What Is a Security Risk Assessment?
Protecting important data can be a daunting task. Everything is connected in this age of big data warehousing, cloud storage and smartphones. Each new advancement in technology widens the gaps that allow cybercriminals to penetrate networks, but hackers are not the only problem we face today. A poorly configured router or server can expose data to the public without any help from a hacker. Staff members can accidentally leak data by connecting to networks with personal devices or by leaving their computers unattended without locking the screen. Poorly chosen passwords weaken the armor surrounding data. The list of ways data can be leaked or stolen is vast.
In the healthcare realm, protecting your network and data is the law. Protecting PHI and ePHI requires many safeguards, including strong password protection and strict adherence to policies governing the handling of PHI and ePHI, to name a few. Every possible step must be taken to ensure a patient’s information is not compromised.
A periodic Security Risk Assessment (SRA) will simplify the tangled mess of policies and highlight the gaps. An SRA is required by the Health Insurance Portability and Accountability Act (HIPAA) to meet compliance standards, but it is also an invaluable guide to ensure you are being a responsible data steward.
Conquering a problem or managing information should always begin with an assessment of what is working, what is not working and what is missing. Once you have an answer to all three, solving the problem, or identifying problems, becomes much easier.
The Core of A Security Risk Assessment
The long definition of an SRA is that it is an evaluation of the Administrative, Physical, and Technical processes you use to protect PHI and ePHI, but technically there are five parts:
- Technical safeguards – digital measures to protect PHI
- Physical safeguards – locked doors, secured computers, etc.
- Administrative safeguards – the policies and procedures that govern it all
- Policy and Procedures requirements – all the written processes
- Breach notification requirements – response guidelines
Policy and procedures requirements and breach notification requirements technically apply to the administrative, technical and physical sections at the same time. A breach could occur at a physical location such as a workstation (physical) or from the outside via your network at that same workstation (technical). It’s easier to assemble the SRA if you look at it this way during the assessments.
Where Will I Benefit from a Security Risk Assessment?
Every aspect of your policies and procedures related to protecting PHI and ePHI will benefit from an SRA. That is a bold statement, but a true one. Any weak points in your data security will be brought to light by an SRA, including safety and security measures pertaining to:
- Network architecture and infrastructure
- Data storage measures
- Protocols and network services
- Security systems and network monitoring programs
- Website information
- Physical assets and hardware
- Physical security measures at facilities
- Operating systems and mobile devices
- Data repositories
- Identification and authentication devices and programs
- Compliance standards
An SRA will help you build better policies to govern how PHI and ePHI are protected. It also offers some assistance in preventing many other digital disasters, such as the introduction of malware, viruses and ransomware to your network and digital devices. It will identify lax areas of IT governance that might otherwise go unnoticed until it’s too late. If there is a breach or failure, your SRA will be your guide to reporting the breach and to the steps you must take to recover from it and minimize risk to PHI, ePHI and other data.
So How Do I Perform a Security Risk Assessment?
The first step is reviewing the HIPAA rules thoroughly. That builds the foundation you will start from. There are 156 yes or no questions you will need to answer once you are familiar with the HIPAA rules, but listing them falls outside the scope of this article. The second step is analyzing all current practices and procedures that affect data: who can access data, where the data is stored, and what possible threats exist.
Next, compare your current policies and procedures with any related HIPAA requirements. Designate staff to create policies and review current policies. Develop training for current and new employees. Employees, even those that do not directly affect or have access to PHI, should be trained in HIPAA compliance. This is the administrative portion of your SRA.
What physical safeguards are in place? Determine how you will protect physical devices such as USB drives, tablets, laptops, desktops, servers and printed documents. Are all doors except the main entrance kept locked? Who has keys to those doors? How will you dispose of hard drives or other storage media when they are replaced or reach the end of their life? These are some of the questions you will need answers for to develop the physical portion of your SRA.
The technical portion of the SRA will incorporate all the policies and procedures you have in place to keep hackers out, prevent hardware failures and encrypt data to name a few. Consult your IT staff to determine what measures are taken to protect hardware such as servers and laptops. How is data moved or transmitted? How are user roles and authentication determined? How are you preventing data corruption and how would you recover corrupted data? What happens when a breach occurs? Again, this is a sample of the questions you will need to be prepared to answer.
If you don’t have all the necessary policies or procedures in place, completing an SRA will show you what is missing. Then it’s just a matter of analyzing that portion of your security and developing policies to govern it.
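As an added example (not part of the original article, and not an official HHS or vendor SRA tool), here is a small Python gap-analysis script that models the yes/no checklist approach described above. Each question is tagged with one of the three safeguard families and a constructed likelihood/impact weighting; every "no" or unanswered question becomes a finding, and findings are sorted by risk score so the highest-risk gaps surface first. The question ids, texts, weights and sample answers are constructed placeholders, not the 156 HIPAA questions the article mentions, and the likelihood × impact scoring is an assumption added here to generalize the article's "what is missing" idea into a prioritized list.

```python
"""Checklist-driven SRA gap analysis.

Added illustration, not the article's own material and not an official HIPAA tool.
Question ids, texts, likelihood/impact weights and answers are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Safeguard(Enum):
    """The three safeguard families the article breaks an SRA into."""
    ADMINISTRATIVE = "administrative"
    PHYSICAL = "physical"
    TECHNICAL = "technical"


@dataclass(frozen=True)
class Question:
    qid: str
    safeguard: Safeguard
    text: str
    likelihood: int  # 1 (rare) .. 3 (likely): chance the gap is exercised
    impact: int      # 1 (minor) .. 3 (severe): harm to PHI/ePHI if it is


def risk_level(score: int) -> str:
    """Bucket a 1..9 likelihood x impact score; thresholds are a constructed choice."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    question: Question
    answered: bool  # False when the question was never answered at all

    @property
    def risk(self) -> int:
        return self.question.likelihood * self.question.impact

    @property
    def level(self) -> str:
        return risk_level(self.risk)


# Constructed sample checklist (hypothetical ids) drawn from the kinds of
# questions the article raises; the real assessment has far more.
CHECKLIST = (
    Question("A1", Safeguard.ADMINISTRATIVE, "Written PHI policies exist and are reviewed annually", 2, 2),
    Question("A2", Safeguard.ADMINISTRATIVE, "All workforce members receive HIPAA training", 3, 2),
    Question("A3", Safeguard.ADMINISTRATIVE, "Breach notification procedure is documented", 2, 3),
    Question("P1", Safeguard.PHYSICAL, "Non-entrance doors locked and key holders recorded", 2, 2),
    Question("P2", Safeguard.PHYSICAL, "Retired drives and media are sanitized before disposal", 2, 3),
    Question("P3", Safeguard.PHYSICAL, "Workstations lock their screen when unattended", 3, 2),
    Question("T1", Safeguard.TECHNICAL, "ePHI is encrypted in transit and at rest", 2, 3),
    Question("T2", Safeguard.TECHNICAL, "Role-based access with unique user authentication", 3, 3),
    Question("T3", Safeguard.TECHNICAL, "Backups are tested by restoring corrupted data", 2, 3),
)


def assess(answers: dict[str, bool]) -> list[Finding]:
    """Turn yes/no answers into findings, highest risk first.

    An unanswered question is treated as a "no": a safeguard you have not
    verified cannot be counted as present.
    """
    findings = [
        Finding(q, answered=q.qid in answers)
        for q in CHECKLIST
        if not answers.get(q.qid, False)
    ]
    return sorted(findings, key=lambda f: (-f.risk, f.question.qid))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count open findings per safeguard family (all three keys always present)."""
    counts = {s.value: 0 for s in Safeguard}
    for f in findings:
        counts[f.question.safeguard.value] += 1
    return counts


def report(answers: dict[str, bool]) -> str:
    """Human-readable gap list, one finding per line."""
    lines = []
    for f in assess(answers):
        note = "" if f.answered else " (unanswered)"
        lines.append(f"[{f.level:6}] {f.question.qid} {f.question.safeguard.value}: "
                     f"{f.question.text}{note}")
    return "\n".join(lines)


# Constructed sample answers: P3 is deliberately missing to show the unanswered case.
SAMPLE_ANSWERS = {"A1": False, "A2": True, "A3": True, "P1": True,
                  "P2": False, "T1": True, "T2": False, "T3": True}

if __name__ == "__main__":
    print(report(SAMPLE_ANSWERS))
    print(summarize(assess(SAMPLE_ANSWERS)))
```

The point of the weighting is that a finished SRA rarely yields an empty gap list; what matters is that the gaps you do find are ordered so the ones most likely to expose PHI are remediated first, and that a question nobody answered is treated as a gap rather than silently passed.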
Risk analysis should be an ongoing process. Just because the SRA is complete doesn’t mean the PHI you protect is safe. As technology advances, so should your efforts to adapt your policies to meet new security demands. Review your SRA annually to ensure you remain HIPAA compliant and the PHI or ePHI you protect remains safe.