Risk Analyses Must Include All Electronic PHI
Practices involved in legal cases were penalized for not having completed a comprehensive risk assessment.
This past spring, the Office for Civil Rights (OCR) within the US Department of Health and Human Services announced a settlement with Metro Community Provider Network, a Denver-based federally qualified health center. Metro Community reported a breach after 3200 patients' electronic protected health information (ePHI) was compromised in a phishing incident in 2012.
When OCR looked into the breach, it found the provider had taken corrective action, but the health center had not conducted a risk assessment until after the breach. The assessment also did not meet security rule requirements. The breach cost Metro Community $400,000, an amount OCR considered a reduced fine after taking into account the fact it treats low-income patients. This settlement is a hefty reminder that ePHI cannot be ignored. It must be included in a health organization's risk assessment, and that assessment has to be thorough.
Bob Chaput, founder and CEO of Clearwater Compliance, LLC, of Nashville, Tennessee, said ePHI breaches were involved in about three-quarters of all OCR corrective action cases to date. In most of those, practices were “dinged” for not having completed a comprehensive risk assessment. Providers can seek help from outside organizations or do a risk assessment internally. It consists of taking inventory of ePHI, looking at reasonably anticipated threats and vulnerabilities, assessing current controls, and analyzing potential risks.
Taking inventory of ePHI is the first and one of the most important steps in the process. According to HIPAA, any application, system or technology solution that creates, receives, maintains, or transmits ePHI should be risk-analyzed. Hardware and software falling under this umbrella can include computers, servers, networking equipment, mobile devices, copiers, medical devices, and fax machines. There has also been a push to increase the security of bio-medical devices because these devices can be used to “gain a foothold to crawl through the network,” said Andy Petrovich, Health IT and Security Risk Analyst with Altarum Institute's M-CEITA program in Ann Arbor, Michigan.
The information asset inventory should include, but not be limited to electronic medical records, practice management, billing, patient portals, and email. Voicemail systems, third-party backup services and closed-circuit TV should not be overlooked. Lastly, business associates with access to ePHI should be considered.
Following the inventory, practices should look for all the “bad things that can happen” to ePHI by:
- Considering threats and vulnerabilities to that ePHI
- Examining current controls in place to prevent bad things from happening
- Assessment the likelihood of the bad thing happening
- Assessing the impact were that to happen
- Determining the risk of such a specific bad thing to happen
Chaput said this process is likely going to be the most demanding that practices go through if they are working with an outside organization. If a practice is working with a contractor, it can also expect the contractor to request documentation of policies and procedures and any other assessments the practice has performed. Chaput said his team conducts on-site interviews to find out about all the current administrative, physical and technical controls the practice has already implemented.
An outside organization typically takes this information and completes a risk analysis. Chaput's team creates a “risk register” with a listing of the possible problems within the practice and a score based on the likelihood that problems might occur. They list potential problems from the most to the least egregious and offer ways to address these. It is then the practice's responsibility to review the recommendations and act on the findings.
Whether you work with outside organizations or do a risk assessment internally, the process should be driven by a security officer. Practices that do not have a security officer should designate one. This person does not function alone, however. Petrovich said anyone with decision-making authority should be directly involved with security.
A number of different tools are available to get through the risk assessment process. Petrovich noted that many resources are available, including a free online tool from the Office of the National Coordinator for Health Information Technology. The tool offers a guide to help complete a risk assessment, but practices should be aware that the process can be time consuming.
“Don't underestimate the level of time and thoughtfulness that has to go into this to make it meaningful and impactful for your organization,” he said. “It can't be done quickly, especially if you aren't accustomed to doing it.”
Practices can benefit from working with an external organization because it provides an outside perspective. Petrovich cautions, however, that no organization is “certified” to help with a risk assessment and no one can guarantee compliance. “A lot of people want a cut and dried answer about what to do on a risk assessment … but you never know you are compliant until you get investigated and OCR tells you,” Petrovich said. “That's really the only way to know.”