivue, as well as other software used by county boards to provide services.

The process for the Risk Analysis is as follows:

Discovery. After identifying key participants from the organization, a custom assessment workbook is prepared for each participant. The workbook includes all of HIPAA Security’s 42 implementation specifications, plus an additional 25 controls from the ISO 27002 framework and controls from the Council on CyberSecurity Top 20 Security Controls. Conducting an effective risk analysis for a larger organization requires a more comprehensive and granular framework such as ISO 27002. Select controls from the SANS Top 20 are also evaluated because these high-priority controls are absent from HIPAA. Conducting an appropriate risk analysis requires evaluation of the controls that matter. This process includes reviewing Policies & Procedures manuals for compliance with state and federal regulations.

Testing.  Existing security controls will be evaluated, including any previously completed penetration testing and vulnerability scanning.  As an option with this process, Eagle can include either of these evaluations as part of the scope of work.

Site Review. An on-site assessment is included, with a walk through of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security rule, 164.308(a)(1)(ii).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.  Eagle’s report will include a list of prioritized recommendations to address risks and vulnerabilities identified.

Eagle Healthcare Consultants
Eagle has long experience in successful risk assessment and solutions for healthcare providers.

No. of HIPAA Compliance Cases with Corrective Action from HHS (source: HHS.gov)

Experienced Eagle Analysis & Solutions:

1) Identify all computer hardware, software and patient data (PHI).  This involves quantifying the location, type and quantity of patient data.

2) Evaluate technical security capabilities in place, such as passwords, encryption, firewalls and audit logging, usually based on interviews with computer support personnel.  For larger practices and networks, a vulnerability scan can be performed.

3) Review administrative processes in place, such as employee background checks, employee termination procedures and employee discipline.

4) Prepare a risk analysis report, which includes commentary on all 42 HIPAA Security implementation specifications, with corresponding risk levels based on the security measures in place and prioritized recommendations for corrective action.
