The HIPAA Security Rule and Risk Management
The Health Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., in no small part because the law is deliberately open-ended about how its requirements are to be met.
What should covered organizations do? Increasingly, they are turning to risk-based assessments to justify and structure their security programs.
Here, we will discuss how risk management fits into the HIPAA Security Rule.
What Is the HIPAA Security Rule?
HIPAA regulations are built around specific “rules,” each of which provides language, guidance or requirements for how Covered Entities (C.E.s) and Business Associates (B.A.s) protect patient data. Covered Entities include hospitals, doctor’s offices, healthcare clearinghouses and health insurance companies; Business Associates are the service providers that create, receive, maintain or transmit patient information on behalf of those parties.
The second major rule within HIPAA, and the one most focused on protecting patient information, is the Security Rule. More specifically, the Security Rule protects electronic Protected Health Information (ePHI) that C.E.s and B.A.s create, receive, maintain or transmit.
Under the Security Rule, these organizations must take specific steps to protect patient information, including:
- Ensuring the “confidentiality, integrity, and availability” of all ePHI in their IT systems.
- Identifying and protecting against reasonably anticipated threats to the security or integrity of that ePHI, which in practice means enacting measures that address relevant, current cyber threats rather than only historical ones.
- Identifying and protecting against “reasonably anticipated, impermissible uses or disclosures” of ePHI.
- Ensuring compliance by their workforce through administrative programs (policies, training and sanctions).
It’s important to note that the Security Rule does not dictate specific security technologies or products that an organization must deploy. Instead, it directs each organization to consider:
- Its own size, capabilities and complexity
- Its own technical infrastructure
- The costs of the candidate security measures, and
- How likely a breach of ePHI is and how damaging it would be.
The reasoning given by the regulators is that C.E.s and B.A.s are diverse in size, complexity and ability to marshal resources. Following this, the logic is that these organizations are best positioned to determine their own security needs, provided they can document how they arrived at them.
A secondary reason is that threats and vulnerabilities evolve so quickly that naming concrete technologies or encryption algorithms in the regulation would leave it permanently one step behind attackers.
How Does the Security Rule Define Risk Management?
Because the Security Rule is loose and self-assessed, it makes sense that it also requires risk management as the mechanism by which organizations choose and justify their safeguards.
In its broadest sense, the discipline of risk management allows organizations to recognize critical security gaps in their practices and infrastructure and to understand how those gaps leave the organization open to attack. It also provides a framework for IT and business decision-makers to weigh those risks against compliance, operational and financial goals.
Perhaps most importantly, risk management forces an organization to build comprehensive knowledge of its own IT systems, which is a prerequisite for aligning them with the goals above.
Under the Security Rule’s Administrative Safeguards (the Security Management Process standard, 45 CFR 164.308(a)(1)), C.E.s and B.A.s must perform a risk analysis and act on it, which includes:
- Evaluating the likelihood and impact of potential risks to the ePHI held in their infrastructure.
- Implementing security measures that address the risks identified by that analysis.
- Documenting the chosen security measures along with a rationale grounded in the risk analysis.
- Reviewing and updating the analysis and the resulting measures on an ongoing basis as systems, threats and the business change.
Much like the security requirements themselves, the Rule’s description of risk management is open-ended. You can get more concrete guidance from the companion document, NIST Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” which walks through the Rule’s standards and the risk analysis expected for each.
Long story short, NIST SP 800-66 points organizations to the NIST Risk Management Framework (RMF, described in SP 800-37) as a model for structuring a risk-based security program. While the entirety of the RMF is beyond the scope of this article, it suffices to say that the RMF defines a sequence of steps, each of which branches into more specific practices.
These steps (the current revision of SP 800-37 adds a preliminary “Prepare” step before them) include:
- Categorize Information Systems: At this stage, your organization should identify and catalog its systems and rank them by the criticality of the information they store, transmit or process, weighed against any applicable security or compliance requirements.
- Select Security Controls: You must then select the controls appropriate to each system based on its categorization, typically starting from a control baseline such as those in NIST SP 800-53 and tailoring it. The selection should be informed by regulations, industry practice, business goals and operational needs.
- Implement Security Controls: Put the selected controls into practice in each system and document how each one was implemented.
- Assess Security Controls: Once controls are implemented, assess them to confirm they are in place, operating as intended and producing the outcome your risk analysis called for.
- Authorize the System: A designated senior official (the authorizing official) reviews the assessment results and the residual risk and formally decides whether that risk is acceptable before the system is allowed to operate or continue operating.
- Monitor Security State: Continuously assess the operation of these controls within the infrastructure and in relation to any relevant business, compliance or operational demands. This also includes responding to security incidents, remediating findings and updating controls.
Foregrounding Risk with HIPAA Compliance
Working with HIPAA regulations is not just about picking the right security controls and ticking a checklist. Controls that are poorly chosen or poorly implemented can lead to the unauthorized disclosure of ePHI, and the resulting fines and lawsuits far exceed the cost of treating compliance as an ordinary cost of doing business.
One of the best ways to move forward with HIPAA compliance, and with cybersecurity generally, is to treat risk and governance as core parts of your business. A practical first step is to work with a provider that foregrounds those concerns.
Continuum GRC provides a cloud-based, automated visualization tool to help you align governance, risk and compliance into a single stream of control.
To learn more about GRC and HIPAA, contact us today.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.