While you hear about the occasional breach of Protected Health Information (PHI) from large organizations, smaller medical offices often believe they are safe from a breach due to their size. When it comes to cybercrime, that is no longer the case. In fact, over three million patient records were compromised in 2017 across the medical industry, and small practices were breached, hacked, and ransomed just like the larger healthcare organizations.
A Growing Trend
The Office of Civil Rights (OCR) shows there is an upward trend in data breaches since they first published summaries of healthcare data breaches in 2009. Between 2009 and 2018, there have been 2,546 data breaches that involve more than 500 patient records. These breaches have resulted in the exposure of 189,945,874 patient records, which is more than 59% of the population of the United States.
The loss or theft of PHI were the top causes of data breaches from 2009 and 2015. These breaches could easily be prevented with device encryption, strong physical safeguard policies, along with annual staff training. The current statistics show that hacking/IT incidents have been the top causes of data breaches, which is why it’s important to discuss conducting a risk analysis with your IT team.
What is a Risk Analysis?
In an effort to prevent these breaches of PHI, the HIPAA Security Rule requires that all covered entities must perform a risk analysis and implement a risk management plan. This regulation is outlined in 164.308(a)(1)(ii)(A) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the [organization]”.
A completed risk analysis will provide your practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of ePHI within your organization. Risk analysis also helps practices assess and mitigate risks to the security of PHI.
Components of a Risk Analysis
A risk analysis contains a detailed look at an organization’s administrative, physical, and technical security measures utilized to protect PHI.
- Administrative Safeguards: includes an organization’s current policies and procedures used to protect PHI. This includes current security-related policies and procedures, a contingency plan, staff training policies and procedures, Business Associate Agreements, and user access to ePHI.
- Physical Safeguards: current controls that limit access to PHI such as the facility security plan, visitor controls, media disposal, and remote access procedures.
- Technical Safeguards: includes passwords and inactivity timeout settings, data storage, backup plans, and disaster recovery procedures along with encryption for PHI when necessary.
Goals for Risk Analysis
- Identify how and where PHI is stored and sent: During a risk analysis, practices must determine where ePHI is stored, received, maintained, or transmitted, and should also maintain documentation of the inventory.
- Identify threats and vulnerabilities: Practices must also identify potential threats and vulnerabilities within their organization, whether those threats are from internal sources such as untrained employees, environmental such as a flood or fire, or an adversarial threat such as a hacker trying to access PHI.
- Determine likelihood, impact, and risk level: Once vulnerabilities are identified, practices must determine the likelihood and level of impact from each identified threat by considering how many people and how much data may be affected. The risk level is determined by taking this into account for each vulnerability.
- Implement security measures: Practices will then need to implement reasonable security measures to protect PHI from those identified threats. The HIPAA Security Rule allows practices to tailor security policies, procedures, and technologies for safeguarding PHI based on the size, complexity, and capabilities of the practice, as well as technical, hardware, and software infrastructure.
Why Complete a Risk Analysis
A completed Risk Analysis will help your practice identify vulnerabilities within your organization that could lead to a data breach or loss of PHI. This assessment is the first step to ensuring compliance with the HIPAA Security Rule, attesting to government incentive programs, and ensuring the security of PHI within your organization.
Don’t allow your organization to fall behind, complete a risk analysis today to ensure your organization is in compliance.